Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2023, 14:22
Static task: static1
Behavioral task: behavioral1
Sample: rockro9902.exe
Resource: win7-20230831-en
General
- Target: rockro9902.exe
- Size: 308KB
- MD5: 3a5d8742e681ecc4db1c3a73f35866f0
- SHA1: 9776d6df4a8951716aa2da4fb06ef5d5fa939e9a
- SHA256: 8934df69bc2e54179331e8850adff610d7e70104aeb9b49443456bf7bc096ee3
- SHA512: 17eeb32dedfebb22a6111fe05a29091110f746f2f5027f430a56cf65fedcfb7eb80bbcc51bbfc1bc6cff559c6c46d134f6e195471c8514135a70e16c5c8b4fa2
- SSDEEP: 6144:LnPdudwDra9qCbQfNt8w8oyRtm/me4fIukSROUkKbSnKDeMp:LnPd/a9qpNZyzohu7ROUkSSKCk
Malware Config
- Extracted family: formbook
- Version: 4.1
- Campaign: rc11
Signatures

Formbook payload (4 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/4472-7-0x0000000000400000-0x000000000042F000-memory.dmp     formbook
  behavioral2/memory/4472-12-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
  behavioral2/memory/3792-17-0x0000000000880000-0x00000000008AF000-memory.dmp    formbook
  behavioral2/memory/3792-20-0x0000000000880000-0x00000000008AF000-memory.dmp    formbook

Executes dropped EXE (2 IoCs)
  pid    Process
  2104   qshilspv.exe
  4472   qshilspv.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                                pid    Process        procid_target
  PID 2104 set thread context of 4472        2104   qshilspv.exe   84
  PID 4472 set thread context of 3276        4472   qshilspv.exe   41
  PID 3792 set thread context of 3276        3792   help.exe       41

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (58 IoCs)
  pid    Process        occurrences
  4472   qshilspv.exe   4
  3792   help.exe       54

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    Process
  3276   Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid    Process        occurrences
  2104   qshilspv.exe   1
  4472   qshilspv.exe   3
  3792   help.exe       2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   4472   qshilspv.exe
  Token: SeDebugPrivilege   3792   help.exe

Suspicious use of UnmapMainImage (1 IoCs)
  pid    Process
  3276   Explorer.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
  description                              pid    Process          procid_target   occurrences
  PID 2956 wrote to memory of 2104         2956   rockro9902.exe   83              3
  PID 2104 wrote to memory of 4472         2104   qshilspv.exe     84              4
  PID 3276 wrote to memory of 3792         3276   Explorer.EXE     86              3
  PID 3792 wrote to memory of 2624         3792   help.exe         91              3
Processes

C:\Users\Admin\AppData\Local\Temp\rockro9902.exe  "C:\Users\Admin\AppData\Local\Temp\rockro9902.exe"  (PID 2956)
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\qshilspv.exe  "C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"  (PID 2104)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\qshilspv.exe  "C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"  (PID 4472)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (PID 3276)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\help.exe  "C:\Windows\SysWOW64\help.exe"  (PID 3792)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  /c del "C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"  (PID 2624)
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 176KB
  MD5: 3e653d351f5dbbe07ff27813467d9166
  SHA1: 043e028f34111d6598e1a23b77b20da234a0d0dd
  SHA256: 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4
  SHA512: be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674
- Filesize: 205KB
  MD5: b2f36e78f5f6497ae8c5ab24bb3a9992
  SHA1: 30bd084cef9a5a6fb327add9c6e27bff786115d5
  SHA256: 3c40338dd227b2d2455656908669acc9ad018696d83d9ef636347032024eb329
  SHA512: 8ee713b9c2fe61559d8f952696c1b03f69a3b42da694b0afd3b5e923e8f67ccb44b667f1472d6370d563e566523a92c61a9fb1f22c26507d55649843e3ad81f5