Analysis

  • max time kernel
    180s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2023, 12:34

General

  • Target: Gtzzucrmbyfogz.exe
  • Size: 1.6MB
  • MD5: 41fca559302236c81ecf62501d240a0c
  • SHA1: ea35fb19bb74e639c66f235b7b3b5b06fab3eb65
  • SHA256: a98c998bfd92e84cee4401dd2ca4f4a088043e33cc414ffb8d26f4af871e50bd
  • SHA512: c29fb389c5903c8e3b9fde81344f15356f1c54dc4a1da5d35fb4228106833eea4bf054202a2b23514363009e674fa2621ff73726a1af46f559d16db5b6faf2bd
  • SSDEEP: 24576:XkBHomD+FDtdfE222kxVoy+OQp6DjasufyJIZlnLxGgVzwmDi1ETNay76nBWWnme:XjFDnE22efn513VzrunNxNeE

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: ur25
  • Decoy

Signatures

  • Formbook
    Formbook is an information-stealing malware family.
  • ModiLoader, DBatLoader
    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  • Formbook payload (2 IoCs)
  • ModiLoader Second Stage (55 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Script User-Agent (2 IoCs)
    Uses a user-agent string associated with a script host/environment.
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: MapViewOfSection (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gtzzucrmbyfogz.exe
    "C:\Users\Admin\AppData\Local\Temp\Gtzzucrmbyfogz.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\GtzzucrmO.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c mkdir "\\?\C:\Windows "
        3⤵
        PID:1848
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c mkdir "\\?\C:\Windows \System32"
        3⤵
        PID:1984
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ECHO F
        3⤵
        PID:2044
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
        3⤵
        • Enumerates system info in registry
        PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ECHO F
        3⤵
        PID:4540
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
        3⤵
        • Enumerates system info in registry
        PID:3044
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ECHO F
        3⤵
        PID:4572
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
        3⤵
        • Enumerates system info in registry
        PID:3820
      • C:\Windows \System32\easinvoker.exe
        "C:\Windows \System32\easinvoker.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:540
          • C:\Windows\system32\cmd.exe
            cmd.exe /c start /min powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4180
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4148
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 6
        3⤵
        • Runs ping.exe
        PID:3932
    • C:\Windows\SysWOW64\colorcpl.exe
      C:\Windows\System32\colorcpl.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:4668
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\colorcpl.exe"
        3⤵
        PID:1492

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3i2mnh2.s1u.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Public\Libraries\GtzzucrmO.bat
    Filesize: 466B
    MD5: 9e80036aabe3227dbf98b3975051a53b
    SHA1: 9670aab8897770a93293d85426b7b13dda23a152
    SHA256: 964aab3b72b3545fabc58a209714ebeade739a0fec40b33af675d7157b9cb252
    SHA512: 107fb6b364cf92730aca1a044f7769a1f4aed39a72f031a5004ccf09b3bebabac5fc88b3d0f85eb64c665404136db13678718bad36bea4311f07726684ed0a03

  • C:\Users\Public\Libraries\KDECO.bat
    Filesize: 152B
    MD5: 7e5fbd29557a68383dfb34e696964e93
    SHA1: c1f748f89b47864301255d1fb2bfed04ed0d1300
    SHA256: 4e55b1bbe2e0e099592ac57a747fa8d4ef67409901d6c64323a1b73d50e5de67
    SHA512: 7dcb6582b03e7bf0cab2168dc775ca6d7a15ebb097fd2cdd3445b6d35ee128386fb9aa6a548b745c32540e358b2aa4d7c78a6f59f85c32065735fc54a6a2bb6a

  • C:\Users\Public\Libraries\easinvoker.exe
    Filesize: 128KB
    MD5: 231ce1e1d7d98b44371ffff407d68b59
    SHA1: 25510d0f6353dbf0c9f72fc880de7585e34b28ff
    SHA256: 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
    SHA512: 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

  • C:\Users\Public\Libraries\netutils.dll
    Filesize: 108KB
    MD5: 8184a5a46c31d95b7c0057dd5aa90136
    SHA1: b2ba89c94bd07b811e74d9c6897d95638e15d2ac
    SHA256: 0e1ebed2c43fdca6759e1a4be9382bb34a3be143c27c6494df67794c1adcd7b2
    SHA512: 3fa13f10c3070473cd7a80f2d90b1f879da0cfdeed583c9312697f9c66268d51435a93fc641ac06078bd3c2807c498ede11c7afae3183cebc3b1e6d30cc659db

  • C:\Windows \System32\easinvoker.exe
    Filesize: 128KB
    MD5: 231ce1e1d7d98b44371ffff407d68b59
    SHA1: 25510d0f6353dbf0c9f72fc880de7585e34b28ff
    SHA256: 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
    SHA512: 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

  • C:\Windows \System32\netutils.dll
    Filesize: 108KB
    MD5: 8184a5a46c31d95b7c0057dd5aa90136
    SHA1: b2ba89c94bd07b811e74d9c6897d95638e15d2ac
    SHA256: 0e1ebed2c43fdca6759e1a4be9382bb34a3be143c27c6494df67794c1adcd7b2
    SHA512: 3fa13f10c3070473cd7a80f2d90b1f879da0cfdeed583c9312697f9c66268d51435a93fc641ac06078bd3c2807c498ede11c7afae3183cebc3b1e6d30cc659db

  • C:\windows \system32\KDECO.bat
    Filesize: 152B
    MD5: 7e5fbd29557a68383dfb34e696964e93
    SHA1: c1f748f89b47864301255d1fb2bfed04ed0d1300
    SHA256: 4e55b1bbe2e0e099592ac57a747fa8d4ef67409901d6c64323a1b73d50e5de67
    SHA512: 7dcb6582b03e7bf0cab2168dc775ca6d7a15ebb097fd2cdd3445b6d35ee128386fb9aa6a548b745c32540e358b2aa4d7c78a6f59f85c32065735fc54a6a2bb6a
