Analysis
max time kernel: 149s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 19:37
Behavioral task: behavioral1
Sample: PURCHASE ORDER.exe
Resource: win7v20201028
General
Target: PURCHASE ORDER.exe
Size: 378KB
MD5: c284f72d5a76d0ff86ed2c35c74ebe89
SHA1: ceeae846adc4e2f121f601c7d3cf13a1b9ebff33
SHA256: 916badee0304605bfd8e43c11179fb975d094226a432eeb28af55dc9be426c24
SHA512: 240b5096045ba660bddf27f0ff26031a99b5ecf005094ad91df019ad7b832a64102b009a7d1187bd946951912730108469c36b37a2925596a641a7becf2d9469
Malware Config
Extracted: formbook
http://www.mansiobok3.info/ch62/
Signatures

Formbook Payload (3 IoCs)
Processes (resource | yara_rule):
  behavioral2/memory/3960-3-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
  behavioral2/memory/3960-4-0x000000000041B6D0-mapping.dmp | formbook
  behavioral2/memory/3860-6-0x0000000000000000-mapping.dmp | formbook

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: PURCHASE ORDER.exe (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | PURCHASE ORDER.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | PURCHASE ORDER.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: cmstp.exe (description | ioc | process):
  Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cmstp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\J0MPF6-XPXG = "C:\\Program Files (x86)\\Xtrl\\update4ho4ann0.exe" | cmstp.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: PURCHASE ORDER.exe (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | PURCHASE ORDER.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | PURCHASE ORDER.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: PURCHASE ORDER.exe, PURCHASE ORDER.exe, cmstp.exe (description | pid | process | target process):
  PID 1316 set thread context of 3960 | 1316 | PURCHASE ORDER.exe | PURCHASE ORDER.exe
  PID 3960 set thread context of 2352 | 3960 | PURCHASE ORDER.exe | Explorer.EXE
  PID 3860 set thread context of 2352 | 3860 | cmstp.exe | Explorer.EXE

Drops file in Program Files directory (1 IoCs)
Processes: cmstp.exe (description | ioc | process):
  File opened for modification | C:\Program Files (x86)\Xtrl\update4ho4ann0.exe | cmstp.exe
Modifies Internet Explorer settings
Processes: cmstp.exe (description | ioc | process):
  Key created | \Registry\User\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmstp.exe
Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes: PURCHASE ORDER.exe, cmstp.exe (pid | process):
  3960 | PURCHASE ORDER.exe (4 entries)
  3860 | cmstp.exe (42 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: PURCHASE ORDER.exe, cmstp.exe (pid | process):
  3960 | PURCHASE ORDER.exe (3 entries)
  3860 | cmstp.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: PURCHASE ORDER.exe, PURCHASE ORDER.exe, cmstp.exe, Explorer.EXE (description | pid | process):
  Token: SeDebugPrivilege | 1316 | PURCHASE ORDER.exe
  Token: SeDebugPrivilege | 3960 | PURCHASE ORDER.exe
  Token: SeDebugPrivilege | 3860 | cmstp.exe
  Token: SeShutdownPrivilege | 2352 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2352 | Explorer.EXE
  Token: SeShutdownPrivilege | 2352 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2352 | Explorer.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: PURCHASE ORDER.exe (pid | process):
  1316 | PURCHASE ORDER.exe (2 entries)

Suspicious use of UnmapMainImage (1 IoCs)
Processes: Explorer.EXE (pid | process):
  2352 | Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: PURCHASE ORDER.exe, Explorer.EXE, cmstp.exe (description | pid | process | target process):
  PID 1316 wrote to memory of 3960 | 1316 | PURCHASE ORDER.exe | PURCHASE ORDER.exe (6 entries)
  PID 2352 wrote to memory of 3860 | 2352 | Explorer.EXE | cmstp.exe (3 entries)
  PID 3860 wrote to memory of 792 | 3860 | cmstp.exe | cmd.exe (3 entries)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
      - Checks BIOS information in registry
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
         Command line: "{path}"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmstp.exe
      Command line: "C:\Windows\SysWOW64\cmstp.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\9L5A8AD1\9L5logim.jpeg
  MD5: 9ee605354ae0bae20a89baa5796dbab2
  SHA1: 3767c14c3a3add02dcc6d9c60a63d80bc480c6bc
  SHA256: db45c23743d78f05a7ae07a5fb20730f18ef4d1a86a156d85112142aaa9c73be
  SHA512: e8679a50c75f7f74a6c830375752186f0495bd151cb9cd7fa7ac49a174566f98cd66eb796b52b88759fe484fb5e282fc6f6cca9d127ccdea8e07b03af72d2f2f

C:\Users\Admin\AppData\Roaming\9L5A8AD1\9L5logri.ini
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\9L5A8AD1\9L5logrv.ini
  MD5: bbc41c78bae6c71e63cb544a6a284d94
  SHA1: 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
  SHA256: ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
  SHA512: 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

memory/792-9-0x0000000000000000-mapping.dmp
memory/3860-6-0x0000000000000000-mapping.dmp
memory/3860-7-0x0000000000D00000-0x0000000000D16000-memory.dmp (filesize: 88KB)
memory/3860-8-0x0000000000D00000-0x0000000000D16000-memory.dmp (filesize: 88KB)
memory/3860-10-0x0000000005460000-0x00000000055EA000-memory.dmp (filesize: 1.5MB)
memory/3960-3-0x0000000000400000-0x000000000042A000-memory.dmp (filesize: 168KB)
memory/3960-4-0x000000000041B6D0-mapping.dmp