Analysis
- max time kernel: 147s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-11-2020 06:39

Static task: static1
Behavioral task: behavioral1
Sample: purchase order.exe
Resource: win7v20201028

General
- Target: purchase order.exe
- Size: 887KB
- MD5: 975187a07455d3cbf38ec878d893b490
- SHA1: af8ddbf775cdb9dbd3776f717c192094202127be
- SHA256: 009d9a0f6fafa91b750271413fef5771a4ce5855a59c0e6c16c85eb7de08e52b
- SHA512: 378768e3aa1a49e6dce7a83197c1eceb86111422a6886fbe9e3ba7df75ce2bdb0f0979620a8eb905153caf276b43a23dd19885ff487586b3069a515cceb15222
Malware Config
- Extracted family: formbook
Signatures

Formbook Payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/892-12-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral2/memory/892-13-0x000000000041ECD0-mapping.dmp | formbook
  behavioral2/memory/800-14-0x0000000000000000-mapping.dmp | formbook

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: purchase order.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | purchase order.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | purchase order.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: purchase order.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | purchase order.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | purchase order.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: purchase order.exe, purchase order.exe, cmd.exe
  description | pid | process | target process
  PID 4684 set thread context of 892 | 4684 | purchase order.exe | purchase order.exe
  PID 892 set thread context of 3028 | 892 | purchase order.exe | Explorer.EXE
  PID 800 set thread context of 3028 | 800 | cmd.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (41 IoCs)
Processes: purchase order.exe, purchase order.exe, cmd.exe
  pid | process | events
  4684 | purchase order.exe | 3
  892 | purchase order.exe | 4
  800 | cmd.exe | 34

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: purchase order.exe, cmd.exe
  pid | process | events
  892 | purchase order.exe | 3
  800 | cmd.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: purchase order.exe, purchase order.exe, cmd.exe
  description | pid | process
  Token: SeDebugPrivilege | 4684 | purchase order.exe
  Token: SeDebugPrivilege | 892 | purchase order.exe
  Token: SeDebugPrivilege | 800 | cmd.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
  pid | process
  3028 | Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: purchase order.exe, Explorer.EXE, cmd.exe
  description | pid | process | target process | events
  PID 4684 wrote to memory of 892 | 4684 | purchase order.exe | purchase order.exe | 6
  PID 3028 wrote to memory of 800 | 3028 | Explorer.EXE | cmd.exe | 3
  PID 800 wrote to memory of 1108 | 800 | cmd.exe | cmd.exe | 3
Processes

C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\purchase order.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\purchase order.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

  memory dump | filesize
  memory/800-18-0x0000000004020000-0x00000000041B3000-memory.dmp | 1MB
  memory/800-16-0x00000000001A0000-0x00000000001F9000-memory.dmp | 356KB
  memory/800-15-0x00000000001A0000-0x00000000001F9000-memory.dmp | 356KB
  memory/800-14-0x0000000000000000-mapping.dmp | (not listed)
  memory/892-12-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
  memory/892-13-0x000000000041ECD0-mapping.dmp | (not listed)
  memory/1108-17-0x0000000000000000-mapping.dmp | (not listed)
  memory/4684-5-0x0000000005A80000-0x0000000005A81000-memory.dmp | 4KB
  memory/4684-9-0x00000000067E0000-0x0000000006845000-memory.dmp | 404KB
  memory/4684-10-0x00000000066A0000-0x00000000066D0000-memory.dmp | 192KB
  memory/4684-11-0x0000000006930000-0x0000000006931000-memory.dmp | 4KB
  memory/4684-8-0x0000000005A20000-0x0000000005A33000-memory.dmp | 76KB
  memory/4684-7-0x0000000005BE0000-0x0000000005BE1000-memory.dmp | 4KB
  memory/4684-6-0x0000000005A00000-0x0000000005A01000-memory.dmp | 4KB
  memory/4684-0-0x0000000073430000-0x0000000073B1E000-memory.dmp | 6MB
  memory/4684-4-0x0000000005EE0000-0x0000000005EE1000-memory.dmp | 4KB
  memory/4684-3-0x0000000005940000-0x0000000005941000-memory.dmp | 4KB
  memory/4684-1-0x0000000000CB0000-0x0000000000CB1000-memory.dmp | 4KB