Analysis
  Max time kernel: 146s
  Max time network: 147s
  Platform: windows7_x64
  Resource: win7v20201028
  Submitted: 26-02-2021 07:59
  Static task: static1
  Behavioral task: behavioral1 (resource win7v20201028)
  Sample: MAERSK Booking Confirmation_Pdf.exe
General
  Target: MAERSK Booking Confirmation_Pdf.exe
  Size: 498KB
  MD5: 90277a5bab7cc82507c6c23244ac1507
  SHA1: 1500a32d309247c7d91b6930be4e6ba3849740c4
  SHA256: 528006e667ab91fe8d56f0207c97cdb763c0a9386abb1ab16746add4e7efdef8
  SHA512: aa2b5674a3ab9240950ca6adbddfc7d2c5e3278d261ee9aed153d96d8deb4c6c4ca1a6ff8586b124250f03e8453537dcd2fc8be53d3f7930c90d1e98d0662af1
Malware Config
  Family (extracted): formbook
  C2 URL: http://www.workonlinetimallen.com/dll/
  Note: Formbook builds embed one live C2 URL together with a list of decoy domains that the bot also resolves and contacts to bury the real callback. The URL above is the indicator to act on; the domains below are the decoy list and are low-value as blocking or attribution indicators on their own.
  Domains in the extracted config:
nyeconcreations.com
generar-k.com
refugiodelmate.com
elementclubhouse.com
freescorrs.xyz
tonesweettone.com
lojachicco.com
cyberxchange.net
strobelsolutions.com
tipsytravelerbar.com
shesheofnewyork.com
jdallmed.com
woefys.online
naviwatch.net
yuelvzuche.com
thehoneysuppliers.site
smokindeebflavors.com
preventvaccins.com
thepraisehouse.com
lgbtpridedirectory.com
bestconcretelifting.com
commissary.xyz
jakeleeeakin.info
partakpakhsh.com
mystyleonline.online
brunoloulopes.com
softwarexcompanies.com
stockincloud.net
volemate.com
pubjek.com
miamibotany.com
khoing.com
abdpublicidad.com
sundialandpanel.com
latitiaseymour.xyz
ameluskajewelry.net
coltivazioneelementare.info
ontoicase.com
coeurdeconscience.com
komgo.net
literatur.site
shopbrandnew.com
propertiesnaija.com
vaca2day.net
laytikes.com
cryptocustodianship.com
chicagoarthaus.com
worm-tea.com
purchase-support.com
cdamultisport.com
capecodmicrowedding.com
firsttimehomebuyerusinfo.com
thedeepdivelab.com
xn--eiswrfelform-glb.com
oceanupdate.xyz
s8agency.com
lovethybodi.com
xeonnet.com
verificationrelay.xyz
0310li.com
richardpanitch.com
jaydenmichaelgouchie.com
oiltankremovaljc.com
olenfex.com
Signatures

Formbook Payload (3 IoCs)
  YARA rule "formbook" matched the following dumps:
    behavioral1/memory/440-10-0x0000000000400000-0x000000000042E000-memory.dmp
    behavioral1/memory/440-11-0x000000000041EBD0-mapping.dmp
    behavioral1/memory/1356-19-0x0000000000100000-0x000000000012E000-memory.dmp

Deletes itself (1 IoC)
  PID 688 cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1636 MAERSK Booking Confirmation_Pdf.exe set thread context of PID 440 MAERSK Booking Confirmation_Pdf.exe
  PID 440 MAERSK Booking Confirmation_Pdf.exe set thread context of PID 1192 Explorer.EXE
  PID 1356 cmmon32.exe set thread context of PID 1192 Explorer.EXE
Opens file in notepad (likely ransom note) (1 IoC)
  PID 1052 NOTEPAD.EXE
  Note: this heuristic fires on any notepad launch. In the process tree NOTEPAD.EXE is a child of Explorer.EXE, not of the sample, and Formbook is an information stealer, so this is sandbox noise rather than evidence of a ransom note.
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 440 MAERSK Booking Confirmation_Pdf.exe (2 events)
  PID 1356 cmmon32.exe (8 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1192 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 440 MAERSK Booking Confirmation_Pdf.exe (3 events)
  PID 1356 cmmon32.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 440 MAERSK Booking Confirmation_Pdf.exe: SeDebugPrivilege
  PID 1356 cmmon32.exe: SeDebugPrivilege
  PID 1192 Explorer.EXE: SeShutdownPrivilege

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1636 MAERSK Booking Confirmation_Pdf.exe wrote to PID 440 MAERSK Booking Confirmation_Pdf.exe (7 events)
  PID 1192 Explorer.EXE wrote to PID 1356 cmmon32.exe (4 events)
  PID 1356 cmmon32.exe wrote to PID 688 cmd.exe (4 events)
Processes

C:\Windows\Explorer.EXE  (PID 1192)
  Signatures: GetForegroundWindowSpam; AdjustPrivilegeToken; WriteProcessMemory
  |
  +-- "C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe"  (PID 1636)
  |     Signatures: SetThreadContext; WriteProcessMemory
  |     |
  |     +-- "C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe"  (PID 440)
  |           Signatures: SetThreadContext; EnumeratesProcesses; MapViewOfSection; AdjustPrivilegeToken
  |
  +-- "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SuspendMove.txt  (PID 1052)
  |     Signatures: Opens file in notepad (likely ransom note)
  |
  +-- "C:\Windows\SysWOW64\cmmon32.exe"  (PID 1356)
        Signatures: SetThreadContext; EnumeratesProcesses; MapViewOfSection; AdjustPrivilegeToken; WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\cmd.exe  /c del "C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe"  (PID 688)
              Signatures: Deletes itself

Reading the tree together with the signatures above: the dropper (PID 1636) starts a second copy of itself (PID 440) and rewrites it with WriteProcessMemory and SetThreadContext (process hollowing); the hollowed copy injects into Explorer.EXE (PID 1192); Explorer then launches cmmon32.exe from SysWOW64 with no arguments and writes into it, making that Windows binary the host for the Formbook payload (its 184KB region is one of the YARA matches); finally cmmon32.exe spawns cmd.exe to delete the original dropper from the Temp directory.
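The chain above can be recovered mechanically from the recorded parent/child links and cross-process operations. The following is an added example, not part of the sandbox report: the PROCESSES and OPERATIONS tables are transcribed from the Processes and Signatures sections, and the four detection rules (hollowing, injection into Explorer, Explorer staging an argument-less Windows binary, self-deletion via cmd.exe) are this example's own reading of that data.

```python
"""Rebuild the Formbook injection chain from the report's process/signature data.

Added example. PROCESSES and OPERATIONS are transcribed from the report above;
the rules are this example's own and assume only the fields shown here.
"""
import ntpath  # Windows path handling regardless of host OS
import re
from collections import defaultdict

# pid -> (parent pid, image path, command line) as shown in the process tree
PROCESSES = {
    1192: (None, r"C:\Windows\Explorer.EXE", ""),
    1636: (1192, r"C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe", ""),
    440:  (1636, r"C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe", ""),
    1052: (1192, r"C:\Windows\system32\NOTEPAD.EXE", r"C:\Users\Admin\Desktop\SuspendMove.txt"),
    1356: (1192, r"C:\Windows\SysWOW64\cmmon32.exe", ""),
    688:  (1356, r"C:\Windows\SysWOW64\cmd.exe",
           r'/c del "C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe"'),
}

# (api, source pid, target pid), with the event counts from the Signatures section
OPERATIONS = (
    [("WriteProcessMemory", 1636, 440)] * 7
    + [("SetThreadContext", 1636, 440)]
    + [("SetThreadContext", 440, 1192)]
    + [("WriteProcessMemory", 1192, 1356)] * 4
    + [("SetThreadContext", 1356, 1192)]
    + [("WriteProcessMemory", 1356, 688)] * 4
)

WINDOWS_BIN_DIRS = {r"c:\windows\syswow64", r"c:\windows\system32"}
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def image_name(pid):
    return ntpath.basename(PROCESSES[pid][1]).lower()


def ops_between(api):
    """Count calls of one API per (source, target) pair."""
    pairs = defaultdict(int)
    for name, src, dst in OPERATIONS:
        if name == api:
            pairs[(src, dst)] += 1
    return pairs


def find_hollowing():
    """Parent writes into a child running the same image, then resets its thread context."""
    writes = ops_between("WriteProcessMemory")
    hits = []
    for (src, dst) in ops_between("SetThreadContext"):
        parent, image, _ = PROCESSES[dst]
        if parent == src and PROCESSES[src][1] == image and writes.get((src, dst), 0) > 0:
            hits.append((src, dst))
    return sorted(hits)


def find_explorer_injection():
    """Any non-Explorer process touching Explorer.EXE's memory or threads."""
    hits = {src for _, src, dst in OPERATIONS
            if image_name(dst) == "explorer.exe" and image_name(src) != "explorer.exe"}
    return sorted(hits)


def find_lolbin_hosts():
    """Windows binaries that Explorer launched with no arguments and then wrote into."""
    writes = ops_between("WriteProcessMemory")
    hits = []
    for pid, (parent, image, cmdline) in PROCESSES.items():
        if parent is None or image_name(parent) != "explorer.exe":
            continue
        if ntpath.dirname(image).lower() not in WINDOWS_BIN_DIRS:
            continue
        if cmdline.strip() == "" and writes.get((parent, pid), 0) > 0:
            hits.append(pid)
    return sorted(hits)


def find_self_delete():
    """cmd.exe /c del aimed at an executable that is itself in the process tree."""
    images = {pid: image.lower() for pid, (_, image, _) in PROCESSES.items()}
    hits = []
    for pid, (_, image, cmdline) in PROCESSES.items():
        if ntpath.basename(image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(cmdline)
        if not m:
            continue
        target = m.group(1).lower()
        victims = sorted(p for p, img in images.items() if img == target)
        if victims:
            hits.append((pid, victims))
    return hits


def summarize():
    return {
        "hollowing": find_hollowing(),
        "explorer_injection": find_explorer_injection(),
        "lolbin_hosts": find_lolbin_hosts(),
        "self_delete": find_self_delete(),
    }


if __name__ == "__main__":
    for rule, hits in summarize().items():
        print(f"{rule:20s} {hits}")
```

Run stand-alone it reports hollowing 1636 -> 440, injection into Explorer from 440 and 1356, cmmon32.exe (1356) as the staged host and cmd.exe (688) deleting the image shared by 1636 and 440. The same four rules map directly onto Sysmon event IDs 1, 8 and 10 if you want to hunt for this pattern in real telemetry rather than in a sandbox export.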
Downloads (memory dumps)
  memory/400-8-0x000007FEF6380000-0x000007FEF65FA000-memory.dmp      2.5MB
  memory/440-10-0x0000000000400000-0x000000000042E000-memory.dmp     184KB
  memory/440-13-0x0000000000970000-0x0000000000C73000-memory.dmp     3.0MB
  memory/440-14-0x00000000001D0000-0x00000000001E4000-memory.dmp     80KB
  memory/440-11-0x000000000041EBD0-mapping.dmp
  memory/688-17-0x0000000000000000-mapping.dmp
  memory/1052-7-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmp     8KB
  memory/1192-15-0x0000000007670000-0x0000000007806000-memory.dmp    1.6MB
  memory/1192-22-0x0000000004160000-0x0000000004213000-memory.dmp    716KB
  memory/1356-16-0x0000000000000000-mapping.dmp
  memory/1356-18-0x0000000000860000-0x000000000086D000-memory.dmp    52KB
  memory/1356-19-0x0000000000100000-0x000000000012E000-memory.dmp    184KB
  memory/1356-20-0x0000000001F40000-0x0000000002243000-memory.dmp    3.0MB
  memory/1356-21-0x0000000001D10000-0x0000000001DA3000-memory.dmp    588KB
  memory/1636-9-0x0000000004E30000-0x0000000004E84000-memory.dmp     336KB
  memory/1636-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp     6.9MB
  memory/1636-6-0x0000000000350000-0x0000000000353000-memory.dmp     12KB
  memory/1636-5-0x0000000004CF0000-0x0000000004CF1000-memory.dmp     4KB
  memory/1636-3-0x0000000000120000-0x0000000000121000-memory.dmp     4KB
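The dump names encode PID, sequence number and the virtual address range, so the printed sizes can be recomputed and equal-sized regions across processes can be spotted without opening a single file. The following is an added example, not part of the sandbox report: DUMPS is transcribed from the Downloads list above, the name parser and the size rounding are this example's own, and the observation it surfaces (the 184KB regions at 0x400000 in PID 440 and 0x100000 in PID 1356 have identical size, and both are dumps the Formbook YARA rule matched) is consistent with the Signatures section.

```python
"""Parse sandbox memory-dump names, recompute sizes and find regions shared across PIDs.

Added example. DUMPS is transcribed from the report's Downloads section
(name, size as printed); parsing and grouping logic are this example's own.
"""
import re

DUMPS = [
    ("memory/400-8-0x000007FEF6380000-0x000007FEF65FA000-memory.dmp", "2.5MB"),
    ("memory/440-10-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/440-13-0x0000000000970000-0x0000000000C73000-memory.dmp", "3.0MB"),
    ("memory/440-14-0x00000000001D0000-0x00000000001E4000-memory.dmp", "80KB"),
    ("memory/440-11-0x000000000041EBD0-mapping.dmp", None),
    ("memory/688-17-0x0000000000000000-mapping.dmp", None),
    ("memory/1052-7-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmp", "8KB"),
    ("memory/1192-15-0x0000000007670000-0x0000000007806000-memory.dmp", "1.6MB"),
    ("memory/1192-22-0x0000000004160000-0x0000000004213000-memory.dmp", "716KB"),
    ("memory/1356-16-0x0000000000000000-mapping.dmp", None),
    ("memory/1356-18-0x0000000000860000-0x000000000086D000-memory.dmp", "52KB"),
    ("memory/1356-19-0x0000000000100000-0x000000000012E000-memory.dmp", "184KB"),
    ("memory/1356-20-0x0000000001F40000-0x0000000002243000-memory.dmp", "3.0MB"),
    ("memory/1356-21-0x0000000001D10000-0x0000000001DA3000-memory.dmp", "588KB"),
    ("memory/1636-9-0x0000000004E30000-0x0000000004E84000-memory.dmp", "336KB"),
    ("memory/1636-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp", "6.9MB"),
    ("memory/1636-6-0x0000000000350000-0x0000000000353000-memory.dmp", "12KB"),
    ("memory/1636-5-0x0000000004CF0000-0x0000000004CF1000-memory.dmp", "4KB"),
    ("memory/1636-3-0x0000000000120000-0x0000000000121000-memory.dmp", "4KB"),
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  memory/<pid>-<seq>-0x<addr>-mapping.dmp
NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


def parse_dump(name):
    """Split a dump name into pid, sequence, kind and address range."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "kind": "region" if end is not None else "mapping",
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else None,
    }


def human(size):
    """Round like the report: whole KB below 1 MiB, one decimal MB above."""
    if size < 1024 * 1024:
        return f"{size // 1024}KB"
    return f"{size / (1024 * 1024):.1f}MB"


def check_sizes():
    """Names whose recomputed size disagrees with the size printed in the report."""
    return [name for name, printed in DUMPS
            if parse_dump(name)["kind"] == "region" and human(parse_dump(name)["size"]) != printed]


def regions_by_size():
    """Sizes that occur in more than one PID -> [(pid, start), ...].

    Identical region sizes in different processes are the first thing to diff
    when looking for the same unpacked payload copied from one host to another.
    """
    groups = {}
    for name, _ in DUMPS:
        d = parse_dump(name)
        if d["kind"] == "region":
            groups.setdefault(d["size"], []).append((d["pid"], d["start"]))
    return {s: sorted(v) for s, v in groups.items() if len({pid for pid, _ in v}) > 1}


if __name__ == "__main__":
    print("size mismatches:", check_sizes())
    for size, where in sorted(regions_by_size().items()):
        print(f"{human(size):>6} in", ", ".join(f"PID {p} @ 0x{a:X}" for p, a in where))
```

Every printed size checks out, and two sizes recur across PIDs: 184KB (0x400000 in 440, 0x100000 in 1356) and 3.0MB (0x970000 in 440, 0x1F40000 in 1356). The 184KB pair is the unpacked Formbook image that the YARA rule flagged in both processes; the 3.0MB pair is the natural next thing to compare when deciding whether cmmon32.exe received a byte-for-byte copy of what ran in the hollowed dropper.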