Analysis
max time kernel: 150s
max time network: 139s
platform: windows10_x64
resource: win10v20210408
submitted: 09-05-2021 15:01
Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order-070POR044127.exe
Resource: win7v20210410
General
Target: Purchase Order-070POR044127.exe
Size: 970KB
MD5: 15777f1f1c6b81ea03eb9f14c3a77f68
SHA1: 1664e98460e60a7399d393c9df24aa5435f9e251
SHA256: 1012fd502b2b0f81c21293efaf6b1f012693dc485690e4b8dda25dfa4c7538d9
SHA512: 54e7d77fc74ce5f5331a4e1f373b9bbd4dc8dc4ffc9ec3b62f9a321535d699209956dd13d3907e0609c54410e19deddbacec1f78f02cfa80eb6788c1de99e8c7
Malware Config
Extracted family: formbook
Version: 4.1
C2 URL (as extracted): http://www.magnumopuspro.com/nyr/
Domains (as extracted):
anemone-vintage.com
ironcitytools.com
joshandmatthew.com
breathtakingscenery.photos
karabakh-terror.com
micahelgall.com
entretiendesterrasses.com
mhgholdings.com
blewm.com
sidewalknotary.com
ytrs-elec.com
danhpham.com
ma21cle2henz.xyz
lotusforlease.com
shipleyphotoandfilm.com
bulktool.xyz
ouedzmala.com
yichengvpr.com
connectmygames.com
chjcsc.com
dope-chocolate.com
tacowench.com
projectsbay.com
xn--pgboc92d.com
royaldropofoil.com
ranguanglian.club
mobilne-kucice.com
buytsycon.com
goiasbets.net
blpetroleum.com
starrealms.net
exclusiveflooringcollection.com
kudalive.com
tienda-sky.com
drillinginsider.info
theglasshousenyc.com
vietnammoi.xyz
walterbenicio.com
zoomtvliveshows.xyz
boujiehoodbaby.com
yzyangyu.com
exploreecetera.com
sycord.com
waykifood.com
shadingconsultancy.com
precedentai.net
linhanhkitchen.com
expekt24.com
socialdating24.com
lubvim.com
floryi.com
alerist.com
maluss.com
hitbbq.com
alerrandrotattoo.com
algoplayer.com
idahooutsiders.com
qygmuakhk.club
neverpossible.com
winparadigm.com
toughdecorative.com
yourbuildmedia.com
summercrowd.com
josemvazquez.com
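Hunting for the extracted domains in DNS logs, as an added example that is not part of the sandbox report. The log lines are constructed, only a subset of the page's domain list is embedded, and the "timestamp client query type" log layout is an assumption of this example. Formbook configs are known to pad the list with decoy domains, so treat a single hit as a lead to pivot on rather than as confirmation of C2 traffic.

```python
"""Match DNS query logs against the domain list extracted from this sample's
Formbook config.  Added example, not part of the sandbox report; the log lines
are constructed and only a subset of the page's domain list is embedded."""

# Subset of the extracted config (C2 URL host plus a few listed domains).
EXTRACTED_DOMAINS = [
    "www.magnumopuspro.com",   # host of the extracted C2 URL
    "anemone-vintage.com",
    "ironcitytools.com",
    "ma21cle2henz.xyz",
    "xn--pgboc92d.com",        # IDN domain, listed as its A-label
    "sycord.com",
]

# Constructed log lines (assumed layout: timestamp client query type).
DNS_LOG = """\
2021-05-09T15:02:11Z 10.0.0.23 www.magnumopuspro.com A
2021-05-09T15:02:12Z 10.0.0.23 ANEMONE-VINTAGE.COM. A
2021-05-09T15:02:13Z 10.0.0.23 cdn.ironcitytools.com A
2021-05-09T15:02:14Z 10.0.0.23 notironcitytools.com A
2021-05-09T15:02:15Z 10.0.0.23 xn--pgboc92d.com A
2021-05-09T15:02:16Z 10.0.0.23 update.microsoft.com A
"""


def normalize(name):
    """Lowercase, drop the trailing dot, and convert Unicode labels to IDNA
    A-labels so both spellings of an IDN compare equal."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def build_matcher(domains):
    """Return a function mapping a query name to the matched config domain
    (exact match or any subdomain of it), or None.  The 'www.' prefix is kept
    because the config lists the C2 host that way; strip it when hunting
    more broadly."""
    index = {normalize(d) for d in domains}

    def match(query):
        labels = normalize(query).split(".")
        # Walk from the full name to shorter suffixes: a.b.c -> b.c (never the bare TLD)
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in index:
                return candidate
        return None

    return match


def hunt(log_text, domains):
    """Return (timestamp, query, matched_domain) for every hit in the log."""
    match = build_matcher(domains)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, _client, query, _qtype = parts[:4]
        matched = match(query)
        if matched:
            hits.append((ts, query, matched))
    return hits


if __name__ == "__main__":
    for ts, query, matched in hunt(DNS_LOG, EXTRACTED_DOMAINS):
        print(f"{ts} {query} -> {matched}")
```

Matching walks the query's suffixes so `cdn.ironcitytools.com` is caught while `notironcitytools.com` is not; the bare TLD is never tried, which avoids matching every `.com` query if a config ever listed one.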
Signatures

Formbook Payload (3 IoCs)
yara rule "formbook" matched:
- behavioral2/memory/3384-124-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral2/memory/3384-125-0x000000000041EBA0-mapping.dmp
- behavioral2/memory/2292-133-0x00000000001B0000-0x00000000001DE000-memory.dmp

Suspicious use of SetThreadContext (3 IoCs)
- PID 624 (Purchase Order-070POR044127.exe) set thread context of PID 3384 (Purchase Order-070POR044127.exe)
- PID 3384 (Purchase Order-070POR044127.exe) set thread context of PID 2708 (Explorer.EXE)
- PID 2292 (explorer.exe) set thread context of PID 2708 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (44 IoCs)
- PID 3384 (Purchase Order-070POR044127.exe): 4 hits
- PID 2292 (explorer.exe): 40 hits

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2708 (Explorer.EXE)

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 3384 (Purchase Order-070POR044127.exe): 3 hits
- PID 2292 (explorer.exe): 2 hits

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 3384 (Purchase Order-070POR044127.exe): Token: SeDebugPrivilege
- PID 2292 (explorer.exe): Token: SeDebugPrivilege

Suspicious use of UnmapMainImage (1 IoC)
- PID 2708 (Explorer.EXE)

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 624 (Purchase Order-070POR044127.exe) wrote to memory of PID 3384 (Purchase Order-070POR044127.exe): 6 hits
- PID 2708 (Explorer.EXE) wrote to memory of PID 2292 (explorer.exe): 3 hits
- PID 2292 (explorer.exe) wrote to memory of PID 2768 (cmd.exe): 3 hits
Processes
(tree depth as recorded by the sandbox; PIDs taken from the signature tables above)

1. C:\Windows\Explorer.EXE (PID 2708)
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Purchase Order-070POR044127.exe (PID 624)
      command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order-070POR044127.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Purchase Order-070POR044127.exe (PID 3384)
         command line: "{path}"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\explorer.exe (PID 2292)
      command line: "C:\Windows\SysWOW64\explorer.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 2768)
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order-070POR044127.exe"
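The signature tables and process tree together record one chain: the sample starts a second copy of itself and rewrites its thread context (PID 624 into 3384), the hollowed copy takes SeDebugPrivilege and sets the thread context of the user's Explorer.EXE (2708), Explorer.EXE then launches the 32-bit C:\Windows\SysWOW64\explorer.exe (2292), which injects back into Explorer.EXE and finally runs cmd.exe /c del against the original file. The Python below is an added example, not part of the sandbox report: its event list is hand-built from the tables above (process-create edges are read from the tree nesting), and the event tuple layout and rule names are this example's own conventions, so adapt the loader to whatever your sandbox or EDR actually emits.

```python
"""Rule-based detection of the injection chain recorded in this report.
Added example, not part of the sandbox report.  EVENTS is a hand-built list
of the report's signature entries and process-tree edges; the tuple layout
and rule names are this example's own conventions."""
import ntpath

SHELL = r"C:\Windows\Explorer.EXE"
WOW64_EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Purchase Order-070POR044127.exe"

# (event, pid, image, target_pid, target_image, detail), in report order
EVENTS = [
    ("process_create", 624, SAMPLE, 3384, SAMPLE, "{path}"),
    ("write_process_memory", 624, SAMPLE, 3384, SAMPLE, None),
    ("set_thread_context", 624, SAMPLE, 3384, SAMPLE, None),
    ("adjust_privilege", 3384, SAMPLE, None, None, "SeDebugPrivilege"),
    ("set_thread_context", 3384, SAMPLE, 2708, SHELL, None),
    ("process_create", 2708, SHELL, 2292, WOW64_EXPLORER, None),
    ("write_process_memory", 2708, SHELL, 2292, WOW64_EXPLORER, None),
    ("adjust_privilege", 2292, WOW64_EXPLORER, None, None, "SeDebugPrivilege"),
    ("set_thread_context", 2292, WOW64_EXPLORER, 2708, SHELL, None),
    ("process_create", 2292, WOW64_EXPLORER, 2768, r"C:\Windows\SysWOW64\cmd.exe",
     f'/c del "{SAMPLE}"'),
]

CHAIN = ("hollow-own-image", "inject-into-shell",
         "shell-spawns-wow64-explorer", "self-delete")


def same_path(a, b):
    """Case-insensitive Windows path comparison (None compares as empty)."""
    return (a or "").lower() == (b or "").lower()


def detect(events):
    """Return (rule, pid, note) findings, in event order."""
    known_images = {e[2] for e in events} | {e[4] for e in events if e[4]}
    findings = []
    for ev, pid, image, tpid, timage, detail in events:
        if ev == "set_thread_context" and tpid is not None and tpid != pid:
            if same_path(image, timage):
                # A process rewrites the thread context of a fresh copy of itself
                findings.append(("hollow-own-image", pid, f"{pid} -> {tpid}"))
            elif same_path(timage, SHELL):
                # Thread context rewritten inside the user's shell process
                findings.append(("inject-into-shell", pid,
                                 f"{ntpath.basename(image)} -> Explorer.EXE ({tpid})"))
        elif ev == "process_create":
            if same_path(image, SHELL) and same_path(timage, WOW64_EXPLORER):
                # The 64-bit shell launching the 32-bit explorer.exe is not normal
                findings.append(("shell-spawns-wow64-explorer", pid, f"child {tpid}"))
            if (ntpath.basename(timage).lower() == "cmd.exe" and detail
                    and "/c del" in detail.lower()):
                # cmd.exe deleting a file that is the image of a process we saw
                wiped = [p for p in known_images if p.lower() in detail.lower()]
                if wiped:
                    findings.append(("self-delete", tpid, wiped[0]))
    return findings


def is_full_chain(findings):
    """True when every stage of the chain recorded in this report was seen."""
    seen = {rule for rule, _, _ in findings}
    return all(rule in seen for rule in CHAIN)


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid, note in found:
        print(f"{rule:28s} pid={pid:<5d} {note}")
    print("full chain:", is_full_chain(found))
```

Each rule on its own is a weak signal (legitimate software occasionally sets thread contexts in child processes, and installers delete themselves), so the block also reports whether all four stages occurred; that combination is what makes this chain distinctive.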
Downloads (memory dumps, one line per dump with its listed size; "-mapping.dmp" entries carry an address but no range)
- memory/624-114-0x0000000000920000-0x0000000000921000-memory.dmp: 4KB
- memory/624-116-0x0000000005920000-0x0000000005921000-memory.dmp: 4KB
- memory/624-117-0x0000000005420000-0x0000000005421000-memory.dmp: 4KB
- memory/624-118-0x0000000005310000-0x00000000053A2000-memory.dmp: 584KB
- memory/624-119-0x00000000053A0000-0x00000000053A1000-memory.dmp: 4KB
- memory/624-120-0x00000000089F0000-0x00000000089F1000-memory.dmp: 4KB
- memory/624-121-0x0000000005900000-0x000000000590E000-memory.dmp: 56KB
- memory/624-122-0x0000000008C10000-0x0000000008C9D000-memory.dmp: 564KB
- memory/624-123-0x000000000B390000-0x000000000B3D0000-memory.dmp: 256KB
- memory/2292-130-0x0000000000000000-mapping.dmp
- memory/2292-132-0x00000000009C0000-0x0000000000DFF000-memory.dmp: 4.2MB
- memory/2292-133-0x00000000001B0000-0x00000000001DE000-memory.dmp: 184KB
- memory/2292-134-0x0000000004930000-0x0000000004C50000-memory.dmp: 3.1MB
- memory/2292-135-0x00000000046A0000-0x0000000004733000-memory.dmp: 588KB
- memory/2708-129-0x0000000004EC0000-0x0000000004FCD000-memory.dmp: 1.1MB
- memory/2708-136-0x0000000004FD0000-0x0000000005117000-memory.dmp: 1.3MB
- memory/2768-131-0x0000000000000000-mapping.dmp
- memory/3384-124-0x0000000000400000-0x000000000042E000-memory.dmp: 184KB
- memory/3384-125-0x000000000041EBA0-mapping.dmp
- memory/3384-127-0x00000000010C0000-0x00000000013E0000-memory.dmp: 3.1MB
- memory/3384-128-0x0000000000B00000-0x0000000000C4A000-memory.dmp: 1.3MB
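The dump names encode each region's address range, so the listed sizes can be recomputed and, more usefully, compared across processes: the two regions the yara rule tagged as formbook (3384-124 at 0x400000 and 2292-133 at 0x1B0000) are both exactly 0x2E000 bytes, which is what a payload image copied from the hollowed sample into the injected explorer.exe looks like. The Python below is an added example, not part of the sandbox report; DUMP_NAMES are the names listed above, and the KB/MB formatting mimics the page's style so the recomputed sizes can be checked against it.

```python
"""Recompute memory-dump region sizes from the dump names and find regions of
identical size in different processes, where a payload image copied between
processes tends to show up.  Added example, not part of the sandbox report;
DUMP_NAMES are the names listed on the page."""
import re
from collections import defaultdict

DUMP_NAMES = [
    "memory/624-114-0x0000000000920000-0x0000000000921000-memory.dmp",
    "memory/624-116-0x0000000005920000-0x0000000005921000-memory.dmp",
    "memory/624-117-0x0000000005420000-0x0000000005421000-memory.dmp",
    "memory/624-118-0x0000000005310000-0x00000000053A2000-memory.dmp",
    "memory/624-119-0x00000000053A0000-0x00000000053A1000-memory.dmp",
    "memory/624-120-0x00000000089F0000-0x00000000089F1000-memory.dmp",
    "memory/624-121-0x0000000005900000-0x000000000590E000-memory.dmp",
    "memory/624-122-0x0000000008C10000-0x0000000008C9D000-memory.dmp",
    "memory/624-123-0x000000000B390000-0x000000000B3D0000-memory.dmp",
    "memory/2292-130-0x0000000000000000-mapping.dmp",
    "memory/2292-132-0x00000000009C0000-0x0000000000DFF000-memory.dmp",
    "memory/2292-133-0x00000000001B0000-0x00000000001DE000-memory.dmp",
    "memory/2292-134-0x0000000004930000-0x0000000004C50000-memory.dmp",
    "memory/2292-135-0x00000000046A0000-0x0000000004733000-memory.dmp",
    "memory/2708-129-0x0000000004EC0000-0x0000000004FCD000-memory.dmp",
    "memory/2708-136-0x0000000004FD0000-0x0000000005117000-memory.dmp",
    "memory/2768-131-0x0000000000000000-mapping.dmp",
    "memory/3384-124-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/3384-125-0x000000000041EBA0-mapping.dmp",
    "memory/3384-127-0x00000000010C0000-0x00000000013E0000-memory.dmp",
    "memory/3384-128-0x0000000000B00000-0x0000000000C4A000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Return (pid, index, start, end) for a region dump, or None for the
    '-mapping.dmp' entries, which carry an address but no range."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)


def region_size(name):
    """Size in bytes of a region dump, or None for mapping entries."""
    parsed = parse_dump(name)
    if parsed is None:
        return None
    _, _, start, end = parsed
    return end - start


def human(size):
    """Format like the page: whole KB below 1 MB, otherwise MB with one decimal."""
    if size < 1024 * 1024:
        return f"{size // 1024}KB"
    return f"{size / (1024 * 1024):.1f}MB"


def shared_sizes(names):
    """Map exact region size -> sorted PIDs, keeping only sizes present in more
    than one process.  Exact bytes are compared, not the rounded strings: the
    two '1.3MB' regions here (0x147000 and 0x14A000 bytes) are not the same."""
    by_size = defaultdict(set)
    for name in names:
        parsed = parse_dump(name)
        if parsed:
            pid, _, start, end = parsed
            by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for name in DUMP_NAMES:
        size = region_size(name)
        print(f"{name}  {'mapping' if size is None else human(size)}")
    for size, pids in sorted(shared_sizes(DUMP_NAMES).items()):
        print(f"shared size {size:#x} ({human(size)}) in PIDs {pids}")
```

Run against this page's list it reports two cross-process sizes, 0x2E000 (the yara-tagged 184KB regions) and 0x320000 (the two 3.1MB regions in 3384 and 2292), which are the regions to pull first when confirming the injected payload; the 4KB regions that repeat inside PID 624 are not reported because they sit in a single process.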