Analysis
- max time kernel: 154s
- max time network: 170s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 14-10-2021 06:56

Static task: static1
Behavioral task: behavioral1
- Sample: Confirmacion del pedido.exe
- Resource: win7v20210408
General
- Target: Confirmacion del pedido.exe
- Size: 991KB
- MD5: 0e9502be7eceefc502cdf2c78ee19b13
- SHA1: ad1936812db52a98c6bd0ae76000b3a0019554db
- SHA256: ba13df26cb62acc861953da6844d332dd79a6778fbd2c4a6e5bb3d83bcb30d78
- SHA512: e6bba42904e7f80dc3a145079aa156c5387734ceb0c6142874a0e08299c0da3a2d3ff72dac8a82e9338cd23ebf2bb65a5b45827c41f674982d14a76f00b5d15f
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign ID: bc3s
- C2: http://www.topei-products.com/bc3s/
- Domains (64 entries). Formbook hides its live C2 among decoy domains, many of them ordinary sites, and requests the campaign path on several of them per beacon cycle, so hunt on host plus the /bc3s/ path rather than on any domain alone:
anna-ng.com
mariangelamata.com
szqnbl.com
nesherguitars.com
mysekrit.com
againbeautyviensui.xyz
appf.life
bilalsolution.com
technoratii.com
11restoran.com
birthingly.com
crystalcarrillo.com
cohenasset.info
bunchofdesign.com
highstreetmag.com
talentkerning.com
outdoor-glassesadvice.com
aliceeety.com
habbuhot.info
pao91.com
resgatarpontosparavoce.com
tuancai.net
cnynckcrw.com
visaza.com
paulettecallen.com
kandmfinancialgroup.com
malibuclassix.com
thespoonteller.com
vidyaxyp.com
xn--gmsepetim-q9ab20j.com
saudesexualdoshomens.com
safehandmarketing.com
yebimhieu.site
alimitchellmedia.com
andrewpatrickpiette.com
astro-paradise.com
domainechoquet.com
navihealthpartners.com
detroitveganseafood.com
spankingandpunishment.com
magalu-queromais.com
mallsinup.com
rmsnidlogini.cloud
lifeisveryessential.com
stolzfus.com
iniciala.com
designslayers.com
clinivahq.com
ubersms.com
welenb.com
skyegroupllc.com
happyburger.net
moredate-s.com
alon-mail.com
voceprofessor.com
dokadveri.com
lafabricadisseny.com
westwooddesign.net
blossoms-boutique.com
jumtix.xyz
dietgulfport.com
soccerstreamer.com
lapurtcedd.com
secret-mall.com
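The domain list above only becomes useful once it is joined with the campaign path. The following Python, added here and not part of the sandbox report, turns the extracted config into a hunting list and runs it over proxy-style log lines. The campaign path, C2 URL and domains are the reported values; the log format and the log lines themselves are constructed for the demonstration.

```python
"""Hunting list from the extracted Formbook config (added example).

The campaign path, C2 URL and domain list are the values reported above;
the proxy log format and lines are constructed for this demonstration.
"""
from urllib.parse import urlsplit

CAMPAIGN = "bc3s"
C2_URL = "http://www.topei-products.com/bc3s/"
DOMAINS = """
anna-ng.com mariangelamata.com szqnbl.com nesherguitars.com mysekrit.com againbeautyviensui.xyz
appf.life bilalsolution.com technoratii.com 11restoran.com birthingly.com crystalcarrillo.com
cohenasset.info bunchofdesign.com highstreetmag.com talentkerning.com outdoor-glassesadvice.com aliceeety.com
habbuhot.info pao91.com resgatarpontosparavoce.com tuancai.net cnynckcrw.com visaza.com
paulettecallen.com kandmfinancialgroup.com malibuclassix.com thespoonteller.com vidyaxyp.com xn--gmsepetim-q9ab20j.com
saudesexualdoshomens.com safehandmarketing.com yebimhieu.site alimitchellmedia.com andrewpatrickpiette.com astro-paradise.com
domainechoquet.com navihealthpartners.com detroitveganseafood.com spankingandpunishment.com magalu-queromais.com mallsinup.com
rmsnidlogini.cloud lifeisveryessential.com stolzfus.com iniciala.com designslayers.com clinivahq.com
ubersms.com welenb.com skyegroupllc.com happyburger.net moredate-s.com alon-mail.com
voceprofessor.com dokadveri.com lafabricadisseny.com westwooddesign.net blossoms-boutique.com jumtix.xyz
dietgulfport.com soccerstreamer.com lapurtcedd.com secret-mall.com
""".split()


def beacon_hosts(c2_url=C2_URL, domains=DOMAINS):
    """Every host the sample may beacon to: the reported C2 plus each config
    domain, in bare and www. form (the reported C2 URL uses a www. host)."""
    c2_host = urlsplit(c2_url).hostname
    bare = {c2_host[4:] if c2_host.startswith("www.") else c2_host}
    bare.update(d.lower() for d in domains)
    return bare | {"www." + d for d in bare}


def is_formbook_checkin(url, campaign=CAMPAIGN, hosts=None):
    """True when url targets a config host on the campaign path.

    Host alone would fire on ordinary browsing to the decoy sites; path alone
    would fire on any site that happens to have a /bc3s/ directory."""
    hosts = beacon_hosts() if hosts is None else hosts
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    on_campaign_path = parts.path == f"/{campaign}" or parts.path.startswith(f"/{campaign}/")
    return parts.hostname in hosts and on_campaign_path


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2021-10-14T06:57:10Z 10.0.0.15 GET http://www.topei-products.com/bc3s/ 200",
    "2021-10-14T06:57:12Z 10.0.0.15 GET http://www.anna-ng.com/bc3s/ 404",
    "2021-10-14T06:57:20Z 10.0.0.15 GET http://www.anna-ng.com/about.html 200",
    "2021-10-14T06:58:01Z 10.0.0.22 GET http://example.org/bc3s/ 200",
]


def scan_proxy_log(lines, campaign=CAMPAIGN):
    """Return (timestamp, client, host) for every check-in-shaped request."""
    hosts = beacon_hosts()
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        if is_formbook_checkin(url, campaign, hosts):
            hits.append((ts, client, urlsplit(url).hostname))
    return hits


if __name__ == "__main__":
    for ts, client, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {host}/{CAMPAIGN}/")
```

Only the first two constructed lines are reported: a request to the decoy domain's ordinary page is not a check-in, and neither is the campaign path on a host outside the config.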
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)

Formbook Payload (3 IoCs)
YARA rule "formbook" matched in:
- behavioral1/memory/864-66-0x0000000000000000-mapping.dmp
- behavioral1/memory/864-69-0x0000000072480000-0x00000000724AE000-memory.dmp
- behavioral1/memory/1004-76-0x0000000000080000-0x00000000000AE000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
- Process: Confirmacion del pedido.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nzvamcw = "C:\Users\Public\Libraries\wcmavzN.url"
  (the value name is the target file name reversed: Nzvamcw / wcmavzN)
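The Run value above has three properties worth turning into a host check: it launches a .url shortcut rather than an executable, the shortcut sits under C:\Users\Public\Libraries, and the value name is the file name reversed. The following Python, added here and not part of the sandbox report, scores Run/RunOnce values from a .reg export on those properties. The flagged value is the one reported above; the surrounding .reg text and the benign "Updater" entry are constructed for the demonstration.

```python
r"""Flag Formbook-style Run-key persistence in a .reg export (added example).

The "Nzvamcw" value is the one reported above; the rest of the .reg text,
including the benign "Updater" entry, is constructed for this demonstration.
A live export comes from:
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
"""
import ntpath
import re

PUBLIC_LIBRARIES = "c:\\users\\public\\libraries\\"
AUTORUN_KEYS = ("\\run", "\\runonce")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Nzvamcw"="C:\\Users\\Public\\Libraries\\wcmavzN.url"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /silent"
'''

# "name"="value" with .reg escaping (backslash escapes backslash and quote).
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape_reg(s):
    """Undo .reg escaping (a backslash-escaped backslash or double quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def command_target(cmd):
    """The program a Run value launches: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess_run_value(name, target):
    """Reasons a Run value resembles the persistence seen in this report."""
    reasons = []
    stem, ext = ntpath.splitext(ntpath.basename(target))
    if ext.lower() == ".url":
        reasons.append("launches a .url Internet shortcut instead of an executable")
    if target.lower().startswith(PUBLIC_LIBRARIES):
        reasons.append("target lives under C:\\Users\\Public\\Libraries")
    if stem and name == stem[::-1]:
        reasons.append("value name is the target file name reversed")
    return reasons


def suspicious_run_entries(reg_text):
    """Parse a .reg export; return the Run/RunOnce values that need triage."""
    findings, in_autorun_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun_key = line[1:-1].lower().endswith(AUTORUN_KEYS)
            continue
        m = VALUE_LINE.match(line)
        if not (in_autorun_key and m):
            continue
        name = unescape_reg(m.group(1))
        target = command_target(unescape_reg(m.group(2)))
        reasons = assess_run_value(name, target)
        if reasons:
            findings.append({"name": name, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_REG):
        print(f"{f['name']} -> {f['target']}")
        for r in f["reasons"]:
            print(f"    {r}")
```

Any one reason is enough to look at an entry; all three together, as in this sample, is the reported pattern. The reversed-name check is cheap and catches the case where the operator changes the drop folder or swaps the .url for another extension.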
Suspicious use of SetThreadContext (2 IoCs)
- PID 864 (logagent.exe) set thread context of PID 1208 (Explorer.EXE)
- PID 1004 (wininit.exe) set thread context of PID 1208 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (27 IoCs)
- PID 864 logagent.exe (2 events)
- PID 1004 wininit.exe (25 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1208 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 864 logagent.exe (3 events)
- PID 1004 wininit.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 864 logagent.exe: Token: SeDebugPrivilege
- PID 1004 wininit.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
- PID 1208 Explorer.EXE (4 events)

Suspicious use of SendNotifyMessage (5 IoCs)
- PID 1208 Explorer.EXE (5 events)

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 1936 (Confirmacion del pedido.exe) wrote to memory of PID 864 (logagent.exe): 7 events
- PID 1208 (Explorer.EXE) wrote to memory of PID 1004 (wininit.exe): 4 events
- PID 1004 (wininit.exe) wrote to memory of PID 1300 (cmd.exe): 4 events
Processes (PIDs taken from the signature tables above; indentation is parent/child)

C:\Windows\Explorer.EXE (PID 1208)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Confirmacion del pedido.exe (PID 1936)
      command line: "C:\Users\Admin\AppData\Local\Temp\Confirmacion del pedido.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\logagent.exe (PID 864)
          command line: C:\Windows\System32\logagent.exe
          (the System32 path resolves to SysWOW64 because the 32-bit parent is subject to WoW64 file system redirection)
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\wininit.exe (PID 1004)
      command line: "C:\Windows\SysWOW64\wininit.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1300)
          command line: /c del "C:\Windows\SysWOW64\logagent.exe"
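The SetThreadContext and WriteProcessMemory tables and the process tree together describe one chain: the dropper injects into logagent.exe, logagent.exe re-points a thread in Explorer.EXE, the now-hijacked Explorer.EXE spawns and injects wininit.exe, and wininit.exe drives cmd.exe. The following Python, added here and not part of the sandbox report, rebuilds that chain from the reported events and singles out the host process that both received an injection and then injected others. The events are transcribed from the tables above, one row per distinct actor/target pair; the tuple layout is this example's own, not the sandbox's export format.

```python
"""Rebuild the injection chain from the API events reported above (added example).

Events are transcribed from the report's SetThreadContext and
WriteProcessMemory tables and from the process tree, one row per distinct
(actor, target) pair.  The tuple layout is this example's own.
"""
from collections import defaultdict

# (api, actor_pid, actor_image, target_pid, target_image)
EVENTS = [
    ("CreateProcess",      1208, "Explorer.EXE",                1936, "Confirmacion del pedido.exe"),
    ("CreateProcess",      1936, "Confirmacion del pedido.exe", 864,  "logagent.exe"),
    ("WriteProcessMemory", 1936, "Confirmacion del pedido.exe", 864,  "logagent.exe"),
    ("SetThreadContext",   864,  "logagent.exe",                1208, "Explorer.EXE"),
    ("CreateProcess",      1208, "Explorer.EXE",                1004, "wininit.exe"),
    ("WriteProcessMemory", 1208, "Explorer.EXE",                1004, "wininit.exe"),
    ("SetThreadContext",   1004, "wininit.exe",                 1208, "Explorer.EXE"),
    ("CreateProcess",      1004, "wininit.exe",                 1300, "cmd.exe"),
    ("WriteProcessMemory", 1004, "wininit.exe",                 1300, "cmd.exe"),
]
INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext"}


def image_of(events):
    """pid -> image name, collected from every event that mentions the pid."""
    names = {}
    for _, actor, actor_img, target, target_img in events:
        names[actor] = actor_img
        names[target] = target_img
    return names


def injection_graph(events):
    """actor pid -> pids it wrote into or re-pointed a thread of."""
    graph = defaultdict(set)
    for api, actor, _, target, _ in events:
        if api in INJECTION_APIS:
            graph[actor].add(target)
    return graph


def injection_chain(events, start):
    """Pids reachable from start over injection edges, in first-visit order.
    For this sample: dropper -> logagent -> Explorer -> wininit -> cmd."""
    graph = injection_graph(events)
    chain, stack = [], [start]
    while stack:
        pid = stack.pop()
        if pid in chain:
            continue
        chain.append(pid)
        # smallest pid first; the second SetThreadContext edge back into
        # Explorer.EXE is a cycle and is skipped by the check above
        stack.extend(sorted(graph[pid], reverse=True))
    return chain


def hijacked_hosts(events):
    """Pids that received SetThreadContext and then act as injectors
    themselves: a legitimate host (here Explorer.EXE) running planted code."""
    targets = {t for api, _, _, t, _ in events if api == "SetThreadContext"}
    injectors = {a for api, a, _, _, _ in events if api in INJECTION_APIS}
    return targets & injectors


def describe_chain(events, start):
    names = image_of(events)
    return " -> ".join(f"{names[pid]}({pid})" for pid in injection_chain(events, start))


if __name__ == "__main__":
    print(describe_chain(EVENTS, 1936))
    print("hijacked hosts:", sorted(hijacked_hosts(EVENTS)))
```

The point of the hijacked-host check is that Explorer.EXE is the parent of wininit.exe in the tree, so a rule that only asks "who spawned the SysWOW64 binary" sees a normal shell launch; the tell is that Explorer.EXE was itself a SetThreadContext target shortly before. On a live host the same edges come from process-access telemetry (for example Sysmon ProcessAccess events) rather than from a sandbox table.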
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
- memory/864-70-0x0000000001F10000-0x0000000002213000-memory.dmp (3.0MB)
- memory/864-68-0x00000000000D0000-0x00000000000D1000-memory.dmp (4KB)
- memory/864-71-0x0000000000320000-0x0000000000334000-memory.dmp (80KB)
- memory/864-63-0x0000000072480000-0x00000000724AE000-memory.dmp (184KB)
- memory/864-64-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)
- memory/864-66-0x0000000000000000-mapping.dmp
- memory/864-69-0x0000000072480000-0x00000000724AE000-memory.dmp (184KB)
- memory/1004-75-0x00000000006F0000-0x000000000070A000-memory.dmp (104KB)
- memory/1004-73-0x0000000000000000-mapping.dmp
- memory/1004-76-0x0000000000080000-0x00000000000AE000-memory.dmp (184KB)
- memory/1004-77-0x0000000002100000-0x0000000002403000-memory.dmp (3.0MB)
- memory/1004-78-0x00000000005F0000-0x0000000000683000-memory.dmp (588KB)
- memory/1208-79-0x0000000007340000-0x0000000007481000-memory.dmp (1.3MB)
- memory/1208-72-0x0000000006C20000-0x0000000006D48000-memory.dmp (1.2MB)
- memory/1300-74-0x0000000000000000-mapping.dmp
- memory/1936-62-0x00000000003A1000-0x00000000003B5000-memory.dmp (80KB)
- memory/1936-1-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
- memory/1936-0-0x0000000076641000-0x0000000076643000-memory.dmp (8KB)

The two dumps the formbook YARA rule matched in the hollowed processes (864-69 at 0x72480000 and 1004-76 at 0x00080000) are both 184KB (0x2E000 bytes): the same payload image mapped at a different base in each host, which is the dump to start from for configuration extraction.