Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 14-10-2021 06:56
- Static task: static1
- Behavioral task: behavioral1
- Sample: Confirmacion del pedido.exe
- Resource: win7v20210408
General
- Target: Confirmacion del pedido.exe
- Size: 991KB
- MD5: 0e9502be7eceefc502cdf2c78ee19b13
- SHA1: ad1936812db52a98c6bd0ae76000b3a0019554db
- SHA256: ba13df26cb62acc861953da6844d332dd79a6778fbd2c4a6e5bb3d83bcb30d78
- SHA512: e6bba42904e7f80dc3a145079aa156c5387734ceb0c6142874a0e08299c0da3a2d3ff72dac8a82e9338cd23ebf2bb65a5b45827c41f674982d14a76f00b5d15f
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: bc3s
- C2: http://www.topei-products.com/bc3s/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (4 IoCs)
  resource / yara_rule:
  - behavioral2/memory/3604-117-0x0000000000000000-mapping.dmp: formbook
  - behavioral2/memory/3604-119-0x0000000072480000-0x00000000724AE000-memory.dmp: formbook
  - behavioral2/memory/3604-124-0x0000000072480000-0x00000000724AE000-memory.dmp: formbook
  - behavioral2/memory/2852-129-0x0000000000C00000-0x0000000000C2E000-memory.dmp: formbook
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Confirmacion del pedido.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nzvamcw = "C:\\Users\\Public\\Libraries\\wcmavzN.url"
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 3604 (secinit.exe) set thread context of 3028 (Explorer.EXE)
  - PID 3604 (secinit.exe) set thread context of 3028 (Explorer.EXE)
  - PID 2852 (svchost.exe) set thread context of 3028 (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  - PID 3604 secinit.exe (6 entries)
  - PID 2852 svchost.exe (48 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 3028 Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  - PID 3604 secinit.exe (4 entries)
  - PID 2852 svchost.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 3604 secinit.exe
  - Token: SeDebugPrivilege, PID 2852 svchost.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1684 (Confirmacion del pedido.exe) wrote to memory of 3604 (secinit.exe), 6 entries
  - PID 3604 (secinit.exe) wrote to memory of 2852 (svchost.exe), 3 entries
  - PID 2852 (svchost.exe) wrote to memory of 984 (cmd.exe), 3 entries
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   2. C:\Users\Admin\AppData\Local\Temp\Confirmacion del pedido.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Confirmacion del pedido.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\secinit.exe
         Command line: C:\Windows\System32\secinit.exe
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\svchost.exe
            Command line: "C:\Windows\SysWOW64\svchost.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe
               Command line: /c del "C:\Windows\SysWOW64\secinit.exe"
Downloads
- memory/984-130-0x0000000000000000-mapping.dmp
- memory/1684-116-0x0000000002381000-0x0000000002395000-memory.dmp (80KB)
- memory/1684-115-0x0000000000500000-0x00000000005AE000-memory.dmp (696KB)
- memory/2852-127-0x0000000000000000-mapping.dmp
- memory/2852-132-0x00000000031C0000-0x0000000003253000-memory.dmp (588KB)
- memory/2852-131-0x0000000003690000-0x00000000039B0000-memory.dmp (3.1MB)
- memory/2852-129-0x0000000000C00000-0x0000000000C2E000-memory.dmp (184KB)
- memory/2852-128-0x00000000011B0000-0x00000000011BC000-memory.dmp (48KB)
- memory/3028-133-0x00000000065D0000-0x000000000666D000-memory.dmp (628KB)
- memory/3028-123-0x0000000001060000-0x000000000116A000-memory.dmp (1.0MB)
- memory/3028-126-0x0000000002F70000-0x0000000003068000-memory.dmp (992KB)
- memory/3604-119-0x0000000072480000-0x00000000724AE000-memory.dmp (184KB)
- memory/3604-125-0x00000000008A0000-0x00000000008B4000-memory.dmp (80KB)
- memory/3604-124-0x0000000072480000-0x00000000724AE000-memory.dmp (184KB)
- memory/3604-121-0x0000000004430000-0x0000000004750000-memory.dmp (3.1MB)
- memory/3604-122-0x0000000000860000-0x0000000000874000-memory.dmp (80KB)
- memory/3604-118-0x0000000000610000-0x0000000000611000-memory.dmp (4KB)
- memory/3604-117-0x0000000000000000-mapping.dmp