Analysis
Max time kernel: 152s
Max time network: 143s
Platform: windows7_x64
Resource: win7-en-20210920
Submitted: 14-10-2021 14:56
Static task: static1
Behavioral task: behavioral1 (Sample: CMA-CGM_BOOKING CONFIRMATION.exe, Resource: win7-en-20210920)
General
Target: CMA-CGM_BOOKING CONFIRMATION.exe
Size: 136KB
MD5: 8d8de7800608937b14d10bd67119606c
SHA1: bc31409f73d7cae389fb0a7f6d43c4559cdf3b24
SHA256: 312a98e7e1ce67e997898b9fc725d99a2eb0ac2e9e6b1d316f9f5c99ed3a3223
SHA512: 92b5241333d0fe0cd303be979e226be5bd69b5656a733c5a867f5415923773561a584ff5ee15113b727299d11a94f474b624173a8c8b4807711644caa6a7d7d7
Malware Config (extracted)
Family: formbook
Version: 4.1
Campaign: nff
C2: http://www.yellow-wink.com/nff/
Signatures

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

suricata: ET MALWARE FormBook CnC Checkin (GET) (raised twice)

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/316-71-0x0000000000400000-0x0000000000553000-memory.dmp | formbook
behavioral1/memory/316-72-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1064-79-0x0000000000070000-0x000000000009E000-memory.dmp | formbook

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of the QEMU agent, possibly to detect virtualization.
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | CMA-CGM_BOOKING CONFIRMATION.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | CMA-CGM_BOOKING CONFIRMATION.exe

Deletes itself (1 IoC)
pid | process
2028 | cmd.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid | process
316 | CMA-CGM_BOOKING CONFIRMATION.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | process
1296 | CMA-CGM_BOOKING CONFIRMATION.exe
316 | CMA-CGM_BOOKING CONFIRMATION.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1296 set thread context of 316 | 1296 | CMA-CGM_BOOKING CONFIRMATION.exe | CMA-CGM_BOOKING CONFIRMATION.exe
PID 316 set thread context of 1216 | 316 | CMA-CGM_BOOKING CONFIRMATION.exe | Explorer.EXE
PID 1064 set thread context of 1216 | 1064 | cscript.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid | process | hits
316 | CMA-CGM_BOOKING CONFIRMATION.exe | 2
1064 | cscript.exe | 9

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process | hits
1296 | CMA-CGM_BOOKING CONFIRMATION.exe | 1
316 | CMA-CGM_BOOKING CONFIRMATION.exe | 3
1064 | cscript.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 316 | CMA-CGM_BOOKING CONFIRMATION.exe
Token: SeDebugPrivilege | 1064 | cscript.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
1296 | CMA-CGM_BOOKING CONFIRMATION.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | process | target process | hits
PID 1296 wrote to memory of 316 | 1296 | CMA-CGM_BOOKING CONFIRMATION.exe | CMA-CGM_BOOKING CONFIRMATION.exe | 5
PID 1216 wrote to memory of 1064 | 1216 | Explorer.EXE | cscript.exe | 4
PID 1064 wrote to memory of 2028 | 1064 | cscript.exe | cmd.exe | 4
Processes (tree; number is the depth shown in the report)

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe"
      - Checks QEMU agent file
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe"
         - Checks QEMU agent file
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cscript.exe
      command line: "C:\Windows\SysWOW64\cscript.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe"
         - Deletes itself
Downloads (memory dumps)
dump | size
memory/316-71-0x0000000000400000-0x0000000000553000-memory.dmp | 1.3MB
memory/316-66-0x00000000001B0000-0x00000000002B0000-memory.dmp | 1024KB
memory/316-69-0x00000000770B0000-0x0000000077259000-memory.dmp | 1.7MB
memory/316-70-0x0000000077290000-0x0000000077410000-memory.dmp | 1.5MB
memory/316-74-0x000000001DFE0000-0x000000001E1A4000-memory.dmp | 1.8MB
memory/316-72-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/316-62-0x00000000004011A0-mapping.dmp | (no size given)
memory/316-63-0x0000000000400000-0x0000000000553000-memory.dmp | 1.3MB
memory/316-73-0x000000001E5B0000-0x000000001E8B3000-memory.dmp | 3.0MB
memory/1064-80-0x0000000000AC0000-0x0000000000DC3000-memory.dmp | 3.0MB
memory/1064-76-0x0000000000000000-mapping.dmp | (no size given)
memory/1064-81-0x0000000000890000-0x0000000000923000-memory.dmp | 588KB
memory/1064-79-0x0000000000070000-0x000000000009E000-memory.dmp | 184KB
memory/1064-78-0x0000000000FA0000-0x0000000000FC2000-memory.dmp | 136KB
memory/1216-75-0x0000000007550000-0x00000000076F6000-memory.dmp | 1.6MB
memory/1216-82-0x00000000080D0000-0x000000000825A000-memory.dmp | 1.5MB
memory/1296-60-0x0000000075331000-0x0000000075333000-memory.dmp | 8KB
memory/1296-54-0x0000000000220000-0x0000000000226000-memory.dmp | 24KB
memory/1296-58-0x00000000770B0000-0x0000000077259000-memory.dmp | 1.7MB
memory/1296-65-0x0000000077290000-0x0000000077410000-memory.dmp | 1.5MB
memory/1296-59-0x0000000077290000-0x0000000077410000-memory.dmp | 1.5MB
memory/1296-55-0x0000000000220000-0x000000000022A000-memory.dmp | 40KB
memory/1296-56-0x00000000003D0000-0x00000000003E7000-memory.dmp | 92KB
memory/2028-77-0x0000000000000000-mapping.dmp | (no size given)