Analysis
- max time kernel: 156s
- max time network: 168s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 14-10-2021 14:56

Static task: static1
Behavioral task: behavioral1
Sample: CMA-CGM_BOOKING CONFIRMATION.exe
Resource: win7-en-20210920
General
- Target: CMA-CGM_BOOKING CONFIRMATION.exe
- Size: 136KB
- MD5: 8d8de7800608937b14d10bd67119606c
- SHA1: bc31409f73d7cae389fb0a7f6d43c4559cdf3b24
- SHA256: 312a98e7e1ce67e997898b9fc725d99a2eb0ac2e9e6b1d316f9f5c99ed3a3223
- SHA512: 92b5241333d0fe0cd303be979e226be5bd69b5656a733c5a867f5415923773561a584ff5ee15113b727299d11a94f474b624173a8c8b4807711644caa6a7d7d7
Malware Config
Extracted
formbook
4.1
nff
http://www.yellow-wink.com/nff/
shinseikai.site
creditmystartup.com
howtovvbucks.com
betterfromthebeginning.com
oubacm.com
stonalogov.com
gentrypartyof8.com
cuesticksandsupplies.com
joelsavestheday.com
llanobnb.com
ecclogic.com
miempaque.com
cai23668.com
miscdr.net
twzhhq.com
bloomandbrewcafe.com
angcomleisure.com
mafeeboutique.com
300coin.club
brooksranchhomes.com
konversiondigital.com
dominivision.com
superiorshinedetailing.net
thehomechef.global
dating-web.site
gcbsclubc.com
mothererph.com
pacleanfuel.com
jerseryshorenflflagfootball.com
roberthyatt.com
wwwmacsports.com
tearor.com
american-ai.com
mkyiyuan.com
gempharmatechllc.com
verdijvtc.com
zimnik-bibo.one
heatherdarkauthor.net
dunn-labs.com
automotivevita.com
bersatubagaidulu.com
gorillarecruiting.com
mikecdmusic.com
femuveewedre.com
onyxmodsllc.com
ooweesports.com
dezeren.com
foeweifgoor73dz.com
sorchaashe.com
jamiitulivu.com
jifengshijie.com
ranchfiberglas.com
glendalesocialmediaagency.com
icuvietnam.com
404hapgood.com
planetturmeric.com
danfrem.com
amazonautomationbusiness.com
switchfinder.com
diversifiedforest.com
findnehomes.com
rsyueda.com
colombianmatrimony.com
evan-dawson.info
Signatures
-
Guloader, Cloudeye
A shellcode based downloader first seen in 2020.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 4 IoCs
resource                                                                        yara_rule
behavioral2/memory/3144-128-0x0000000000400000-0x0000000000553000-memory.dmp    formbook
behavioral2/memory/3144-129-0x0000000000400000-0x000000000042E000-memory.dmp    formbook
behavioral2/memory/3144-133-0x0000000000401000-0x0000000000541000-memory.dmp    formbook
behavioral2/memory/1380-138-0x0000000003200000-0x000000000322E000-memory.dmp    formbook
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: CMA-CGM_BOOKING CONFIRMATION.exe, CMA-CGM_BOOKING CONFIRMATION.exe
description               ioc                                    process
File opened (read-only)   C:\Program Files\Qemu-ga\qemu-ga.exe   CMA-CGM_BOOKING CONFIRMATION.exe
File opened (read-only)   C:\Program Files\Qemu-ga\qemu-ga.exe   CMA-CGM_BOOKING CONFIRMATION.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: CMA-CGM_BOOKING CONFIRMATION.exe
pid    process
3144   CMA-CGM_BOOKING CONFIRMATION.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: CMA-CGM_BOOKING CONFIRMATION.exe, CMA-CGM_BOOKING CONFIRMATION.exe
pid    process
4076   CMA-CGM_BOOKING CONFIRMATION.exe
3144   CMA-CGM_BOOKING CONFIRMATION.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes: CMA-CGM_BOOKING CONFIRMATION.exe, CMA-CGM_BOOKING CONFIRMATION.exe, systray.exe
description                           pid    process                            target process
PID 4076 set thread context of 3144   4076   CMA-CGM_BOOKING CONFIRMATION.exe   CMA-CGM_BOOKING CONFIRMATION.exe
PID 3144 set thread context of 3028   3144   CMA-CGM_BOOKING CONFIRMATION.exe   Explorer.EXE
PID 3144 set thread context of 3028   3144   CMA-CGM_BOOKING CONFIRMATION.exe   Explorer.EXE
PID 1380 set thread context of 3028   1380   systray.exe                        Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: CMA-CGM_BOOKING CONFIRMATION.exe, systray.exe
pid    process
3144   CMA-CGM_BOOKING CONFIRMATION.exe   (6 entries)
1380   systray.exe                        (20 entries)
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: CMA-CGM_BOOKING CONFIRMATION.exe, CMA-CGM_BOOKING CONFIRMATION.exe, systray.exe
pid    process
4076   CMA-CGM_BOOKING CONFIRMATION.exe   (1 entry)
3144   CMA-CGM_BOOKING CONFIRMATION.exe   (4 entries)
1380   systray.exe                        (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: CMA-CGM_BOOKING CONFIRMATION.exe, systray.exe
description               pid    process
Token: SeDebugPrivilege   3144   CMA-CGM_BOOKING CONFIRMATION.exe
Token: SeDebugPrivilege   1380   systray.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: CMA-CGM_BOOKING CONFIRMATION.exe
pid    process
4076   CMA-CGM_BOOKING CONFIRMATION.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes: CMA-CGM_BOOKING CONFIRMATION.exe, Explorer.EXE, systray.exe
description                        pid    process                            target process
PID 4076 wrote to memory of 3144   4076   CMA-CGM_BOOKING CONFIRMATION.exe   CMA-CGM_BOOKING CONFIRMATION.exe   (4 entries)
PID 3028 wrote to memory of 1380   3028   Explorer.EXE                       systray.exe                        (3 entries)
PID 1380 wrote to memory of 1500   1380   systray.exe                        cmd.exe                            (3 entries)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe"
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe"
      - Checks QEMU agent file
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autofmt.exe (depth 2; 9 separate instances launched, each with no signatures)
    command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\systray.exe (depth 2)
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1380-141-0x0000000004B10000-0x0000000004BA3000-memory.dmp (Filesize 588KB)
- memory/1380-140-0x0000000004750000-0x0000000004A70000-memory.dmp (Filesize 3.1MB)
- memory/1380-137-0x0000000000FD0000-0x0000000000FD6000-memory.dmp (Filesize 24KB)
- memory/1380-138-0x0000000003200000-0x000000000322E000-memory.dmp (Filesize 184KB)
- memory/1380-136-0x0000000000000000-mapping.dmp
- memory/1500-139-0x0000000000000000-mapping.dmp
- memory/3028-132-0x0000000005E80000-0x0000000005FCA000-memory.dmp (Filesize 1.3MB)
- memory/3028-142-0x0000000004E10000-0x0000000004F2B000-memory.dmp (Filesize 1.1MB)
- memory/3028-135-0x00000000026B0000-0x000000000276B000-memory.dmp (Filesize 748KB)
- memory/3144-121-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize 1.3MB)
- memory/3144-120-0x00000000004011A0-mapping.dmp
- memory/3144-127-0x0000000077790000-0x000000007791E000-memory.dmp (Filesize 1.6MB)
- memory/3144-128-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize 1.3MB)
- memory/3144-129-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
- memory/3144-131-0x000000001E2A0000-0x000000001E2B4000-memory.dmp (Filesize 80KB)
- memory/3144-130-0x000000001E420000-0x000000001E740000-memory.dmp (Filesize 3.1MB)
- memory/3144-125-0x0000000000560000-0x0000000000660000-memory.dmp (Filesize 1024KB)
- memory/3144-133-0x0000000000401000-0x0000000000541000-memory.dmp (Filesize 1.2MB)
- memory/3144-126-0x00007FFDD8870000-0x00007FFDD8A4B000-memory.dmp (Filesize 1.9MB)
- memory/3144-134-0x0000000000160000-0x0000000000174000-memory.dmp (Filesize 80KB)
- memory/3144-123-0x0000000000401000-0x00000000004FD000-memory.dmp (Filesize 1008KB)
- memory/4076-115-0x00000000001D0000-0x00000000001D6000-memory.dmp (Filesize 24KB)
- memory/4076-124-0x0000000077790000-0x000000007791E000-memory.dmp (Filesize 1.6MB)
- memory/4076-119-0x0000000077790000-0x000000007791E000-memory.dmp (Filesize 1.6MB)
- memory/4076-118-0x00007FFDD8870000-0x00007FFDD8A4B000-memory.dmp (Filesize 1.9MB)
- memory/4076-117-0x0000000002310000-0x0000000002327000-memory.dmp (Filesize 92KB)
- memory/4076-116-0x00000000001D0000-0x00000000001DA000-memory.dmp (Filesize 40KB)