Analysis

max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-en-20210920
submitted: 15-10-2021 17:18

Static task: static1
Behavioral task: behavioral1
  Sample: ARRIVAL NOTICE AND IMPORT PERMIT.exe
  Resource: win7-en-20210920
General

Target: ARRIVAL NOTICE AND IMPORT PERMIT.exe
Size: 136KB
MD5: 14286f5d33d5d0db8c2cf853588105de
SHA1: 0054237732dfb296e5b5429886a057e4374c1515
SHA256: 0bf8feda9e131c4b5bc7b17218880c3a492f702fa9fd6dc9d10f5a62a72aa08a
SHA512: f8169fc9ed525a268dca75f6e1e836fae00dabe3876aaf4766d21cf8d883fa91f0e4a6c8c9fcee3daec6ac6db0100614e7bbf0720b9015cd98015043dafe627d
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: s0vc
C2: http://www.xn--289an7fmsbe2rud327e.com/s0vc/
Decoy domains (64):
redstonemanagers.com
graffitiparktx.com
aliturk.com
asicsmalaysiasale.com
primetimehandyman.com
logjed068.xyz
rusicedream.com
rickcaronmuseum.com
softwarebuynow.com
buddysbarkery.com
ysm99.com
rtetrgwgre.xyz
97020.xyz
utahblind.site
hiyym.com
rohukager.xyz
vcstudentwork.com
oxfordautomotivepa.com
salibrown.com
tekosocks.com
creekincrystals.com
clairewashere.site
emiratli.xyz
eusoufernandorocha.com
regionalleadmap.guide
firstselectindia.com
megamodamaster.com
ritmicatop.com
hextellconstructions.com
axismath.com
tadowequsotot.rest
hw0745.com
a-great-online-mba-es-lagdn.fyi
nazlialisverissitesi.com
bolacn.com
thegroundknowledge.com
brooksuper.com
readyneed.net
gentciu.com
trywelles.website
colab.farm
taylormadedfwhometeam.net
gosh-opium.club
hayyjameel.cloud
898192.com
pwnedpasswordsnft.com
pastormarkusgh.com
toonkor.golf
ambientmusicartist.com
chrisforjp.com
shzd2.com
lonestarbiologics.com
thinktimelogisticsllc.com
472291.com
heidoulife.com
lisamf.xyz
captainamberbeard.net
csishj.com
perfectnethost.com
abovethebarn.net
everhuntingabandon.xyz
satima.net
xn--jj0bs99byvj.com
smitheating.com
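The campaign token above (s0vc) is also the URI path the bot requests, as the C2 URL shows, and Formbook carries a list of decoy hosts that it contacts alongside the real C2, so a blocklist or hunt query built from this config has to cover every host, not just the one labelled C2. The script below is an added example for hunting that check-in shape in proxy logs; it is not part of this report or of the sandbox's own tooling. The hosts and path are copied from the extracted config above; the log line format and the sample lines are constructed for the example, and the query string in them is a placeholder rather than the real beacon format.

```python
"""Flag Formbook check-ins in proxy logs using the config extracted above (added example)."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of this report.
CAMPAIGN_PATH = "s0vc"
C2_URL = "http://www.xn--289an7fmsbe2rud327e.com/s0vc/"
DECOY_DOMAINS = [
    "redstonemanagers.com", "graffitiparktx.com", "aliturk.com", "asicsmalaysiasale.com",
    "primetimehandyman.com", "logjed068.xyz", "rusicedream.com", "rickcaronmuseum.com",
    "softwarebuynow.com", "buddysbarkery.com", "ysm99.com", "rtetrgwgre.xyz",
    "97020.xyz", "utahblind.site", "hiyym.com", "rohukager.xyz",
    "vcstudentwork.com", "oxfordautomotivepa.com", "salibrown.com", "tekosocks.com",
    "creekincrystals.com", "clairewashere.site", "emiratli.xyz", "eusoufernandorocha.com",
    "regionalleadmap.guide", "firstselectindia.com", "megamodamaster.com", "ritmicatop.com",
    "hextellconstructions.com", "axismath.com", "tadowequsotot.rest", "hw0745.com",
    "a-great-online-mba-es-lagdn.fyi", "nazlialisverissitesi.com", "bolacn.com", "thegroundknowledge.com",
    "brooksuper.com", "readyneed.net", "gentciu.com", "trywelles.website",
    "colab.farm", "taylormadedfwhometeam.net", "gosh-opium.club", "hayyjameel.cloud",
    "898192.com", "pwnedpasswordsnft.com", "pastormarkusgh.com", "toonkor.golf",
    "ambientmusicartist.com", "chrisforjp.com", "shzd2.com", "lonestarbiologics.com",
    "thinktimelogisticsllc.com", "472291.com", "heidoulife.com", "lisamf.xyz",
    "captainamberbeard.net", "csishj.com", "perfectnethost.com", "abovethebarn.net",
    "everhuntingabandon.xyz", "satima.net", "xn--jj0bs99byvj.com", "smitheating.com",
]


def normalize_host(host: str) -> str:
    """Lower-case and drop a leading "www." so config hosts and log hosts compare equal
    (the bot prefixes "www." itself, as the C2 URL above shows)."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def watch_hosts() -> frozenset:
    """Every host the bot may contact: the configured C2 plus all decoys."""
    hosts = {normalize_host(urlsplit(C2_URL).hostname)}
    hosts.update(normalize_host(d) for d in DECOY_DOMAINS)
    return frozenset(hosts)


# Constructed log format for this example (not from the report): "<ts> <src_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(line: str, hosts: Optional[frozenset] = None) -> Optional[dict]:
    """Return a hit record for a log line that touches a configured host, else None.
    verdict "checkin": host is in the config and the path sits under /<campaign>/, the
    GET shape the Suricata rule above matches; "host-only": host matched, other path."""
    hosts = hosts or watch_hosts()
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    if not u.hostname or normalize_host(u.hostname) not in hosts:
        return None
    on_campaign_path = u.path.startswith(f"/{CAMPAIGN_PATH}/")
    return {"ts": m["ts"], "src": m["src"], "host": normalize_host(u.hostname),
            "path": u.path, "verdict": "checkin" if on_campaign_path else "host-only"}


def scan(lines):
    """Run classify() over a log and keep only the hits."""
    hosts = watch_hosts()
    return [hit for hit in (classify(line, hosts) for line in lines) if hit]


# Constructed sample log; the query string is a placeholder, not the real beacon format.
SAMPLE_LOG = """\
2021-10-15T17:19:02Z 10.0.0.23 GET http://www.xn--289an7fmsbe2rud327e.com/s0vc/?q=placeholder 404
2021-10-15T17:19:03Z 10.0.0.23 GET http://www.redstonemanagers.com/s0vc/?q=placeholder 200
2021-10-15T17:19:05Z 10.0.0.23 GET http://www.redstonemanagers.com/index.html 200
2021-10-15T17:19:07Z 10.0.0.23 GET http://example.com/s0vc/ 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "host-only" hit on a decoy is weak evidence on its own, since most decoys are ordinary live sites; the combination of a configured host and the /s0vc/ path is what the Suricata rule keys on and what to treat as a check-in.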
Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.

suricata: ET MALWARE FormBook CnC Checkin (GET)  (listed twice, i.e. two alerts)

Formbook Payload  (2 IoCs)
resource                                                                       yara_rule
behavioral1/memory/556-70-0x0000000000400000-0x0000000000553000-memory.dmp     formbook
behavioral1/memory/1228-77-0x00000000000C0000-0x00000000000EF000-memory.dmp    formbook

Checks QEMU agent file  (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
description              ioc                                     process
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe    ARRIVAL NOTICE AND IMPORT PERMIT.exe
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe    ARRIVAL NOTICE AND IMPORT PERMIT.exe

Deletes itself  (1 IoC)
pid   process
1168  cmd.exe

Suspicious use of NtCreateThreadExHideFromDebugger  (1 IoC)
pid   process
556   ARRIVAL NOTICE AND IMPORT PERMIT.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  (2 IoCs)
pid   process
1128  ARRIVAL NOTICE AND IMPORT PERMIT.exe
556   ARRIVAL NOTICE AND IMPORT PERMIT.exe

Suspicious use of SetThreadContext  (3 IoCs)
description                          pid   process                               target process
PID 1128 set thread context of 556   1128  ARRIVAL NOTICE AND IMPORT PERMIT.exe  ARRIVAL NOTICE AND IMPORT PERMIT.exe
PID 556 set thread context of 1360   556   ARRIVAL NOTICE AND IMPORT PERMIT.exe  Explorer.EXE
PID 1228 set thread context of 1360  1228  svchost.exe                           Explorer.EXE

Suspicious behavior: EnumeratesProcesses  (13 IoCs)
pid   process                               occurrences
556   ARRIVAL NOTICE AND IMPORT PERMIT.exe  2
1228  svchost.exe                           11

Suspicious behavior: MapViewOfSection  (6 IoCs)
pid   process                               occurrences
1128  ARRIVAL NOTICE AND IMPORT PERMIT.exe  1
556   ARRIVAL NOTICE AND IMPORT PERMIT.exe  3
1228  svchost.exe                           2

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  556   ARRIVAL NOTICE AND IMPORT PERMIT.exe
Token: SeDebugPrivilege  1228  svchost.exe

Suspicious use of SetWindowsHookEx  (1 IoC)
pid   process
1128  ARRIVAL NOTICE AND IMPORT PERMIT.exe

Suspicious use of WriteProcessMemory  (13 IoCs)
description                       pid   process                               target process                        occurrences
PID 1128 wrote to memory of 556   1128  ARRIVAL NOTICE AND IMPORT PERMIT.exe  ARRIVAL NOTICE AND IMPORT PERMIT.exe  5
PID 1360 wrote to memory of 1228  1360  Explorer.EXE                          svchost.exe                           4
PID 1228 wrote to memory of 1168  1228  svchost.exe                           cmd.exe                               4
Processes
(tree depth from the report; PIDs correlated from the IoC tables above)

C:\Windows\Explorer.EXE  [depth 1; PID 1360]
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ARRIVAL NOTICE AND IMPORT PERMIT.exe  [depth 2; PID 1128]
    command line: "C:\Users\Admin\AppData\Local\Temp\ARRIVAL NOTICE AND IMPORT PERMIT.exe"
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ARRIVAL NOTICE AND IMPORT PERMIT.exe  [depth 3; PID 556]
      command line: "C:\Users\Admin\AppData\Local\Temp\ARRIVAL NOTICE AND IMPORT PERMIT.exe"
      - Checks QEMU agent file
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe  [depth 2; PID 1228]
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [depth 3; PID 1168]
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\ARRIVAL NOTICE AND IMPORT PERMIT.exe"
      - Deletes itself
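Read together, the SetThreadContext and WriteProcessMemory tables and the process tree describe the injection chain: the first sample process writes into a second copy of itself and swaps its thread context (process hollowing), the hollowed copy then sets the thread context of Explorer.EXE, a process it did not create, and Explorer goes on to spawn svchost.exe from SysWOW64, which injects back into Explorer and finally runs cmd.exe to delete the original file. The script below is an added example, not part of this report or the sandbox, that reconstructs that chain from the IoC rows exactly as they appear above; the parent map and image names are transcribed from the tree, and the edge labels ("hollowing", "inject-into-existing", "write-to-child") are the example's own heuristics, not sandbox signature names.

```python
"""Reconstruct the injection chain from this report's IoC rows (added example)."""
import re
from collections import Counter

# Rows transcribed from the "Suspicious use of SetThreadContext" table above.
SET_CONTEXT_ROWS = [
    "PID 1128 set thread context of 556 1128 ARRIVAL NOTICE AND IMPORT PERMIT.exe ARRIVAL NOTICE AND IMPORT PERMIT.exe",
    "PID 556 set thread context of 1360 556 ARRIVAL NOTICE AND IMPORT PERMIT.exe Explorer.EXE",
    "PID 1228 set thread context of 1360 1228 svchost.exe Explorer.EXE",
]
# Rows transcribed from the "Suspicious use of WriteProcessMemory" table above (13 rows).
WRITE_MEMORY_ROWS = (
    ["PID 1128 wrote to memory of 556 1128 ARRIVAL NOTICE AND IMPORT PERMIT.exe ARRIVAL NOTICE AND IMPORT PERMIT.exe"] * 5
    + ["PID 1360 wrote to memory of 1228 1360 Explorer.EXE svchost.exe"] * 4
    + ["PID 1228 wrote to memory of 1168 1228 svchost.exe cmd.exe"] * 4
)
# Parent/child links and image names read off the process tree above.
PARENT = {1128: 1360, 556: 1128, 1228: 1360, 1168: 1228}
NAMES = {1360: "Explorer.EXE", 1128: "ARRIVAL NOTICE AND IMPORT PERMIT.exe",
         556: "ARRIVAL NOTICE AND IMPORT PERMIT.exe", 1228: "svchost.exe", 1168: "cmd.exe"}
# The cmd.exe command line and the sample path, both from the report.
SELF_DELETE_CMDLINE = r'/c del "C:\Users\Admin\AppData\Local\Temp\ARRIVAL NOTICE AND IMPORT PERMIT.exe"'
TARGET_PATH = r"C:\Users\Admin\AppData\Local\Temp\ARRIVAL NOTICE AND IMPORT PERMIT.exe"

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) ")


def parse_rows(rows):
    """Count (src_pid, action, dst_pid) triples; the sandbox emits one row per API call."""
    counts = Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row}")
        counts[(int(m[1]), m[2], int(m[3]))] += 1
    return counts


def classify_edges(set_ctx_rows, write_rows):
    """Merge both tables into one edge per (src, dst) and label it.
    Heuristic labels (this example's own, not the sandbox's):
      hollowing             thread-context swap on a child the source itself created
      inject-into-existing  thread-context swap on a process the source did not create
      write-to-child        writes only, into its own child (often just process start-up)
      write                 writes only, into an unrelated process
    """
    edges = {}
    for (src, action, dst), n in (parse_rows(set_ctx_rows) + parse_rows(write_rows)).items():
        e = edges.setdefault((src, dst), {"write": 0, "setctx": 0})
        e["setctx" if action.startswith("set") else "write"] += n
    labelled = []
    for (src, dst), e in sorted(edges.items()):
        own_child = PARENT.get(dst) == src
        if e["setctx"] and own_child:
            kind = "hollowing"
        elif e["setctx"]:
            kind = "inject-into-existing"
        elif own_child:
            kind = "write-to-child"
        else:
            kind = "write"
        labelled.append({"src": src, "dst": dst, "kind": kind, **e})
    return labelled


def flow(edges, start):
    """Walk the labelled edges from `start` and render each hop in order."""
    by_src = {}
    for e in edges:
        by_src.setdefault(e["src"], []).append(e)
    seen, lines, stack = set(), [], [start]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        for e in by_src.get(pid, []):
            lines.append(f'{e["src"]} {NAMES[e["src"]]} -> {e["dst"]} {NAMES[e["dst"]]}: '
                         f'{e["kind"]} (writes={e["write"]}, setctx={e["setctx"]})')
            stack.append(e["dst"])
    return lines


def is_self_delete(cmdline, sample_path):
    """True when a cmd.exe command line deletes the sample's own path ("Deletes itself")."""
    m = re.search(r'del\s+"?(.+?)"?\s*$', cmdline, re.IGNORECASE)
    return bool(m) and m[1].lower() == sample_path.lower()


if __name__ == "__main__":
    for line in flow(classify_edges(SET_CONTEXT_ROWS, WRITE_MEMORY_ROWS), start=1128):
        print(line)
    print("self-delete:", is_self_delete(SELF_DELETE_CMDLINE, TARGET_PATH))
```

The distinction the labels draw is the one worth carrying into detection logic: a context swap on a process the writer did not spawn (556 into Explorer, svchost into Explorer) is rarely benign, whereas writes into a freshly created child are also produced by ordinary process start-up and need the accompanying SetThreadContext to count as hollowing.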
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
file                                                              size
memory/556-65-0x00000000001B0000-0x00000000002B0000-memory.dmp    1024KB
memory/556-72-0x000000001E220000-0x000000001E234000-memory.dmp    80KB
memory/556-71-0x000000001E820000-0x000000001EB23000-memory.dmp    3.0MB
memory/556-70-0x0000000000400000-0x0000000000553000-memory.dmp    1.3MB
memory/556-69-0x0000000077010000-0x0000000077190000-memory.dmp    1.5MB
memory/556-68-0x0000000076E30000-0x0000000076FD9000-memory.dmp    1.7MB
memory/556-61-0x00000000004011A0-mapping.dmp                      n/a (mapping)
memory/556-62-0x0000000000400000-0x0000000000553000-memory.dmp    1.3MB
memory/1128-59-0x0000000077010000-0x0000000077190000-memory.dmp   1.5MB
memory/1128-53-0x0000000000220000-0x0000000000226000-memory.dmp   24KB
memory/1128-58-0x0000000076E30000-0x0000000076FD9000-memory.dmp   1.7MB
memory/1128-57-0x0000000074B41000-0x0000000074B43000-memory.dmp   8KB
memory/1128-55-0x00000000002B0000-0x00000000002C7000-memory.dmp   92KB
memory/1128-54-0x0000000000220000-0x000000000022A000-memory.dmp   40KB
memory/1128-64-0x0000000077010000-0x0000000077190000-memory.dmp   1.5MB
memory/1168-75-0x0000000000000000-mapping.dmp                     n/a (mapping)
memory/1228-76-0x0000000000C70000-0x0000000000C78000-memory.dmp   32KB
memory/1228-74-0x0000000000000000-mapping.dmp                     n/a (mapping)
memory/1228-77-0x00000000000C0000-0x00000000000EF000-memory.dmp   188KB
memory/1228-78-0x0000000000810000-0x0000000000B13000-memory.dmp   3.0MB
memory/1228-79-0x0000000000680000-0x0000000000713000-memory.dmp   588KB
memory/1360-73-0x0000000004730000-0x000000000480E000-memory.dmp   888KB
memory/1360-80-0x0000000004B10000-0x0000000004BC4000-memory.dmp   720KB