Analysis
- max time kernel: 146s
- max time network: 172s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 19-10-2021 06:36

Static task: static1
Behavioral task: behavioral1
Sample: Document RFQ#8086A_461A_0000086_300_3550_2021.exe
Resource: win7-en-20210920
General
- Target: Document RFQ#8086A_461A_0000086_300_3550_2021.exe
- Size: 510KB
- MD5: a445dd187c6dc7254da6d2f0d893f2fb
- SHA1: c0548d4ed4a9c2b68fbcf592e9a892fa587d5b0e
- SHA256: 2a2187ae775f286c2400957b71aac1c550779fc6652a710d126546d4d4879f0f
- SHA512: ec8fb387474fe1a737ea46d67e5b2e363ecb6c35634e1af63e465fb487c8ae2b7684d128d8ea982d6234110dee83a4601b6fba64f05765a41927f580520c527e
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: g8ni
- C2: http://www.er5544.com/g8ni/
- Decoy domains:
nickmowat.com
garethjame.biz
colibrilift.com
vulnerabilitylabs.one
neuro-ai-web-ru.website
16mcnaestreetmooneeponds.com
bestofstmaarten.net
meditelier.com
ragnarduke.com
escueladecampo.com
vongtayvn.com
inmemoriamaan.com
yourpeoplemanager.com
r6-gytr.com
agreeablebeauty.com
snpconfirms.com
tribalurq.quest
purafuse.com
cisco-training-course.com
wery.top
haiyaa.tech
schtefo.net
kenytc.com
energypopcorn.com
0urls.top
artiatec.com
enqum.com
nextcloud.solutions
stateaffairsng.com
727bpay.com
matchmakerfiji.com
qingdouge.com
nusrattelbdoffical.xyz
seo-clicks7.com
aspirateurs.net
autosandmorestore.com
moje-akvarium.net
uehddw.com
geschmacksakademie.com
gendarmerie.email
buynftinc.com
mission-nao.com
webmakers.xyz
federationwholesale.com
tjbieying.com
finestpoints.com
premiersloyko.xyz
carlislepartssurvey.com
hackernfts.com
abitvip.com
iphone13mini.supplies
thenorthfacedeal.online
swlhvipbj.com
elguije.com
auto2pl.com
route112mitsubishi.com
zilliq.com
pumateam04.com
xtzztf.com
sacmaudantoc.xyz
kalafwalker.com
jumeaux-numeriques.com
purposefulwork.com
jacquelineblog.info
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (3 IoCs)
Processes (resource | yara_rule):
- behavioral1/memory/1676-61-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
- behavioral1/memory/1676-62-0x000000000041F0C0-mapping.dmp | formbook
- behavioral1/memory/1488-70-0x0000000000070000-0x000000000009F000-memory.dmp | formbook

Deletes itself (1 IoC)
Processes (pid | process):
- 1320 | cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid | process | target process):
- PID 1064 set thread context of 1676 | 1064 | Document RFQ#8086A_461A_0000086_300_3550_2021.exe | Document RFQ#8086A_461A_0000086_300_3550_2021.exe
- PID 1676 set thread context of 1420 | 1676 | Document RFQ#8086A_461A_0000086_300_3550_2021.exe | Explorer.EXE
- PID 1488 set thread context of 1420 | 1488 | cscript.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes (pid | process):
- 1064 | Document RFQ#8086A_461A_0000086_300_3550_2021.exe (6 entries)
- 1676 | Document RFQ#8086A_461A_0000086_300_3550_2021.exe (2 entries)
- 1488 | cscript.exe (19 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid | process):
- 1676 | Document RFQ#8086A_461A_0000086_300_3550_2021.exe (3 entries)
- 1488 | cscript.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1064 | Document RFQ#8086A_461A_0000086_300_3550_2021.exe
- Token: SeDebugPrivilege | 1676 | Document RFQ#8086A_461A_0000086_300_3550_2021.exe
- Token: SeDebugPrivilege | 1488 | cscript.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
- 1420 | Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid | process):
- 1420 | Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description | pid | process | target process):
- PID 1064 wrote to memory of 608 | 1064 | Document RFQ#8086A_461A_0000086_300_3550_2021.exe | schtasks.exe (4 entries)
- PID 1064 wrote to memory of 1676 | 1064 | Document RFQ#8086A_461A_0000086_300_3550_2021.exe | Document RFQ#8086A_461A_0000086_300_3550_2021.exe (7 entries)
- PID 1420 wrote to memory of 1488 | 1420 | Explorer.EXE | cscript.exe (4 entries)
- PID 1488 wrote to memory of 1320 | 1488 | cscript.exe | cmd.exe (4 entries)
Processes (process tree; indentation shows parent/child depth)
- [1] C:\Windows\Explorer.EXE
      Command line: C:\Windows\Explorer.EXE
      Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Document RFQ#8086A_461A_0000086_300_3550_2021.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Document RFQ#8086A_461A_0000086_300_3550_2021.exe"
        Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLhDhkGdnNl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB30.tmp"
          Signatures: Creates scheduled task(s)
    - [3] C:\Users\Admin\AppData\Local\Temp\Document RFQ#8086A_461A_0000086_300_3550_2021.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Document RFQ#8086A_461A_0000086_300_3550_2021.exe"
          Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cscript.exe
        Command line: "C:\Windows\SysWOW64\cscript.exe"
        Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Document RFQ#8086A_461A_0000086_300_3550_2021.exe"
          Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps; path | Filesize)
- memory/608-58-0x0000000000000000-mapping.dmp
- memory/1064-55-0x00000000072C0000-0x00000000072C1000-memory.dmp | 4KB
- memory/1064-56-0x00000000004F0000-0x00000000004F8000-memory.dmp | 32KB
- memory/1064-57-0x00000000048E0000-0x0000000004930000-memory.dmp | 320KB
- memory/1064-53-0x00000000012E0000-0x00000000012E1000-memory.dmp | 4KB
- memory/1320-68-0x0000000000000000-mapping.dmp
- memory/1420-66-0x0000000006790000-0x00000000068A2000-memory.dmp | 1.1MB
- memory/1420-73-0x0000000007030000-0x000000000715F000-memory.dmp | 1.2MB
- memory/1488-67-0x0000000000000000-mapping.dmp
- memory/1488-69-0x00000000002A0000-0x00000000002C2000-memory.dmp | 136KB
- memory/1488-70-0x0000000000070000-0x000000000009F000-memory.dmp | 188KB
- memory/1488-71-0x0000000002200000-0x0000000002503000-memory.dmp | 3.0MB
- memory/1488-72-0x00000000005B0000-0x0000000000643000-memory.dmp | 588KB
- memory/1676-64-0x00000000008F0000-0x0000000000BF3000-memory.dmp | 3.0MB
- memory/1676-65-0x0000000000140000-0x0000000000154000-memory.dmp | 80KB
- memory/1676-62-0x000000000041F0C0-mapping.dmp
- memory/1676-61-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
- memory/1676-60-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
- memory/1676-59-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB