Analysis
- max time kernel: 146s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 25-10-2021 11:02

Static task: static1
Behavioral task: behavioral1
- Sample: dhlexcel9078.excel.exe
- Resource: win7-en-20210920
General
- Target: dhlexcel9078.excel.exe
- Size: 462KB
- MD5: f70df4cd6c3bb5f98021586d550d47d7
- SHA1: 297d8d7a7c8524914d78892e51fe92b034c47bc1
- SHA256: 5898ff655531cce98050d6ac064d14b5e64249c3e8a01110e12b46e93bf72de9
- SHA512: 5eb7a7a7b8866d2a7f5b95cf51aa33b118f602d67fb99401bb56f025a6e5fb06c9e16022f6e8e42f2f64d0f857a7d5fe8a7d100de0ea40661cc37cefdff23488
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: ct6s
- C2: http://www.metalzj.quest/ct6s/
- Decoy domains (the remaining domains in the config; Formbook carries a single real C2 alongside a list of decoys, so the entries below are not C2 hosts and should not be blocked wholesale):
liaquatsibtian.com
erisa.cymru
theultimateone.world
petpartner.info
edison-press.com
ryanmurazik.icu
bukasystems.com
kitsusimplex.com
qatarstyleart.com
brkhot.top
paehdfdtrujdfhs.xyz
createdbybonk.com
kuihoon.com
deathtocustomerservice.com
iotimb.com
greendiamond.pw
millionaireproducers.academy
websitemolsa.com
cbshomeimprovement.com
eardunder.quest
qdsrogijnsoiaha.xyz
winsimplebet8.com
nguyendinhmanh.online
straforkutu.online
jtbfunnels.xyz
sz-videocom.com
budteeshirts.com
teinkstash.com
aohuajz.com
awcarsales.com
thankful.love
yukselfirca.com
gamblz.com
prologuepr.com
georgemanuel.com
crewcamel.team
digesters.info
diosaempoderada.com
pobbs65.xyz
monoscribe.com
kelseycoding.com
lauertmouku.quest
techtalks-2021.com
zhi2021.com
bslf.xyz
socialdiseaseshop.com
bsnguyenhuunam.com
glozhair.com
pieko.net
hirenearyou.com
xoarin.online
beyondracula.com
hoshikoblog1.com
bigbet2298.com
pricetrust-shop.com
afiliadosilva.com
alrayangroups.com
sittingonforgis.online
fiitnutr.com
killeendirectconnection.com
princesstvchannels.com
belleshopdz.com
vanillanoir.com
homodont.com
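The extracted config lists one C2 URL and then 64 further domains. For Formbook the single URL is the real check-in endpoint and the rest are decoys, many of them unrelated live sites, so a practitioner wants the C2 on a block list and the decoys on a watch list only. The script below, an added example that is not part of the sandbox report, does that split and emits a Suricata host+URI rule for the C2; the decoy list is a subset transcribed from this page, and the rule text is the author's own, not the ET signature named under Signatures.

```python
"""Turn the extracted Formbook config into indicators that are safe to act on.

Added example for this report; it is not part of the sandbox output. A
Formbook 4.x config carries one real C2 URL (host + campaign path) plus a
long list of decoy domains; the decoys are unrelated and often legitimate
sites, so they belong on a watch list, never on a block list. The Suricata
rule text below is the author's own, not the ET rule named in the report."""
from urllib.parse import urlparse

# Transcribed from this report's Malware Config section; the decoy list is
# a subset of the 64 domains listed there.
CONFIG = {
    "family": "formbook",
    "version": "4.1",
    "campaign": "ct6s",
    "c2": "http://www.metalzj.quest/ct6s/",
    "decoys": [
        "liaquatsibtian.com", "erisa.cymru", "theultimateone.world",
        "petpartner.info", "edison-press.com", "cbshomeimprovement.com",
        "techtalks-2021.com", "homodont.com",
    ],
}


def c2_parts(config):
    """Split the C2 URL into host and campaign path, checking that the path
    really carries the campaign id the extractor reported."""
    u = urlparse(config["c2"])
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"unexpected C2 URL: {config['c2']!r}")
    path = u.path if u.path.endswith("/") else u.path + "/"
    if f"/{config['campaign']}/" not in path:
        raise ValueError("campaign id not in C2 path; config may be mis-parsed")
    return u.hostname.lower(), path


def classify(config, domain):
    """c2 / decoy / unknown for a host seen in proxy or DNS logs."""
    host, _ = c2_parts(config)
    d = domain.strip().lower().rstrip(".")
    if d == host:
        return "c2"
    if d in {x.lower() for x in config["decoys"]}:
        return "decoy"
    return "unknown"


def iocs(config):
    """Block list (C2 host only) and watch list (decoys), with a sanity check
    that the extractor did not also list the C2 host among the decoys."""
    host, path = c2_parts(config)
    decoys = sorted({x.lower() for x in config["decoys"]})
    if host in decoys:
        raise ValueError("C2 host also appears in decoy list; re-check the config")
    return {"block": [host], "watch": decoys, "uri": path}


def suricata_rule(config, sid):
    """Host + URI check-in rule in Suricata 5+ sticky-buffer syntax
    (author's rule, not the ET signature)."""
    host, path = c2_parts(config)
    msg = f"{config['family']} {config['campaign']} C2 check-in to {host}"
    return (
        f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; '
        'flow:established,to_server; http.method; content:"GET"; '
        f'http.host; content:"{host}"; '
        f'http.uri; content:"{path}"; startswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    print(iocs(CONFIG))
    print(suricata_rule(CONFIG, 9000001))
```

The sid is a local-range placeholder; pick one from your own allocation before deploying the rule.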
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Memory dumps matching yara rule formbook:
- behavioral1/memory/1156-56-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/1156-57-0x000000000041F0C0-mapping.dmp
- behavioral1/memory/540-66-0x00000000000D0000-0x00000000000FF000-memory.dmp
Deletes itself 1 IoCs
Processes:
- PID 816 cmd.exe
Loads dropped DLL 1 IoCs
Processes:
- PID 1776 dhlexcel9078.excel.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 1776 dhlexcel9078.excel.exe set thread context of PID 1156 dhlexcel9078.excel.exe
- PID 1156 dhlexcel9078.excel.exe set thread context of PID 1204 Explorer.EXE
- PID 540 cmstp.exe set thread context of PID 1204 Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox describes this signature generically as likely ransomware behaviour; for this sample, whose memory matches the formbook yara rule and whose Formbook config was extracted above, drive enumeration is consistent with an information stealer and is not by itself evidence of encryption activity.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
- PID 1156 dhlexcel9078.excel.exe (2 hits)
- PID 540 cmstp.exe (28 hits)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 1204 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- PID 1156 dhlexcel9078.excel.exe (3 hits)
- PID 540 cmstp.exe (2 hits)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- PID 1156 dhlexcel9078.excel.exe: Token SeDebugPrivilege
- PID 540 cmstp.exe: Token SeDebugPrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 1204 Explorer.EXE (2 hits)
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- PID 1204 Explorer.EXE (2 hits)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
- PID 1776 dhlexcel9078.excel.exe wrote to memory of PID 1156 dhlexcel9078.excel.exe (7 hits)
- PID 1204 Explorer.EXE wrote to memory of PID 540 cmstp.exe (7 hits)
- PID 540 cmstp.exe wrote to memory of PID 816 cmd.exe (4 hits)
Processes
-
C:\Windows\Explorer.EXE (PID 1204, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe (PID 1776, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe (PID 1156, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmstp.exe (PID 540, depth 2)
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 816, depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
      - Deletes itself
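The process tree and the SetThreadContext / WriteProcessMemory rows together describe one chain: the sample (1776) hollows a second copy of itself (1156), that copy re-threads Explorer.EXE (1204), the injected Explorer spawns cmstp.exe (540) and writes into it, and cmstp.exe finally runs cmd.exe /c del on the original file. The script below, an added example and not part of the sandbox report, transcribes those rows as events and flags each link of the chain the way a detection over Sysmon-style telemetry would; LOLBIN_HOSTS is an assumed watch list (cmstp.exe is the one this report shows), and the rule logic is the author's, not sandbox logic.

```python
"""Reconstruct the injection chain from this report's SetThreadContext,
WriteProcessMemory and process-tree rows and flag the Formbook-style pattern.

Added example; it is not part of the sandbox report. The events are
transcribed from the report (constructed inline so this runs offline); the
rules are the author's idea of what to flag, and LOLBIN_HOSTS is an assumed
watch list, not a sandbox setting."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    api: str           # CreateProcess | SetThreadContext | WriteProcessMemory
    pid: int
    image: str
    target_pid: int
    target_image: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
S, EXP, CM, CMD = "dhlexcel9078.excel.exe", "Explorer.EXE", "cmstp.exe", "cmd.exe"

EVENTS = (
    # process tree (parent -> child)
    [Event("CreateProcess", 1204, EXP, 1776, S),
     Event("CreateProcess", 1776, S, 1156, S),
     Event("CreateProcess", 1204, EXP, 540, CM),
     Event("CreateProcess", 540, CM, 816, CMD)]
    # "Suspicious use of SetThreadContext" (3 IoCs)
    + [Event("SetThreadContext", 1776, S, 1156, S),
       Event("SetThreadContext", 1156, S, 1204, EXP),
       Event("SetThreadContext", 540, CM, 1204, EXP)]
    # "Suspicious use of WriteProcessMemory" (18 IoCs: 7 + 7 + 4)
    + [Event("WriteProcessMemory", 1776, S, 1156, S)] * 7
    + [Event("WriteProcessMemory", 1204, EXP, 540, CM)] * 7
    + [Event("WriteProcessMemory", 540, CM, 816, CMD)] * 4
)

CMDLINES = {  # from the process tree; cmd.exe's is the "Deletes itself" row
    1204: r"C:\Windows\Explorer.EXE",
    1776: f'"{SAMPLE}"',
    1156: f'"{SAMPLE}"',
    540: r'"C:\Windows\SysWOW64\cmstp.exe"',
    816: rf'C:\Windows\SysWOW64\cmd.exe /c del "{SAMPLE}"',
}

# Assumed watch list of system binaries used as a second-stage host; only
# cmstp.exe is attested by this report.
LOLBIN_HOSTS = {"cmstp.exe", "svchost.exe", "msiexec.exe", "netsh.exe", "rundll32.exe"}


def parent_of(events):
    return {e.target_pid: e.pid for e in events if e.api == "CreateProcess"}


def self_hollowing(events):
    """A parent sets the thread context of a child spawned from its own image:
    create-suspended / write / SetThreadContext / resume."""
    par = parent_of(events)
    return sorted({(e.pid, e.target_pid) for e in events
                   if e.api == "SetThreadContext"
                   and e.image.lower() == e.target_image.lower()
                   and par.get(e.target_pid) == e.pid})


def explorer_injection(events):
    """Any non-Explorer process writing to or re-threading Explorer."""
    return sorted({(e.pid, e.image) for e in events
                   if e.api in ("SetThreadContext", "WriteProcessMemory")
                   and e.target_image.lower() == "explorer.exe"
                   and e.image.lower() != "explorer.exe"})


def lolbin_staging(events, hosts=LOLBIN_HOSTS):
    """An already-injected process spawns a system binary and then writes
    into it: the hand-off to the second-stage host."""
    injected = {e.target_pid for e in events if e.api == "SetThreadContext"}
    writes = {(e.pid, e.target_pid) for e in events if e.api == "WriteProcessMemory"}
    return sorted((e.pid, e.target_pid, e.target_image) for e in events
                  if e.api == "CreateProcess" and e.pid in injected
                  and e.target_image.lower() in hosts
                  and (e.pid, e.target_pid) in writes)


DEL_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+"?([^"]+?)"?\s*$', re.I)


def self_delete(cmdlines, sample_path):
    """cmd /c del of the original sample: the 'Deletes itself' row."""
    hits = []
    for pid, cl in cmdlines.items():
        m = DEL_RE.search(cl)
        if m and m.group(1).lower() == sample_path.lower():
            hits.append(pid)
    return sorted(hits)


def write_counts(events):
    return Counter((e.pid, e.target_pid) for e in events if e.api == "WriteProcessMemory")


def analyze(events=EVENTS, cmdlines=CMDLINES, sample=SAMPLE):
    return {
        "self_hollowing": self_hollowing(events),
        "explorer_injection": explorer_injection(events),
        "lolbin_staging": lolbin_staging(events),
        "self_delete": self_delete(cmdlines, sample),
        "write_counts": dict(write_counts(events)),
    }


if __name__ == "__main__":
    for name, value in analyze().items():
        print(f"{name}: {value}")
```

On real telemetry the same four checks map to Sysmon event IDs 1 (process create), 8 and 10 (remote thread / process access); the CreateProcess edge is what separates hollowing of a child from injection into an unrelated process such as Explorer.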
Network
MITRE ATT&CK Enterprise v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsdBC4E.tmp\czzinqps.dll
MD5: f0527931a6c735a6a86502f782c87fa3
SHA1: a36b487436cdca6bc61939fb0593c76ac4cdc75d
SHA256: 0e678111629aa0995633ce91152e618c13abfa6235f86011cc5274fe19712313
SHA512: c3e0a2c61f2979936f0fa545c5f4520041b0e9c11f0b836062dbc272e126bf155e541553e8fca9652fe2ace2de409733583ca74a0378fe7bc6b085a48f851623
(An ns<hex>.tmp directory under %TEMP% is where NSIS installers unpack their plugin DLLs at run time, which fits the "Loads dropped DLL" row for PID 1776.)
-
memory/540-62-0x0000000000000000-mapping.dmp
-
memory/540-68-0x0000000001C90000-0x0000000001D23000-memory.dmp (588KB)
-
memory/540-66-0x00000000000D0000-0x00000000000FF000-memory.dmp (188KB)
-
memory/540-67-0x0000000001EC0000-0x00000000021C3000-memory.dmp (3.0MB)
-
memory/540-65-0x0000000000460000-0x0000000000478000-memory.dmp (96KB)
-
memory/816-64-0x0000000000000000-mapping.dmp
-
memory/1156-57-0x000000000041F0C0-mapping.dmp
-
memory/1156-59-0x00000000008A0000-0x0000000000BA3000-memory.dmp (3.0MB)
-
memory/1156-60-0x0000000000340000-0x0000000000354000-memory.dmp (80KB)
-
memory/1156-56-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
-
memory/1204-61-0x0000000003F00000-0x000000000402A000-memory.dmp (1.2MB)
-
memory/1204-69-0x0000000005F90000-0x0000000006080000-memory.dmp (960KB)
-
memory/1776-54-0x0000000076961000-0x0000000076963000-memory.dmp (8KB)