Analysis
-
max time kernel
151s -
max time network
140s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
28-10-2021 18:36
Static task
static1
Behavioral task
behavioral1
Sample
TT copy for our payment.exe
Resource
win7-en-20210920
General
-
Target
TT copy for our payment.exe
-
Size
430KB
-
MD5
b87c1e2bb5ba0a04b614ba14b6ef91c2
-
SHA1
a02e178c8f33b48f3fa8d548762a29adcc359cac
-
SHA256
fc9165f2702032e355b392fe6ada38cfd6e1eceafb5453de7991369addd266a6
-
SHA512
36889e872c6eb47d664601c39dc789d016260b348a32f2b26ddffbc7603445f492749d3b0c00c2733a7c8a169fb95aa42b0e46166322ef1379f83f89004358f8
Malware Config
Extracted
formbook
4.1
r4gk
http://www.aprilsaak.quest/r4gk/
quantalix.com
animalblog-eggs.com
039skz.xyz
guttas.net
lasantadayparty.com
protegerfinanceservices.com
vixtest.xyz
digitaleconomy.global
0xpax.xyz
mobilehome1688.com
themotionpartners.com
valueney.com
hattuafhv.quest
js0061gj.net
360metaverse.biz
seculardata.com
346727688.xyz
smartmapom.com
moksel.com
exoduswatchco.com
cryptopazar.com
constructioncdr.com
teamlsu.club
vitalflowscam.com
participatetn.info
daysyou.com
beautifulhandwriting.net
risccredit.com
coachingwithkyle.com
tedthemusicguy.com
theukulelejournal.com
enpratikyemektarifleri.com
reaching-far.com
investmentcomp.com
digitalzonecorp.com
internet-treat.com
oligopoly.club
thepropertiesmatterlawfirm.com
jsi.money
8mlcvtd4y.com
tjc075kcn.xyz
floribunda.space
clinpic.com
zhizhengsf.com
thebestsmartphones.com
robertaeelton.com
upcxi.xyz
graywolfdesign.com
elitespeedco.com
asia99.asia
021parkert.com
seo-clicks7.com
com103940689794.icu
thegisguru.com
api-22nnys.com
srothientu.com
hfhcatering.com
strukuwehtet.quest
extramovies.quest
monamodda.com
markbuyskes.com
smartar8.xyz
illarrivelatebut.space
gestionestrategicadl.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1324-61-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1324-62-0x000000000041F110-mapping.dmp formbook behavioral1/memory/340-70-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1408 cmd.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
TT copy for our payment.exeTT copy for our payment.execmmon32.exedescription pid process target process PID 932 set thread context of 1324 932 TT copy for our payment.exe TT copy for our payment.exe PID 1324 set thread context of 1428 1324 TT copy for our payment.exe Explorer.EXE PID 340 set thread context of 1428 340 cmmon32.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
TT copy for our payment.exeTT copy for our payment.execmmon32.exepid process 932 TT copy for our payment.exe 932 TT copy for our payment.exe 932 TT copy for our payment.exe 932 TT copy for our payment.exe 1324 TT copy for our payment.exe 1324 TT copy for our payment.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe 340 cmmon32.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
TT copy for our payment.execmmon32.exepid process 1324 TT copy for our payment.exe 1324 TT copy for our payment.exe 1324 TT copy for our payment.exe 340 cmmon32.exe 340 cmmon32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
TT copy for our payment.exeTT copy for our payment.execmmon32.exedescription pid process Token: SeDebugPrivilege 932 TT copy for our payment.exe Token: SeDebugPrivilege 1324 TT copy for our payment.exe Token: SeDebugPrivilege 340 cmmon32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1428 Explorer.EXE 1428 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1428 Explorer.EXE 1428 Explorer.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
TT copy for our payment.exeExplorer.EXEcmmon32.exedescription pid process target process PID 932 wrote to memory of 1324 932 TT copy for our payment.exe TT copy for our payment.exe PID 932 wrote to memory of 1324 932 TT copy for our payment.exe TT copy for our payment.exe PID 932 wrote to memory of 1324 932 TT copy for our payment.exe TT copy for our payment.exe PID 932 wrote to memory of 1324 932 TT copy for our payment.exe TT copy for our payment.exe PID 932 wrote to memory of 1324 932 TT copy for our payment.exe TT copy for our payment.exe PID 932 wrote to memory of 1324 932 TT copy for our payment.exe TT copy for our payment.exe PID 932 wrote to memory of 1324 932 TT copy for our payment.exe TT copy for our payment.exe PID 1428 wrote to memory of 340 1428 Explorer.EXE cmmon32.exe PID 1428 wrote to memory of 340 1428 Explorer.EXE cmmon32.exe PID 1428 wrote to memory of 340 1428 Explorer.EXE cmmon32.exe PID 1428 wrote to memory of 340 1428 Explorer.EXE cmmon32.exe PID 340 wrote to memory of 1408 340 cmmon32.exe cmd.exe PID 340 wrote to memory of 1408 340 cmmon32.exe cmd.exe PID 340 wrote to memory of 1408 340 cmmon32.exe cmd.exe PID 340 wrote to memory of 1408 340 cmmon32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TT copy for our payment.exe"C:\Users\Admin\AppData\Local\Temp\TT copy for our payment.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TT copy for our payment.exe"C:\Users\Admin\AppData\Local\Temp\TT copy for our payment.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\TT copy for our payment.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/340-67-0x0000000000000000-mapping.dmp
-
memory/340-72-0x0000000000820000-0x00000000008B3000-memory.dmpFilesize
588KB
-
memory/340-71-0x00000000009B0000-0x0000000000CB3000-memory.dmpFilesize
3.0MB
-
memory/340-70-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/340-69-0x0000000000D10000-0x0000000000D1D000-memory.dmpFilesize
52KB
-
memory/932-56-0x0000000000A20000-0x0000000000A21000-memory.dmpFilesize
4KB
-
memory/932-57-0x0000000000540000-0x0000000000546000-memory.dmpFilesize
24KB
-
memory/932-58-0x0000000004500000-0x0000000004550000-memory.dmpFilesize
320KB
-
memory/932-54-0x0000000000F40000-0x0000000000F41000-memory.dmpFilesize
4KB
-
memory/1324-65-0x0000000000110000-0x0000000000124000-memory.dmpFilesize
80KB
-
memory/1324-64-0x0000000000860000-0x0000000000B63000-memory.dmpFilesize
3.0MB
-
memory/1324-62-0x000000000041F110-mapping.dmp
-
memory/1324-61-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1324-60-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1324-59-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1408-68-0x0000000000000000-mapping.dmp
-
memory/1428-66-0x0000000004140000-0x000000000420F000-memory.dmpFilesize
828KB
-
memory/1428-73-0x0000000006590000-0x0000000006628000-memory.dmpFilesize
608KB