Analysis
- Max time kernel: 157s
- Max time network: 153s
- Platform: windows10_x64
- Resource: win10-en-20211208
- Submitted: 26-01-2022 13:27

Static task: static1
Behavioral task: behavioral1
Sample: ORDER_26.exe
Resource: win7-en-20211208

General
- Target: ORDER_26.exe
- Size: 1007KB
- MD5: 2a7891d958327a9c60b079ee3d487fd8
- SHA1: fd828cc4ac3c2e8dd0319b146c0886677543c5d3
- SHA256: 0fcca302c4bcf8f490650685b46d1ea92edcb126aaf959c4b8ad0897511ee7d5
- SHA512: 945e51519051fa89023cf74e3935ae1a2ab98d5f758529908829e7b604c9cff56dd38af4446558d97fa8f918601e19e5c9ddb736578969768ae69966f163290f
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: je16
- Domains:
antonavt.com
sdfvlog.xyz
xn--arbetslivsaktren-ywb.com
propelcolor.com
uniqueclsssiccars.com
colorbells.com
synjive.com
cloudymellows.com
walltage.com
qterps.com
kezorup.online
soakedindelight.online
thefirstgroupscam.biz
miclanka.com
mwm-security.com
trinksaifenradiodocumentary.com
spineklinik.com
javacodecafe.com
groovyrelease-toknowtoday.info
ventadesillasymesas.com
metaheaven.global
supershhhbros.com
tradecardsbtz.com
parcel-alert-redelivery.com
manoncollinet.com
yfsallegiance.com
my12127.com
connectedmk.com
m7ssucx.xyz
chefjeffrecipes.com
tgogziae.com
xu7d7mfh6fht.xyz
cdamanagementservices.com
tampanazareno.com
albanybestbuyers.com
cowboychannellpus.com
dreamyhousewife.com
wu8jvohkp12w.xyz
mohaisen.xyz
s-h-a-h.com
hainanmizhi.xyz
hypedrize.com
77hub.cloud
phxpowdercoating.com
vozeestore.com
infostate.store
woshinidie1990.com
riskfreeenergy.com
southernfreelancersph.com
smithstores.net
cryptopal.xyz
xk8abxci6ogf.xyz
explainersadvids.team
ponpesihsaniyah.com
szabossteakandseafood.com
willtuckfinancial.com
unitedwii.com
thenftlotterys.com
599qu.com
threegalasdesigns.com
bedplot.xyz
liquidministry.store
amazingfactsabouteverything.com
wofdex.com
wakilin.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3500-123-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/3500-126-0x0000000000EA0000-0x00000000011C2000-memory.dmp | formbook
behavioral2/memory/380-129-0x0000000000980000-0x00000000009AF000-memory.dmp | formbook
Suspicious use of SetThreadContext 3 IoCs
Processes: ORDER_26.exe, ORDER_26.exe, wscript.exe
description | pid | process | target process
PID 2604 set thread context of 3500 | 2604 | ORDER_26.exe | ORDER_26.exe
PID 3500 set thread context of 2364 | 3500 | ORDER_26.exe | Explorer.EXE
PID 380 set thread context of 2364 | 380 | wscript.exe | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes: ORDER_26.exe, ORDER_26.exe, wscript.exe
pid | process | occurrences
2604 | ORDER_26.exe | 4
3500 | ORDER_26.exe | 4
380 | wscript.exe | 32
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2364 | Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: ORDER_26.exe, wscript.exe
pid | process | occurrences
3500 | ORDER_26.exe | 3
380 | wscript.exe | 2
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: ORDER_26.exe, ORDER_26.exe, wscript.exe
description | pid | process
Token: SeDebugPrivilege | 2604 | ORDER_26.exe
Token: SeDebugPrivilege | 3500 | ORDER_26.exe
Token: SeDebugPrivilege | 380 | wscript.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes: ORDER_26.exe, Explorer.EXE, wscript.exe
description | pid | process | target process | occurrences
PID 2604 wrote to memory of 1500 | 2604 | ORDER_26.exe | ORDER_26.exe | 3
PID 2604 wrote to memory of 1328 | 2604 | ORDER_26.exe | ORDER_26.exe | 3
PID 2604 wrote to memory of 3500 | 2604 | ORDER_26.exe | ORDER_26.exe | 6
PID 2364 wrote to memory of 380 | 2364 | Explorer.EXE | wscript.exe | 3
PID 380 wrote to memory of 1144 | 380 | wscript.exe | cmd.exe | 3
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
      3. C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
      3. C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\wscript.exe
      Command line: "C:\Windows\SysWOW64\wscript.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
Downloads
Memory dump | Filesize
memory/380-131-0x0000000004480000-0x0000000004614000-memory.dmp | 1.6MB
memory/380-130-0x0000000004620000-0x0000000004940000-memory.dmp | 3.1MB
memory/380-128-0x0000000000AA0000-0x0000000000AC7000-memory.dmp | 156KB
memory/380-129-0x0000000000980000-0x00000000009AF000-memory.dmp | 188KB
memory/2364-127-0x00000000056E0000-0x00000000057EC000-memory.dmp | 1.0MB
memory/2364-132-0x0000000000E50000-0x0000000000EF3000-memory.dmp | 652KB
memory/2604-119-0x0000000004DC0000-0x0000000004DCA000-memory.dmp | 40KB
memory/2604-122-0x00000000077C0000-0x000000000782A000-memory.dmp | 424KB
memory/2604-121-0x0000000007720000-0x00000000077BC000-memory.dmp | 624KB
memory/2604-120-0x0000000004FF0000-0x0000000004FFC000-memory.dmp | 48KB
memory/2604-115-0x0000000000470000-0x0000000000572000-memory.dmp | 1.0MB
memory/2604-118-0x0000000004DB0000-0x00000000052AE000-memory.dmp | 5.0MB
memory/2604-117-0x0000000004E50000-0x0000000004EE2000-memory.dmp | 584KB
memory/2604-116-0x00000000052B0000-0x00000000057AE000-memory.dmp | 5.0MB
memory/3500-123-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/3500-125-0x00000000011D0000-0x00000000014F0000-memory.dmp | 3.1MB
memory/3500-126-0x0000000000EA0000-0x00000000011C2000-memory.dmp | 3.1MB