Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 08:35
Static task: static1
Behavioral task: behavioral1
Sample: DHL AWB TRACKING DETAILS.exe
Resource: win7-en-20211208
General
- Target: DHL AWB TRACKING DETAILS.exe
- Size: 248KB
- MD5: 4e358b432ba956c13627beee054d68e5
- SHA1: 8791318da047e93f2a16cc6535eba5159228f832
- SHA256: 836696cddebff5d522acb2c105a404ceeb635df69b3c9544b5bebcef13bc3e86
- SHA512: a251f2f3e4fe9b0b44b3537983b406e9eb2d5e22298129ba9548f626c3657410adf23b50d0dd69f4601d7c873056e545ca7be0d808f8f0db3f9a38609b82dcff
Malware Config
Extracted
formbook
4.1
a34b
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Matched resources (resource | yara_rule):
behavioral1/memory/900-57-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/900-62-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/1592-66-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
-
Deletes itself 1 IoCs
Processes (pid | process):
1376 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes (pid | process):
948 | DHL AWB TRACKING DETAILS.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes (description | pid | process | target process):
PID 948 set thread context of 900 | 948 | DHL AWB TRACKING DETAILS.exe | DHL AWB TRACKING DETAILS.exe
PID 900 set thread context of 1400 | 900 | DHL AWB TRACKING DETAILS.exe | Explorer.EXE
PID 900 set thread context of 1400 | 900 | DHL AWB TRACKING DETAILS.exe | Explorer.EXE
PID 1592 set thread context of 1400 | 1592 | netsh.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes (pid | process):
900 | DHL AWB TRACKING DETAILS.exe (3 entries)
1592 | netsh.exe (27 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
1400 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes (pid | process):
900 | DHL AWB TRACKING DETAILS.exe (4 entries)
1592 | netsh.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 900 | DHL AWB TRACKING DETAILS.exe
Token: SeDebugPrivilege | 1592 | netsh.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid | process):
1400 | Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid | process):
1400 | Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes (description | pid | process | target process):
PID 948 wrote to memory of 900 | 948 | DHL AWB TRACKING DETAILS.exe | DHL AWB TRACKING DETAILS.exe (7 entries)
PID 1400 wrote to memory of 1592 | 1400 | Explorer.EXE | netsh.exe (4 entries)
PID 1592 wrote to memory of 1376 | 1592 | netsh.exe | cmd.exe (4 entries)
Processes (tree; number is the depth in the process tree, command line in parentheses)
1. C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE)
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe ("C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe")
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe ("C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe")
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\autoconv.exe ("C:\Windows\SysWOW64\autoconv.exe")
   2. C:\Windows\SysWOW64\netsh.exe ("C:\Windows\SysWOW64\netsh.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (/c del "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe")
         - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nstEF8F.tmp\vzhghptrhu.dll
MD5: d2b96d84df88876d02820ca05c8254e2
SHA1: 66c575874197ace26e2d77c408154891c1c2a464
SHA256: ac4f4fc273432d090b87cc740b2668bb105aea12d35b9f48be82885607172708
SHA512: 123b2255f5598bc7d51872cb2e0cba58367b22ad638df786aaefa4cfddda11a0daec36002559cd9a2bdcd74cc78f903642595e0438fdd82681a938b9cb1b97f1
-
memory/900-62-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
-
memory/900-57-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
-
memory/900-59-0x00000000008E0000-0x0000000000BE3000-memory.dmp (Filesize: 3.0MB)
-
memory/900-60-0x0000000000340000-0x0000000000354000-memory.dmp (Filesize: 80KB)
-
memory/900-63-0x0000000000390000-0x00000000003A4000-memory.dmp (Filesize: 80KB)
-
memory/948-55-0x0000000076B81000-0x0000000076B83000-memory.dmp (Filesize: 8KB)
-
memory/1400-61-0x0000000004D30000-0x0000000004E68000-memory.dmp (Filesize: 1.2MB)
-
memory/1400-64-0x00000000049E0000-0x0000000004B03000-memory.dmp (Filesize: 1.1MB)
-
memory/1400-69-0x0000000006820000-0x000000000690D000-memory.dmp (Filesize: 948KB)
-
memory/1592-65-0x0000000000BD0000-0x0000000000BEB000-memory.dmp (Filesize: 108KB)
-
memory/1592-66-0x0000000000080000-0x00000000000AF000-memory.dmp (Filesize: 188KB)
-
memory/1592-67-0x00000000022C0000-0x00000000025C3000-memory.dmp (Filesize: 3.0MB)
-
memory/1592-68-0x00000000003D0000-0x0000000000463000-memory.dmp (Filesize: 588KB)