Analysis
-
max time kernel: 152s
max time network: 148s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 08:35
Static task: static1
Behavioral task: behavioral1
Sample: DHL AWB TRACKING DETAILS.exe
Resource: win7-en-20211208
General
-
Target: DHL AWB TRACKING DETAILS.exe
Size: 248KB
MD5: 4e358b432ba956c13627beee054d68e5
SHA1: 8791318da047e93f2a16cc6535eba5159228f832
SHA256: 836696cddebff5d522acb2c105a404ceeb635df69b3c9544b5bebcef13bc3e86
SHA512: a251f2f3e4fe9b0b44b3537983b406e9eb2d5e22298129ba9548f626c3657410adf23b50d0dd69f4601d7c873056e545ca7be0d808f8f0db3f9a38609b82dcff
Malware Config
Extracted
formbook
4.1
a34b
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 2 IoCs
Processes:
resource                                                                       yara_rule
behavioral2/memory/2840-120-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral2/memory/424-126-0x0000000003280000-0x00000000032AF000-memory.dmp    formbook
-
Loads dropped DLL 1 IoCs
Processes:
pid    process
2504   DHL AWB TRACKING DETAILS.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                           pid    process                        target process
PID 2504 set thread context of 2840   2504   DHL AWB TRACKING DETAILS.exe   DHL AWB TRACKING DETAILS.exe
PID 2840 set thread context of 2892   2840   DHL AWB TRACKING DETAILS.exe   Explorer.EXE
PID 424 set thread context of 2892    424    NETSTAT.EXE                    Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid    process
424    NETSTAT.EXE
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid    process                        entries
2840   DHL AWB TRACKING DETAILS.exe   4
424    NETSTAT.EXE                    56
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
2892   Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid    process                        entries
2840   DHL AWB TRACKING DETAILS.exe   3
424    NETSTAT.EXE                    2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   2840   DHL AWB TRACKING DETAILS.exe
Token: SeDebugPrivilege   424    NETSTAT.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid    process                        target process                 entries
PID 2504 wrote to memory of 2840   2504   DHL AWB TRACKING DETAILS.exe   DHL AWB TRACKING DETAILS.exe   6
PID 2892 wrote to memory of 424    2892   Explorer.EXE                   NETSTAT.EXE                    3
PID 424 wrote to memory of 3376    424    NETSTAT.EXE                    cmd.exe                        3
Processes
-
[depth 1] C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe
command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe
command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
[depth 2] C:\Windows\SysWOW64\NETSTAT.EXE
command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe"
Downloads
-
\Users\Admin\AppData\Local\Temp\nsfAB27.tmp\vzhghptrhu.dll
MD5: d2b96d84df88876d02820ca05c8254e2
SHA1: 66c575874197ace26e2d77c408154891c1c2a464
SHA256: ac4f4fc273432d090b87cc740b2668bb105aea12d35b9f48be82885607172708
SHA512: 123b2255f5598bc7d51872cb2e0cba58367b22ad638df786aaefa4cfddda11a0daec36002559cd9a2bdcd74cc78f903642595e0438fdd82681a938b9cb1b97f1
-
memory/424-125-0x0000000000150000-0x000000000015B000-memory.dmp
Filesize: 44KB
-
memory/424-126-0x0000000003280000-0x00000000032AF000-memory.dmp
Filesize: 188KB
-
memory/424-127-0x0000000003430000-0x0000000003750000-memory.dmp
Filesize: 3.1MB
-
memory/424-128-0x00000000037F0000-0x0000000003883000-memory.dmp
Filesize: 588KB
-
memory/2504-119-0x0000000000660000-0x0000000000662000-memory.dmp
Filesize: 8KB
-
memory/2840-120-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/2840-122-0x0000000000A40000-0x0000000000D60000-memory.dmp
Filesize: 3.1MB
-
memory/2840-123-0x0000000000480000-0x000000000052E000-memory.dmp
Filesize: 696KB
-
memory/2892-124-0x0000000005430000-0x0000000005575000-memory.dmp
Filesize: 1.3MB
-
memory/2892-129-0x0000000005580000-0x0000000005707000-memory.dmp
Filesize: 1.5MB