Analysis

max time kernel: 148s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 14-03-2022 09:02
Static task: static1
Behavioral task: behavioral1
Sample: Payment_Advice.exe
Resource: win7-20220310-en

General

Target: Payment_Advice.exe
Size: 347KB
MD5: 7743639ddcae00f91ce46f21bf73a9a8
SHA1: 1daa2f866b0abf7cd48d43011562938ae6543b95
SHA256: b011f06c7ab6d49b0dd9285e1e2d9dee21efae17f6be4281ec7a6a26e2bed812
SHA512: 8651283009598240de0e870e7d22ad0e9cec2f64a57b04ff094dece68a8cda917289c5985011c26ae91450a7e4e585989420d661f96f8a13105e3c95c2f93714
Malware Config (extracted)

Family: formbook
Version: 4.1
Campaign: oh75
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4668-134-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/5064-144-0x0000000000F20000-0x0000000000F4F000-memory.dmp | formbook

Executes dropped EXE (2 IoCs)
pid | process
3716 | ndwtcegu.exe
4668 | ndwtcegu.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 3716 set thread context of 4668 | 3716 | ndwtcegu.exe | ndwtcegu.exe
PID 4668 set thread context of 2920 | 4668 | ndwtcegu.exe | Explorer.EXE
PID 5064 set thread context of 2920 | 5064 | raserver.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid | process
4668 | ndwtcegu.exe (4 entries)
5064 | raserver.exe (56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
2920 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process
4668 | ndwtcegu.exe (3 entries)
5064 | raserver.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4668 | ndwtcegu.exe
Token: SeDebugPrivilege | 5064 | raserver.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | process | target process
PID 2792 wrote to memory of 3716 | 2792 | Payment_Advice.exe | ndwtcegu.exe (3 entries)
PID 3716 wrote to memory of 4668 | 3716 | ndwtcegu.exe | ndwtcegu.exe (6 entries)
PID 2920 wrote to memory of 5064 | 2920 | Explorer.EXE | raserver.exe (3 entries)
PID 5064 wrote to memory of 552 | 5064 | raserver.exe | cmd.exe (3 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe
      command line: C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe C:\Users\Admin\AppData\Local\Temp\jmwabcbx
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe
        command line: C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe C:\Users\Admin\AppData\Local\Temp\jmwabcbx
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\raserver.exe
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\6veiai77a5
MD5: c9037e076486dd830a5991b26e863a6c
SHA1: 614addbb9e6080ff98ffa4cf044817ff4efe1c55
SHA256: 90a660a915fc7fdc772206d8e5a6ff2837cd58923497f2314826f1fdf1ee7b93
SHA512: fcecfc62bb5e7939f87febf08196cce1edf2ec18986263f2290f2acfdd1f9dddaf682c35eb6735ab9af961832964a3231fb3bf357f7bf05a4589be75dad4c8eb

C:\Users\Admin\AppData\Local\Temp\jmwabcbx
MD5: 4ed244db6765b1087ab8418518adfa5f
SHA1: 0096a7e1107ed124324e36752403c63ce9d79c0b
SHA256: 05504ec086be56151f3808e61c5845c8f28b031c9a992772842ea6fb62fb13e9
SHA512: 95568124d08cec2601fdee1b343e351ad07721f9626c426cc67060559db6959fb2afe158bf28b874b8605f457a65c0c29a339cd77b901820008e62a37701eb1f

C:\Users\Admin\AppData\Local\Temp\ndwtcegu.exe
MD5: c25603e52a6dbefa8f29394cdcfe8f0c
SHA1: 64561c78eded3f3ef183b36b966fdaefc02d81a0
SHA256: 656e1e9f05e4642314277019eb68dc3be47fb02d6017673537b7067623315202
SHA512: dcc0668345d9eba1d8a699c7c3e26e2487bf0658e92968d8fafcdadfcd17e893fc51cb3586e9f061c70260d30fe293b8bcc4ac2d27a755bbd052faf9134585ac

memory/2920-146-0x00000000078F0000-0x00000000079C1000-memory.dmp, filesize 836KB
memory/2920-141-0x0000000007F30000-0x000000000807C000-memory.dmp, filesize 1.3MB
memory/3716-136-0x0000000000810000-0x0000000000814000-memory.dmp, filesize 16KB
memory/4668-138-0x0000000001820000-0x0000000001B6A000-memory.dmp, filesize 3.3MB
memory/4668-140-0x00000000014B0000-0x00000000014C4000-memory.dmp, filesize 80KB
memory/4668-139-0x000000000041F000-0x0000000000420000-memory.dmp, filesize 4KB
memory/4668-134-0x0000000000400000-0x000000000042F000-memory.dmp, filesize 188KB
memory/5064-142-0x0000000000560000-0x000000000057F000-memory.dmp, filesize 124KB
memory/5064-143-0x0000000002FC0000-0x000000000330A000-memory.dmp, filesize 3.3MB
memory/5064-144-0x0000000000F20000-0x0000000000F4F000-memory.dmp, filesize 188KB
memory/5064-145-0x0000000002E30000-0x0000000002EC3000-memory.dmp, filesize 588KB