Analysis
  Max time kernel: 152s
  Max time network: 148s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220414-en
  Submitted: 03-05-2022 12:33
  Static task: static1
  Behavioral task: behavioral1 (sample DHL_AWB_NO#907853880911.exe, resource win7-20220414-en)

General
  Target: DHL_AWB_NO#907853880911.exe
  Size: 213KB
  MD5: fb67faae4d6130eb562c38fc510dfeae
  SHA1: 1dde4f5576327e33d629a7ef382c149613f188b2
  SHA256: e0586f6e028448a0dafda2bf958fd9d1d9b63636b29c8a8847e481a3122e71a2
  SHA512: 0aa32ce0ea540febe6bc3387235ec52fd5c7a8b4850f831aae0069acc9ea81455dfc422f61faba693782e6e5c899c0386aba0918f2c435fb43a0ef178c022502
Malware Config (extracted)
  Family: formbook
  Version: 4.1
  Campaign: fw02
  Domains:
payer-breakers.com
thesiscoper.com
rental-villa.com
scovikinnovations.com
hydh33.com
allmyshit.rest
lovejaclyn.com
vanessaruizwriting.com
dufonddelaclasse.com
kiddee168.com
monumentalmarketsllc.com
musclegainfatloss.com
avida.info
cosmo-wellness.net
dandelionfusedigital.com
oversizeloadbanners.com
konstelle.store
sdjnsbd.com
czoqg.xyz
5p6xljjse1lq.xyz
10936.loan
primeiropasso.website
salarydetector.net
the6figureshow.com
ritzluxurytransportation.com
5145.design
web3ido.xyz
starweaverdesigns.com
cbdtz.com
sunwall.xyz
ornitv.com
curateddesignsconsulting.com
businesshairways.biz
willacloud.com
accusecures.com
hl243.com
coffellc.icu
eddrugs2018.com
lidakang.xyz
salesstorecolombia.com
ilina.xyz
partieslikethese.com
peymantasnimi.com
datthocu.xyz
cybertechsolutions.xyz
findy.guru
trybes.space
arulinks.com
yuriookinoart.com
largestjerseysstore.com
fortitude-tech.com
ywfjp.com
b1v097f2avze.xyz
abdullahnazhim.com
zhaoav111.info
cegrowing.com
llaveselmuerto.com
7477e.xyz
chabusinessloans.com
ht-brain.com
app-compound.finance
0085208.com
wewinaccidents.com
ztzfirst.xyz
shishlomarket24.biz
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)  (2 alerts)

Formbook Payload (3 IoCs)
  Processes (resource / yara_rule):
    behavioral2/memory/2072-136-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
    behavioral2/memory/2072-139-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
    behavioral2/memory/3160-145-0x0000000000B70000-0x0000000000B9F000-memory.dmp   formbook
Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    5084   nceystz.exe
    2072   nceystz.exe

Suspicious use of SetThreadContext (3 IoCs)
  Processes (description / pid process -> target process):
    PID 5084 set thread context of 2072   5084 nceystz.exe -> nceystz.exe
    PID 2072 set thread context of 1880   2072 nceystz.exe -> Explorer.EXE
    PID 3160 set thread context of 1880   3160 wscript.exe -> Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (60 IoCs)
  Processes (pid / process):
    2072   nceystz.exe   (4 entries)
    3160   wscript.exe   (56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
    1880   Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid / process):
    2072   nceystz.exe   (3 entries)
    3160   wscript.exe   (2 entries)

Suspicious use of AdjustPrivilegeToken (22 IoCs)
  Processes (token / pid process):
    SeDebugPrivilege            2072 nceystz.exe
    SeDebugPrivilege            3160 wscript.exe
    SeShutdownPrivilege         1880 Explorer.EXE   (10 entries)
    SeCreatePagefilePrivilege   1880 Explorer.EXE   (10 entries)

Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
    1880   Explorer.EXE   (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description / pid process -> target process):
    PID 4392 wrote to memory of 5084   4392 DHL_AWB_NO#907853880911.exe -> nceystz.exe   (3 entries)
    PID 5084 wrote to memory of 2072   5084 nceystz.exe -> nceystz.exe                   (6 entries)
    PID 1880 wrote to memory of 3160   1880 Explorer.EXE -> wscript.exe                  (3 entries)
    PID 3160 wrote to memory of 2480   3160 wscript.exe -> cmd.exe                       (3 entries)
Processes (tree; indentation shows the reported depth)

Depth 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\nceystz.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\nceystz.exe C:\Users\Admin\AppData\Local\Temp\oqkvcyrte
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Local\Temp\nceystz.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\nceystz.exe C:\Users\Admin\AppData\Local\Temp\oqkvcyrte
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\wscript.exe
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\nceystz.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\jc417bh38wtxp
  Filesize: 184KB
  MD5: f099fbc4726b5a8ec66677fbd4d84c97
  SHA1: 8f4cff97664bce30e19596e8a0ab3dd51e84ad12
  SHA256: d01d597fc03bb0e441c5d83bd0298c2ba37185dfbcab182f378ceacbd5f874eb
  SHA512: 7d9b734b9df0e53e26059dc37f0738a5e62e1eef427575796e4f7c71f24b7800abc2c9890fb8a3bde76cc6abf0cdd270312afe3541611a0c31b6f3f669231fdc

C:\Users\Admin\AppData\Local\Temp\nceystz.exe (listed three times with identical hashes)
  Filesize: 3KB
  MD5: 8a6050af69a12ca8a3b820ec718fd7d8
  SHA1: 14270710f3a3c98f5ec41fc3a3b77851114881f0
  SHA256: 86474c7d4e6c80d28cbe983b9a305b4d1c7911a3af84975b1757cc104d0f35f5
  SHA512: 5c7cccc5389983d4aae25d6ee1bcd7d45c34e96818eede4876f5ca1ac2a4c38391ffdff5932670ea800bb023347d9f83b08c6877491348aa6c28f26837f25000

C:\Users\Admin\AppData\Local\Temp\oqkvcyrte
  Filesize: 5KB
  MD5: 944b9f8116d9b2688b69a8f4a8ec6df6
  SHA1: b7aa154fe6c87852123f760e00b1906ea6b9c39e
  SHA256: 370a10405e857c3f44059dd6cbd0e9ebb17302c3c2081fc6de73974ebcecc489
  SHA512: a8c975df92fa0731a2729c9401cd967efc47cf3dec1e050fc117ecd8a310e05737408bd1f135e16f06016488bc4e97653c348b8b03afb22f0e4828f84b9cb0b6

Memory dumps (name / filesize):
  memory/1880-141-0x0000000002F30000-0x000000000302B000-memory.dmp   1004KB
  memory/1880-149-0x00000000086A0000-0x00000000087BB000-memory.dmp   1.1MB
  memory/2072-139-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
  memory/2072-140-0x0000000000A20000-0x0000000000D6A000-memory.dmp   3.3MB
  memory/2072-136-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
  memory/2072-142-0x00000000009E0000-0x00000000009F4000-memory.dmp   80KB
  memory/2072-135-0x0000000000000000-mapping.dmp
  memory/2480-146-0x0000000000000000-mapping.dmp
  memory/3160-143-0x0000000000000000-mapping.dmp
  memory/3160-144-0x00000000005A0000-0x00000000005C7000-memory.dmp   156KB
  memory/3160-145-0x0000000000B70000-0x0000000000B9F000-memory.dmp   188KB
  memory/3160-147-0x0000000002F20000-0x000000000326A000-memory.dmp   3.3MB
  memory/3160-148-0x0000000002D50000-0x0000000002DE3000-memory.dmp   588KB
  memory/5084-130-0x0000000000000000-mapping.dmp