Analysis
- max time kernel: 148s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-05-2022 12:33

Static task: static1
Behavioral task: behavioral1
Sample: DHL_AWB_NO#907853880911.exe
Resource: win7-20220414-en
General
- Target: DHL_AWB_NO#907853880911.exe
- Size: 213KB
- MD5: 5a835f602ce0e1eea9acc3f6b36819b5
- SHA1: 319e3bca310f93fbe53ff095c26b53a531c45929
- SHA256: 05007c4012529b5d5376909fae3f9c4103f49b3cc5e4342bb1fc790ffeb49cfa
- SHA512: f8c6f18c9191bedc9194211bd809bf45f2f010b9966e7709dc72c2289aba86cadf55ac0abf667863892104291b00f23a2c1cc48e704881c4e8387c7d31ce81f6
Malware Config
- Extracted family: formbook
- Version: 4.1
- Campaign: fw02
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (3 IoCs)
  resource -> yara_rule
  behavioral1/memory/964-63-0x0000000000400000-0x000000000042F000-memory.dmp -> formbook
  behavioral1/memory/964-64-0x000000000041F150-mapping.dmp -> formbook
  behavioral1/memory/1392-74-0x0000000000080000-0x00000000000AF000-memory.dmp -> formbook

Executes dropped EXE (2 IoCs)
  pid 2000 okhrhf.exe
  pid 964 okhrhf.exe

Loads dropped DLL (2 IoCs)
  pid 1684 DHL_AWB_NO#907853880911.exe
  pid 2000 okhrhf.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 2000 okhrhf.exe set thread context of PID 964 okhrhf.exe
  PID 964 okhrhf.exe set thread context of PID 1292 Explorer.EXE
  PID 1392 mstsc.exe set thread context of PID 1292 Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid 964 okhrhf.exe (2 entries)
  pid 1392 mstsc.exe (25 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 964 okhrhf.exe (3 entries)
  pid 1392 mstsc.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 964 okhrhf.exe
  Token: SeDebugPrivilege, pid 1392 mstsc.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1292 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1292 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (19 IoCs)
  PID 1684 DHL_AWB_NO#907853880911.exe wrote to memory of PID 2000 okhrhf.exe (4 entries)
  PID 2000 okhrhf.exe wrote to memory of PID 964 okhrhf.exe (7 entries)
  PID 1292 Explorer.EXE wrote to memory of PID 1392 mstsc.exe (4 entries)
  PID 1392 mstsc.exe wrote to memory of PID 860 cmd.exe (4 entries)
Processes
(process tree; PIDs are those listed in the signature tables above)

C:\Windows\Explorer.EXE (pid 1292)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe (pid 1684)
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\okhrhf.exe (pid 2000)
      command line: C:\Users\Admin\AppData\Local\Temp\okhrhf.exe C:\Users\Admin\AppData\Local\Temp\jccwgv
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\okhrhf.exe (pid 964)
        command line: C:\Users\Admin\AppData\Local\Temp\okhrhf.exe C:\Users\Admin\AppData\Local\Temp\jccwgv
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe (pid 1392)
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (pid 860)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\okhrhf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\j2bi89rpdq6fc
- Filesize: 184KB
- MD5: be1d099a34ee96edbea1398ef57d970a
- SHA1: 846bbb888536838e82c6242d39594d424219a9f7
- SHA256: b261414063bbf5e7227d194f93806aefa14c225f23af092325f7a2b167d7b40c
- SHA512: 1d29942f2d8a0b024c5ac70d6c9a4b9fe12bda6a6c0822bf7aeb84f2ceb7e9bf5d9f243eb548e28af856375e1b328900a3cea5df10f12c05e0fb047866c5b1cf

C:\Users\Admin\AppData\Local\Temp\jccwgv
- Filesize: 5KB
- MD5: 09b05f7fc9cf06ed107fc53bd9ae45d7
- SHA1: d5fc1cff7193b5397ce56901d3242a8ff9e6b6df
- SHA256: 54276a6f214def22332a66d17d859a6263333fee87082b38424cb9212040dc54
- SHA512: dbef04969daea5c8f9d58d40e608c1f0c2d30e6900740e7b9e7b739ca6f26943f54543a43cfc6c6921b4fc311800b5076c940c99345624c7945535abd6cfb755

C:\Users\Admin\AppData\Local\Temp\okhrhf.exe
- Filesize: 3KB
- MD5: 3415ac392ee37434415ee73efe842400
- SHA1: aa56116ffe42dbeef0089562293f673bb8313ff0
- SHA256: 61868f1f4b6aaa4ecf6f5669b4930591d5ba43bdc4bbafd6f65cb1dfd0134bc8
- SHA512: 71041a7dad4729eb473daa464dda9a938a9e21e21f085aafe5b5d9fc09aa04841852e18000408f38284793ab0c0edb3a6eecfc5aaba9231e04196901884338fc
Memory dumps captured during the behavioral task:
- memory/860-72-0x0000000000000000-mapping.dmp
- memory/964-68-0x0000000000310000-0x0000000000324000-memory.dmp (80KB)
- memory/964-63-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/964-64-0x000000000041F150-mapping.dmp
- memory/964-67-0x0000000000890000-0x0000000000B93000-memory.dmp (3.0MB)
- memory/1292-69-0x00000000047B0000-0x0000000004873000-memory.dmp (780KB)
- memory/1292-77-0x0000000004880000-0x000000000495C000-memory.dmp (880KB)
- memory/1392-70-0x0000000000000000-mapping.dmp
- memory/1392-73-0x0000000000850000-0x0000000000954000-memory.dmp (1.0MB)
- memory/1392-74-0x0000000000080000-0x00000000000AF000-memory.dmp (188KB)
- memory/1392-75-0x00000000022C0000-0x00000000025C3000-memory.dmp (3.0MB)
- memory/1392-76-0x0000000000550000-0x00000000005E3000-memory.dmp (588KB)
- memory/1684-54-0x00000000752D1000-0x00000000752D3000-memory.dmp (8KB)
- memory/2000-56-0x0000000000000000-mapping.dmp