Analysis
- max time kernel: 148s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 04-05-2022 06:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: DHL_AWB_NO#907853880911.exe
- Resource: win7-20220414-en
General
- Target: DHL_AWB_NO#907853880911.exe
- Size: 214KB
- MD5: cb6473d9957727bbd81427834f50a805
- SHA1: f1013f971cf73b3f31cc3e9b26c985101f48a524
- SHA256: 9ff4f71e3878c4aae12440d4f8e6a8fa2af51c60c5375b49f4e0a8d8ffc8c2b2
- SHA512: b6bfd7b90bb9ba1e4e36fedfa95502202e68378a3257de5ee56593a08bd40abfe0e68ec5433d140adec77bc6e1586fc04f78df23e830b0d52fd617dee08c27a5
Malware Config (extracted)
- Family: formbook
- Version: 4.1
- Campaign: fw02
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (4 IoCs)
  YARA rule "formbook" matched in:
  - behavioral1/memory/1112-63-0x0000000000400000-0x000000000042F000-memory.dmp
  - behavioral1/memory/1112-64-0x000000000041F150-mapping.dmp
  - behavioral1/memory/1112-67-0x0000000000400000-0x000000000042F000-memory.dmp
  - behavioral1/memory/1564-74-0x0000000000090000-0x00000000000BF000-memory.dmp
- Executes dropped EXE (2 IoCs)
  - PID 1792 niqxldqr.exe
  - PID 1112 niqxldqr.exe
- Loads dropped DLL (2 IoCs)
  - PID 1864 DHL_AWB_NO#907853880911.exe
  - PID 1792 niqxldqr.exe
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 1792 niqxldqr.exe set thread context of PID 1112 niqxldqr.exe
  - PID 1112 niqxldqr.exe set thread context of PID 1256 Explorer.EXE
  - PID 1564 NETSTAT.EXE set thread context of PID 1256 Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  - PID 1564 NETSTAT.EXE
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  - PID 1112 niqxldqr.exe (2 entries)
  - PID 1564 NETSTAT.EXE (25 entries)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  - PID 1112 niqxldqr.exe (3 entries)
  - PID 1564 NETSTAT.EXE (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 1112 niqxldqr.exe
  - Token: SeDebugPrivilege, PID 1564 NETSTAT.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 1256 Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  - PID 1256 Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory (19 IoCs)
  - PID 1864 DHL_AWB_NO#907853880911.exe wrote to memory of PID 1792 niqxldqr.exe (4 entries)
  - PID 1792 niqxldqr.exe wrote to memory of PID 1112 niqxldqr.exe (7 entries)
  - PID 1256 Explorer.EXE wrote to memory of PID 1564 NETSTAT.EXE (4 entries)
  - PID 1564 NETSTAT.EXE wrote to memory of PID 1484 cmd.exe (4 entries)
Processes
- Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\niqxldqr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\niqxldqr.exe C:\Users\Admin\AppData\Local\Temp\qwmuparjjb
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Users\Admin\AppData\Local\Temp\niqxldqr.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\niqxldqr.exe C:\Users\Admin\AppData\Local\Temp\qwmuparjjb
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\niqxldqr.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\jv6sl5sq4bnx22fi5ox
  Filesize: 184KB
  MD5: 9b1336dabaae1f804ddf1808f1567091
  SHA1: 9f7786bcf569eefc8010af02180fb0a56252f4b0
  SHA256: 8c47843c011156564f51b8cb5ad85d511f7e4f8a7d603c49bda0a6bb9f8e698d
  SHA512: 29d9b78662152b19a62aaaca5f10bdea2e71d4ec46e4ba890bd6c8dbb7e4b88e6dc25cc3c44a2d80fb53192858367a11c19e1fb8e44d9bec378b57e32c223c05
- C:\Users\Admin\AppData\Local\Temp\niqxldqr.exe
  Filesize: 3KB
  MD5: 4d5096cfc008db421ac8bc0ea97475ba
  SHA1: 177487b2d7f073749c0f8e19014523689fe04fc1
  SHA256: b7d02490ef2d490de1982ca29c2d9f8737dc5203c60eabf20273d57dd7c6fb84
  SHA512: ebc9b08510b2a1910ee49d3204dd38e71b54072e67bc2dd7c163647d545280867e6e1de45ea87bd021f283e2198ac652d1718f2af2c19d5a1408f26e4a1bfafd
- C:\Users\Admin\AppData\Local\Temp\qwmuparjjb
  Filesize: 4KB
  MD5: 0026cbf7d2d6b1347887dc373dfa9d68
  SHA1: fcffc36133a96798ede914bdca44105302592001
  SHA256: f5a1620e896bf161a8e83461276ac252619ce8f775815cafd88555a728eae9d2
  SHA512: d825335c7e5d76938d36516c4f4e0f42c4c4bfd98225a508ecd6fafaaed41fda16ca8a7da67b8d2411d2a57c25fef8ca24c1298ae98243598ed8be7e89ab6b3a
- \Users\Admin\AppData\Local\Temp\niqxldqr.exe
  Filesize: 3KB
  MD5: 4d5096cfc008db421ac8bc0ea97475ba
  SHA1: 177487b2d7f073749c0f8e19014523689fe04fc1
  SHA256: b7d02490ef2d490de1982ca29c2d9f8737dc5203c60eabf20273d57dd7c6fb84
  SHA512: ebc9b08510b2a1910ee49d3204dd38e71b54072e67bc2dd7c163647d545280867e6e1de45ea87bd021f283e2198ac652d1718f2af2c19d5a1408f26e4a1bfafd
- memory/1112-68-0x0000000000800000-0x0000000000B03000-memory.dmp
  Filesize: 3.0MB
- memory/1112-69-0x00000000002C0000-0x00000000002D4000-memory.dmp
  Filesize: 80KB
- memory/1112-64-0x000000000041F150-mapping.dmp
- memory/1112-63-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/1112-67-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/1256-70-0x0000000004C30000-0x0000000004CF1000-memory.dmp
  Filesize: 772KB
- memory/1256-77-0x0000000004D00000-0x0000000004E0F000-memory.dmp
  Filesize: 1.1MB
- memory/1484-72-0x0000000000000000-mapping.dmp
- memory/1564-71-0x0000000000000000-mapping.dmp
- memory/1564-73-0x0000000000030000-0x0000000000039000-memory.dmp
  Filesize: 36KB
- memory/1564-74-0x0000000000090000-0x00000000000BF000-memory.dmp
  Filesize: 188KB
- memory/1564-75-0x00000000020B0000-0x00000000023B3000-memory.dmp
  Filesize: 3.0MB
- memory/1564-76-0x0000000001DA0000-0x0000000001E33000-memory.dmp
  Filesize: 588KB
- memory/1792-56-0x0000000000000000-mapping.dmp
- memory/1864-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  Filesize: 8KB