Analysis
- max time kernel: 161s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10-05-2022 10:54
Static task: static1
Behavioral task: behavioral1
Sample: DHL_AWB_NO#907853880911.exe
Resource: win7-20220414-en
General
- Target: DHL_AWB_NO#907853880911.exe
- Size: 248KB
- MD5: 1b61be2437fb5806334b0bb10e0512e6
- SHA1: ab7d1e8698a07ce9c4dc12f73f9c57e6abd0e618
- SHA256: 5276ea0f67b9003422fa937e91c3af7b805efc0b0b9506bdd2936abb4fdd5a9c
- SHA512: e9b6a474800659b97c00545b36cef0827165f865a9eed75558a555d0d245db111d75c6fb7d1e8392e32a09fe6c29021bbb4665fcb3081bf99e8595872ceea85b
Malware Config
Extracted
formbook
4.1
fw02
payer-breakers.com
thesiscoper.com
rental-villa.com
scovikinnovations.com
hydh33.com
allmyshit.rest
lovejaclyn.com
vanessaruizwriting.com
dufonddelaclasse.com
kiddee168.com
monumentalmarketsllc.com
musclegainfatloss.com
avida.info
cosmo-wellness.net
dandelionfusedigital.com
oversizeloadbanners.com
konstelle.store
sdjnsbd.com
czoqg.xyz
5p6xljjse1lq.xyz
10936.loan
primeiropasso.website
salarydetector.net
the6figureshow.com
ritzluxurytransportation.com
5145.design
web3ido.xyz
starweaverdesigns.com
cbdtz.com
sunwall.xyz
ornitv.com
curateddesignsconsulting.com
businesshairways.biz
willacloud.com
accusecures.com
hl243.com
coffellc.icu
eddrugs2018.com
lidakang.xyz
salesstorecolombia.com
ilina.xyz
partieslikethese.com
peymantasnimi.com
datthocu.xyz
cybertechsolutions.xyz
findy.guru
trybes.space
arulinks.com
yuriookinoart.com
largestjerseysstore.com
fortitude-tech.com
ywfjp.com
b1v097f2avze.xyz
abdullahnazhim.com
zhaoav111.info
cegrowing.com
llaveselmuerto.com
7477e.xyz
chabusinessloans.com
ht-brain.com
app-compound.finance
0085208.com
wewinaccidents.com
ztzfirst.xyz
shishlomarket24.biz
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
Resource                                                                      Yara rule
behavioral2/memory/3596-136-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/3596-139-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/2876-145-0x0000000001370000-0x000000000139F000-memory.dmp  formbook
Executes dropped EXE 2 IoCs
Processes:
PID   Process
3420  alxsiiy.exe
3596  alxsiiy.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
Description                          PID   Process      Target process
PID 3420 set thread context of 3596  3420  alxsiiy.exe  alxsiiy.exe
PID 3596 set thread context of 3172  3596  alxsiiy.exe  Explorer.EXE
PID 2876 set thread context of 3172  2876  cscript.exe  Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
PID   Process      Entries
3596  alxsiiy.exe  4
2876  cscript.exe  56
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PID   Process
3172  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
PID   Process      Entries
3596  alxsiiy.exe  3
2876  cscript.exe  2
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Description              PID   Process
Token: SeDebugPrivilege  3596  alxsiiy.exe
Token: SeDebugPrivilege  2876  cscript.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
Description                       PID   Process                      Target process  Entries
PID 1388 wrote to memory of 3420  1388  DHL_AWB_NO#907853880911.exe  alxsiiy.exe     3
PID 3420 wrote to memory of 3596  3420  alxsiiy.exe                  alxsiiy.exe     6
PID 3172 wrote to memory of 2876  3172  Explorer.EXE                 cscript.exe     3
PID 2876 wrote to memory of 4952  2876  cscript.exe                  cmd.exe         3
Processes
-
C:\Windows\Explorer.EXE  (level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe  (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe  (level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe C:\Users\Admin\AppData\Local\Temp\nbesgph
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe  (level 4)
        command line: C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe C:\Users\Admin\AppData\Local\Temp\nbesgph
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe  (level 2)
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (level 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\6escjpcrke8i6
Filesize: 184KB
MD5: f707e9b9c5039fd55390fbbf657fc778
SHA1: 14757602a1af42adb184a435d87a69f6639a591c
SHA256: c5ed8e9abfd27e99fceb5547ced9a6b941b10100213d6af4228b58d8c75af213
SHA512: 6c5e7b0a60029f28e1540827f449b89279bba44f501c6e0f9f62541e556970e44ac7cf20226cc21c2788f59c45c9e8ff39aab539c1058a019cec4fce8616e24d
-
C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe  (listed 3 times in the report, identical hashes)
Filesize: 78KB
MD5: ec3a3de6e908886ea6b4408f599d7b15
SHA1: 77e52d60e0a4cf1bd9dc87b8bc70f4b9a4f1108d
SHA256: ed10c8c988cf91693a760dec857309a1012cc4b6d0da597b6a7b11b7f6edd408
SHA512: 58dcec90327299bec3df9c0cac130c8ace5451c04970b546fa3bf3f779a37552d932c209f2577dc2d01fa7263e3e6cd3eae035546f144731dc1f27de6ee0b3fd
-
C:\Users\Admin\AppData\Local\Temp\nbesgph
Filesize: 5KB
MD5: 18f6d7ca10e3ffc8c74fb860d7577c7c
SHA1: c283a6c35c2fa3322b2b966996c544294dfa2cee
SHA256: efe035b9d988a5734d64eb1efb40009150ba2998b3869ab63ad2130dc9264698
SHA512: 164527ce6e78518d3c0eb6fb3b24f0f4d3323b5346c268ffd8aeee1f46bcbf78d94e80b25657ff8176b5574d71678761e0c27a161cc593b858905dd5a94f3edc
-
memory/2876-143-0x0000000000000000-mapping.dmp
-
memory/2876-144-0x0000000000480000-0x00000000004A7000-memory.dmp  Filesize: 156KB
-
memory/2876-148-0x00000000032C0000-0x0000000003353000-memory.dmp  Filesize: 588KB
-
memory/2876-147-0x0000000003520000-0x000000000386A000-memory.dmp  Filesize: 3.3MB
-
memory/2876-145-0x0000000001370000-0x000000000139F000-memory.dmp  Filesize: 188KB
-
memory/3172-149-0x0000000002570000-0x0000000002632000-memory.dmp  Filesize: 776KB
-
memory/3172-142-0x0000000007D30000-0x0000000007E33000-memory.dmp  Filesize: 1.0MB
-
memory/3420-130-0x0000000000000000-mapping.dmp
-
memory/3596-140-0x00000000014F0000-0x000000000183A000-memory.dmp  Filesize: 3.3MB
-
memory/3596-141-0x0000000000F70000-0x0000000000F84000-memory.dmp  Filesize: 80KB
-
memory/3596-136-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
-
memory/3596-139-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
-
memory/3596-135-0x0000000000000000-mapping.dmp
-
memory/4952-146-0x0000000000000000-mapping.dmp