Analysis
-
max time kernel: 145s
max time network: 134s
platform: windows7_x64
resource: win7-20220414-en
submitted: 11-05-2022 11:01
Static task: static1
Behavioral task: behavioral1
Sample: DHL_AWB_NO#907853880911.exe
Resource: win7-20220414-en
General
-
Target: DHL_AWB_NO#907853880911.exe
Size: 268KB
MD5: a4fce543204701289e529a5143a417dd
SHA1: e3b2091b4efaf71e5a9ea48c4c0c5764bef0e04c
SHA256: 67df0a89b663af659b5f00979d5ecb52592f81ab32d55ab197963b5cfed28e8e
SHA512: d9c38a3750e0733410735f16061082165f96e1f761aa29957d1b2a4451110fe1bcc26396a5c085bc575919e5fd25102ee9969a0af53926de433b80f6f583de1e
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: fw02
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1496-64-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/1496-65-0x000000000041F150-mapping.dmp | formbook
behavioral1/memory/1496-68-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2008-74-0x00000000000A0000-0x00000000000CF000-memory.dmp | formbook
-
Executes dropped EXE (2 IoCs)
Processes:
pid | process
1100 | gvttgvwc.exe
1496 | gvttgvwc.exe
-
Loads dropped DLL (3 IoCs)
Processes:
pid | process
732 | DHL_AWB_NO#907853880911.exe
732 | DHL_AWB_NO#907853880911.exe
1100 | gvttgvwc.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 1100 set thread context of 1496 | 1100 | gvttgvwc.exe | gvttgvwc.exe
PID 1496 set thread context of 1344 | 1496 | gvttgvwc.exe | Explorer.EXE
PID 2008 set thread context of 1344 | 2008 | wlanext.exe | Explorer.EXE
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes:
pid | process
1496 | gvttgvwc.exe (2 entries)
2008 | wlanext.exe (25 entries)
-
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
pid | process
1496 | gvttgvwc.exe (3 entries)
2008 | wlanext.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1496 | gvttgvwc.exe
Token: SeDebugPrivilege | 2008 | wlanext.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
1344 | Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
pid | process
1344 | Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
description | pid | process | target process
PID 732 wrote to memory of 1100 | 732 | DHL_AWB_NO#907853880911.exe | gvttgvwc.exe (4 entries)
PID 1100 wrote to memory of 1496 | 1100 | gvttgvwc.exe | gvttgvwc.exe (7 entries)
PID 1344 wrote to memory of 2008 | 1344 | Explorer.EXE | wlanext.exe (4 entries)
PID 2008 wrote to memory of 944 | 2008 | wlanext.exe | cmd.exe (4 entries)
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe (level 3)
Command line: C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe C:\Users\Admin\AppData\Local\Temp\bndphz
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe (level 4)
Command line: C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe C:\Users\Admin\AppData\Local\Temp\bndphz
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wlanext.exe (level 2)
Command line: "C:\Windows\SysWOW64\wlanext.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3zjk5bodwmhk
Filesize: 184KB
MD5: e22c1dae93f5eaa74cf061f3317cd8aa
SHA1: cfd436e61a71c36b5cf9556be467d7ae4ed03dd2
SHA256: 8705a86e017ba79fb861cccfb6326f1e1d03652863bedf935d7f5178725e7d1b
SHA512: 38692fa9f000c980bcd736ac6324a62117a97141c8cc67500f0546c3d864ead104341ef935a0ffb5c17628ee5b3c14e8b47ec4c510861c3e5c4d9b70df36d886
-
C:\Users\Admin\AppData\Local\Temp\bndphz
Filesize: 5KB
MD5: 91fad66d3669b29e96d4212b1742266b
SHA1: d6e91d14bfc279a05665df9c3dd54345ca1b03f2
SHA256: f013968269e40e178e31ee48b339fb69b71dae0ea6f9dcf4036f822483b45c2f
SHA512: 2ac0d59f48d55bb05eb88afd079e849821d4c6ac7a671210d0b3aecd0d73c6bcc9964f14a498a54ce429173b74e41859ce265b1ddbf459e98c49d91f457c95fc
-
C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe
Filesize: 74KB
MD5: edfb926367eb32980768270b264fbfc7
SHA1: e51e7deb61ebc6bc8a9f74c9b954ef1b01236f81
SHA256: 234746ef5cb7e35013efdb2935837ccd94cb9d03fdc2d05498efe632c854714f
SHA512: 0ccaa54ee8e3f875900422783e3f92b02c2b81e293765d026b423fe5e6f9aa6fd46796c697ca2001785f1b36348a5c6c1330c86dc59d75867b05db0399a03162
-
memory/732-54-0x0000000076561000-0x0000000076563000-memory.dmp
Filesize: 8KB
-
memory/944-75-0x0000000000000000-mapping.dmp
-
memory/1100-57-0x0000000000000000-mapping.dmp
-
memory/1344-78-0x0000000004120000-0x0000000004208000-memory.dmp
Filesize: 928KB
-
memory/1344-71-0x0000000007000000-0x000000000718C000-memory.dmp
Filesize: 1.5MB
-
memory/1496-69-0x0000000000750000-0x0000000000A53000-memory.dmp
Filesize: 3.0MB
-
memory/1496-70-0x0000000000460000-0x0000000000474000-memory.dmp
Filesize: 80KB
-
memory/1496-68-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1496-65-0x000000000041F150-mapping.dmp
-
memory/1496-64-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/2008-72-0x0000000000000000-mapping.dmp
-
memory/2008-74-0x00000000000A0000-0x00000000000CF000-memory.dmp
Filesize: 188KB
-
memory/2008-73-0x0000000000030000-0x0000000000046000-memory.dmp
Filesize: 88KB
-
memory/2008-76-0x0000000001F30000-0x0000000002233000-memory.dmp
Filesize: 3.0MB
-
memory/2008-77-0x0000000001DA0000-0x0000000001E33000-memory.dmp
Filesize: 588KB