Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 11-05-2022 11:01
Static task: static1
Behavioral task: behavioral1
Sample: DHL_AWB_NO#907853880911.exe
Resource: win7-20220414-en
General
- Target: DHL_AWB_NO#907853880911.exe
- Size: 268KB
- MD5: a4fce543204701289e529a5143a417dd
- SHA1: e3b2091b4efaf71e5a9ea48c4c0c5764bef0e04c
- SHA256: 67df0a89b663af659b5f00979d5ecb52592f81ab32d55ab197963b5cfed28e8e
- SHA512: d9c38a3750e0733410735f16061082165f96e1f761aa29957d1b2a4451110fe1bcc26396a5c085bc575919e5fd25102ee9969a0af53926de433b80f6f583de1e
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign ID: fw02
- C2 domain list (a Formbook config mixes decoy domains with the live C2; treat the list as candidates to correlate against the Suricata check-in alerts, not as confirmed C2 hosts):
payer-breakers.com
thesiscoper.com
rental-villa.com
scovikinnovations.com
hydh33.com
allmyshit.rest
lovejaclyn.com
vanessaruizwriting.com
dufonddelaclasse.com
kiddee168.com
monumentalmarketsllc.com
musclegainfatloss.com
avida.info
cosmo-wellness.net
dandelionfusedigital.com
oversizeloadbanners.com
konstelle.store
sdjnsbd.com
czoqg.xyz
5p6xljjse1lq.xyz
10936.loan
primeiropasso.website
salarydetector.net
the6figureshow.com
ritzluxurytransportation.com
5145.design
web3ido.xyz
starweaverdesigns.com
cbdtz.com
sunwall.xyz
ornitv.com
curateddesignsconsulting.com
businesshairways.biz
willacloud.com
accusecures.com
hl243.com
coffellc.icu
eddrugs2018.com
lidakang.xyz
salesstorecolombia.com
ilina.xyz
partieslikethese.com
peymantasnimi.com
datthocu.xyz
cybertechsolutions.xyz
findy.guru
trybes.space
arulinks.com
yuriookinoart.com
largestjerseysstore.com
fortitude-tech.com
ywfjp.com
b1v097f2avze.xyz
abdullahnazhim.com
zhaoav111.info
cegrowing.com
llaveselmuerto.com
7477e.xyz
chabusinessloans.com
ht-brain.com
app-compound.finance
0085208.com
wewinaccidents.com
ztzfirst.xyz
shishlomarket24.biz
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload 2 IoCs
  resource | yara_rule
  behavioral2/memory/1432-136-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/1724-145-0x0000000000C00000-0x0000000000C2F000-memory.dmp | formbook
- Blocklisted process makes network request 1 IoCs
  Processes: rundll32.exe
  flow | pid | process
  67 | 1724 | rundll32.exe
- Executes dropped EXE 2 IoCs
  Processes: gvttgvwc.exe, gvttgvwc.exe
  pid | process
  1920 | gvttgvwc.exe
  1432 | gvttgvwc.exe
- Suspicious use of SetThreadContext 3 IoCs
  Processes: gvttgvwc.exe, gvttgvwc.exe, rundll32.exe
  description | pid | process | target process
  PID 1920 set thread context of 1432 | 1920 | gvttgvwc.exe | gvttgvwc.exe
  PID 1432 set thread context of 2284 | 1432 | gvttgvwc.exe | Explorer.EXE
  PID 1724 set thread context of 2284 | 1724 | rundll32.exe | Explorer.EXE
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses 58 IoCs
  Processes: gvttgvwc.exe, rundll32.exe
  pid | process
  1432 | gvttgvwc.exe (4 entries)
  1724 | rundll32.exe (remaining 54 entries)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes: Explorer.EXE
  pid | process
  2284 | Explorer.EXE
- Suspicious behavior: MapViewOfSection 5 IoCs
  Processes: gvttgvwc.exe, rundll32.exe
  pid | process
  1432 | gvttgvwc.exe (3 entries)
  1724 | rundll32.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes: gvttgvwc.exe, rundll32.exe
  description | pid | process
  Token: SeDebugPrivilege | 1432 | gvttgvwc.exe
  Token: SeDebugPrivilege | 1724 | rundll32.exe
- Suspicious use of WriteProcessMemory 15 IoCs
  Processes: DHL_AWB_NO#907853880911.exe, gvttgvwc.exe, Explorer.EXE, rundll32.exe
  description | pid | process | target process
  PID 4964 wrote to memory of 1920 | 4964 | DHL_AWB_NO#907853880911.exe | gvttgvwc.exe (3 entries)
  PID 1920 wrote to memory of 1432 | 1920 | gvttgvwc.exe | gvttgvwc.exe (6 entries)
  PID 2284 wrote to memory of 1724 | 2284 | Explorer.EXE | rundll32.exe (3 entries)
  PID 1724 wrote to memory of 3584 | 1724 | rundll32.exe | cmd.exe (3 entries)
Processes
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe
         command line: C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe C:\Users\Admin\AppData\Local\Temp\bndphz
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe
            command line: C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe C:\Users\Admin\AppData\Local\Temp\bndphz
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\SysWOW64\rundll32.exe"
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3zjk5bodwmhk
  Filesize: 184KB
  MD5: e22c1dae93f5eaa74cf061f3317cd8aa
  SHA1: cfd436e61a71c36b5cf9556be467d7ae4ed03dd2
  SHA256: 8705a86e017ba79fb861cccfb6326f1e1d03652863bedf935d7f5178725e7d1b
  SHA512: 38692fa9f000c980bcd736ac6324a62117a97141c8cc67500f0546c3d864ead104341ef935a0ffb5c17628ee5b3c14e8b47ec4c510861c3e5c4d9b70df36d886
- C:\Users\Admin\AppData\Local\Temp\bndphz
  Filesize: 5KB
  MD5: 91fad66d3669b29e96d4212b1742266b
  SHA1: d6e91d14bfc279a05665df9c3dd54345ca1b03f2
  SHA256: f013968269e40e178e31ee48b339fb69b71dae0ea6f9dcf4036f822483b45c2f
  SHA512: 2ac0d59f48d55bb05eb88afd079e849821d4c6ac7a671210d0b3aecd0d73c6bcc9964f14a498a54ce429173b74e41859ce265b1ddbf459e98c49d91f457c95fc
- C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe
  Filesize: 74KB
  MD5: edfb926367eb32980768270b264fbfc7
  SHA1: e51e7deb61ebc6bc8a9f74c9b954ef1b01236f81
  SHA256: 234746ef5cb7e35013efdb2935837ccd94cb9d03fdc2d05498efe632c854714f
  SHA512: 0ccaa54ee8e3f875900422783e3f92b02c2b81e293765d026b423fe5e6f9aa6fd46796c697ca2001785f1b36348a5c6c1330c86dc59d75867b05db0399a03162
- memory/1432-139-0x0000000000A20000-0x0000000000D6A000-memory.dmp (Filesize: 3.3MB)
- memory/1432-136-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1432-135-0x0000000000000000-mapping.dmp
- memory/1432-140-0x00000000009F0000-0x0000000000A04000-memory.dmp (Filesize: 80KB)
- memory/1724-142-0x0000000000000000-mapping.dmp
- memory/1724-144-0x0000000000870000-0x0000000000884000-memory.dmp (Filesize: 80KB)
- memory/1724-145-0x0000000000C00000-0x0000000000C2F000-memory.dmp (Filesize: 188KB)
- memory/1724-146-0x0000000002A50000-0x0000000002D9A000-memory.dmp (Filesize: 3.3MB)
- memory/1724-147-0x00000000028C0000-0x0000000002953000-memory.dmp (Filesize: 588KB)
- memory/1920-130-0x0000000000000000-mapping.dmp
- memory/2284-141-0x0000000007DC0000-0x0000000007EF1000-memory.dmp (Filesize: 1.2MB)
- memory/2284-148-0x0000000008310000-0x0000000008472000-memory.dmp (Filesize: 1.4MB)
- memory/3584-143-0x0000000000000000-mapping.dmp