Analysis
max time kernel: 148s
max time network: 140s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 23:53

Static task: static1
Behavioral task: behavioral1
Sample: shipping documents, INV+BL.exe
Resource: win7-20220414-en

General
Target: shipping documents, INV+BL.exe
Size: 430KB
MD5: 528803eb79a155fc433c390a194ae344
SHA1: 3e85abf112dbe5d5cb3b36f82cb5e5aba4f54757
SHA256: 5e1663a897c64460d68fdf6848b63f589680e75f4d935258a7862b9d1ff617b1
SHA512: b3a29219e6287103d6443ef39891d29b9f95cb72c6b39537c576d7f47fcb53a910fc6d9524a8f90fe26fc42674dedf59b3d39859f0636ed578f16f4fc5a3140d
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: otn
C2/decoy domain list (65 entries). A FormBook config carries one real C2 hidden among many decoy domains, and the bot beacons to several of the decoys as well as to the real server. Most of the domains below are therefore unrelated, legitimate sites; treat the list as a hunting aid for the check-in pattern, not as a blocklist, and rely on the Suricata check-in signature below rather than on any single domain.
thewoodwideweb.net
broadconnectionpm.com
tuzlametro.net
vjpqdk.info
vietnamtimetravel.com
notice-close-n217.online
verif22-mail999-pymts76.com
bestgreenhouseplan.com
brangain.top
cukaapelbragg.com
stileincucina.com
veloflambe.com
virtualsupportservicesllc.com
smpl.site
mezo.ltd
incidenciasarty.com
everglamp.com
theflowerfarmplanner.com
oasis-base.net
jnrhsh.com
hostux.info
aptivauto.com
xedinl.info
newfiveflags.com
ottleyco.com
my-debtrelief.com
frantac.com
new-auto-news.com
castironcravings.com
cplusc.studio
firsteditionbooks.net
atraedinero.com
fooddeza.com
mariancolmanart.com
ats-ortho.com
kabolobari.com
otcvollar.com
dliti.com
jidanyun.com
realestatewithdawn.com
idecorados.com
czgy1991.com
moneysavingmissy.com
oderviettrung.com
szzolon.com
candycrushsaga.cloud
jmsortho.com
carebookkeeping.com
milesdavidlee.com
generallasers.com
informaticahostednp.com
paintmywedding.net
opusdentalonline-beta.com
rickramgattie.com
nbgkl.com
pjhsea.info
accuratevinylinc.com
dissedin.com
findmyticket.info
greekobsession.com
trendlong.com
tumarcaesladiferencia.com
noragamst.com
shapupu.com
regulars7.info
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)
-
Formbook Payload 4 IoCs
YARA rule "formbook" matched in these memory dumps (no on-disk file matched; the payload only exists unpacked in memory):
- behavioral1/memory/2016-64-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/2016-65-0x000000000041E2D0-mapping.dmp
- behavioral1/memory/2016-67-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1292-74-0x0000000000080000-0x00000000000AD000-memory.dmp
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
- wlanext.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- wlanext.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XXSDJX6XXZCL = "C:\\Program Files (x86)\\Ppdr\\helpolrx.exe" (backslashes doubled as the sandbox prints them)
Policies\Explorer\Run is processed at logon like the ordinary Run key but is checked far less often by autoruns tooling. The write goes to HKLM and the copy lands under Program Files (x86), so the sample was running with administrative rights in this sandbox; on a standard-user host FormBook falls back to per-user locations.
Deletes itself 1 IoCs
Processes:
- cmd.exe (PID 1892), spawned by wlanext.exe to run "/c del" on the original sample in %TEMP% (see the process tree)
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 852 (shipping documents, INV+BL.exe) set thread context of PID 2016 (shipping documents, INV+BL.exe)
- PID 2016 (shipping documents, INV+BL.exe) set thread context of PID 1428 (Explorer.EXE)
- PID 1292 (wlanext.exe) set thread context of PID 1428 (Explorer.EXE)
Read together with the WriteProcessMemory and MapViewOfSection entries, this is the usual FormBook chain: the loader (852) hollows a suspended copy of itself (2016) with the decrypted payload; that copy injects into Explorer, which then launches a legitimate system binary (wlanext.exe, 1292); the payload migrates into that process, which again injects into Explorer and performs the persistence, stealing and self-deletion below.
Drops file in Program Files directory 1 IoCs
Processes:
- wlanext.exe: File opened for modification C:\Program Files (x86)\Ppdr\helpolrx.exe (the persistence target of the policy Run key above)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" description to this signature; for a FormBook sample it is routine drive enumeration by the stealer and is not evidence of ransomware activity.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- shipping documents, INV+BL.exe (PID 852) ran schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2BD.tmp" (see the process tree; the task definition is the 1KB tmpB2BD.tmp in the dropped files). The literal "&startupname&" in the task name looks like an unsubstituted placeholder from the loader that wraps the payload.

Modifies Internet Explorer settings
Processes:
- wlanext.exe: Key created \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
This heading is listed for wlanext.exe in the process tree but was missing above the key in the extracted page. IntelliForms\Storage2 is where Internet Explorer keeps saved form and password autocomplete data, so the access is credential harvesting rather than a settings change.
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
- PID 852 shipping documents, INV+BL.exe (2)
- PID 2016 shipping documents, INV+BL.exe (2)
- PID 1292 wlanext.exe (16)
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
- PID 2016 shipping documents, INV+BL.exe (3)
- PID 1292 wlanext.exe (4)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 852 shipping documents, INV+BL.exe
- Token: SeDebugPrivilege, PID 2016 shipping documents, INV+BL.exe
- Token: SeDebugPrivilege, PID 1292 wlanext.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 1428 Explorer.EXE (2)
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- PID 1428 Explorer.EXE (2)
Suspicious use of WriteProcessMemory 24 IoCs
Processes (source PID -> target process, number of writes):
- PID 852 shipping documents, INV+BL.exe -> PID 1076 schtasks.exe (4)
- PID 852 shipping documents, INV+BL.exe -> PID 2016 shipping documents, INV+BL.exe (7)
- PID 1428 Explorer.EXE -> PID 1292 wlanext.exe (4)
- PID 1292 wlanext.exe -> PID 1892 cmd.exe (4)
- PID 1292 wlanext.exe -> PID 1500 Firefox.exe (5)
Processes
C:\Windows\Explorer.EXE (PID 1428)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe (PID 852, parent 1428)
        command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe (PID 1076, parent 852)
            command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2BD.tmp"
            - Creates scheduled task(s)

        C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe (PID 2016, parent 852)
            command line: "{path}"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\wlanext.exe (PID 1292, parent 1428)
        command line: "C:\Windows\SysWOW64\wlanext.exe"
        - Adds policy Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1892, parent 1292)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe"
            - Deletes itself

        C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1500, parent 1292)
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Notes on the tree: every child lands in SysWOW64 although the command lines name System32, so the sample and the payload are 32-bit and subject to WoW64 redirection. The second copy of the sample (PID 2016) is started with the literal command line "{path}", another unsubstituted loader placeholder. wlanext.exe is a child of Explorer, not of the sample, which is what the injection into Explorer is for: the payload's own process has a benign parent. Firefox.exe being started by wlanext.exe is consistent with FormBook injecting into browsers to capture form submissions, although the report shows no signature hits inside the Firefox process itself.
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files and memory dumps)

C:\Users\Admin\AppData\Local\Temp\tmpB2BD.tmp (scheduled-task XML passed to schtasks.exe /XML by PID 852)
  Filesize: 1KB
  MD5: d2aa72e1e0a9b7dcb81af5082540153a
  SHA1: 69f84c985fea812daa2fcfd1941a7d60facb4a7e
  SHA256: c7a368be198491672c06e17b5626878b39a06de3bb28c0f028cc3aff46e43d3d
  SHA512: 541bbb3c838c14bfc2c91d1394a99a72f76ad8c3534da1215336ffdc3d63922d456af573ced60d5dff7f9e70fc1f7c8f3cd8ad997374356ecb784695ea312692

C:\Users\Admin\AppData\Roaming\-Q60BA05\-Q6logim.jpeg
  Filesize: 66KB
  MD5: f8ae50510bfc62ce3154f53d4befd195
  SHA1: e150b1d481591d91991174bdb03576b80e8328fc
  SHA256: 557dc42941c3d3b53acb5db7327f17dd6dcbd9358be66c1faf7f680846144ac3
  SHA512: 71279a037f9234044cde6ec8a330f719da31f57bf8c59511d09dd73644d86247348c663ae0368091e3ece2adb058e32f73c193c8f46d4667db95d0e05bc54d16

C:\Users\Admin\AppData\Roaming\-Q60BA05\-Q6logrf.ini
  Filesize: 40B
  MD5: 2f245469795b865bdd1b956c23d7893d
  SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
  SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
  SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

C:\Users\Admin\AppData\Roaming\-Q60BA05\-Q6logri.ini
  Filesize: 40B
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\-Q60BA05\-Q6logrv.ini
  Filesize: 40B
  MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
  SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
  SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
  SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

The %APPDATA%\<random>\<random>log{im.jpeg,rf.ini,ri.ini,rv.ini} layout is FormBook's stash directory: the .jpeg is a screenshot capture and the .ini files are its harvested-data logs. The directory name and file prefix are generated per infection, so hunt on the suffix pattern rather than on "-Q60BA05".

Memory dumps
  memory/852-54-0x0000000000960000-0x00000000009D2000-memory.dmp  456KB
  memory/852-55-0x0000000076781000-0x0000000076783000-memory.dmp  8KB
  memory/852-56-0x0000000000430000-0x000000000043A000-memory.dmp  40KB
  memory/852-57-0x0000000004280000-0x00000000042E4000-memory.dmp  400KB
  memory/852-58-0x00000000002C0000-0x00000000002FE000-memory.dmp  248KB
  memory/1076-59-0x0000000000000000-mapping.dmp
  memory/1292-73-0x0000000000440000-0x0000000000456000-memory.dmp  88KB
  memory/1292-74-0x0000000000080000-0x00000000000AD000-memory.dmp  180KB
  memory/1292-76-0x00000000006F0000-0x0000000000783000-memory.dmp  588KB
  memory/1292-75-0x0000000001FE0000-0x00000000022E3000-memory.dmp  3.0MB
  memory/1292-71-0x0000000000000000-mapping.dmp
  memory/1428-77-0x0000000007CD0000-0x0000000007E4A000-memory.dmp  1.5MB
  memory/1428-68-0x00000000068C0000-0x0000000006A07000-memory.dmp  1.3MB
  memory/1892-72-0x0000000000000000-mapping.dmp
  memory/2016-67-0x0000000000400000-0x000000000042D000-memory.dmp  180KB
  memory/2016-70-0x0000000000190000-0x00000000001A4000-memory.dmp  80KB
  memory/2016-69-0x00000000009E0000-0x0000000000CE3000-memory.dmp  3.0MB
  memory/2016-65-0x000000000041E2D0-mapping.dmp
  memory/2016-64-0x0000000000400000-0x000000000042D000-memory.dmp  180KB
  memory/2016-62-0x0000000000400000-0x000000000042D000-memory.dmp  180KB
  memory/2016-61-0x0000000000400000-0x000000000042D000-memory.dmp  180KB

The 180KB region at 0x400000 in PID 2016 and the 180KB region at 0x80000 in PID 1292 are the same size and are the two dumps the "formbook" YARA rule matched: the unpacked payload in the hollowed sample copy and its relocated copy inside wlanext.exe. Those are the dumps to pull for static analysis and config extraction.
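Hunting the host artefacts this report records (the Policies\Explorer\Run persistence, the %APPDATA% stash files and the Explorer -> system binary -> cmd.exe /c del chain) over Sysmon-style telemetry, as an example added here by the editor. This is not sandbox output and not FormBook code; the event dictionaries, their field names and the two benign noise records are constructed for the example, with PIDs and paths taken from the report above.

```python
"""Hunt for the FormBook host artefacts seen in the report over constructed events."""
import re
from collections import defaultdict

# Policies\Explorer\Run (HKLM here, HKCU on a non-admin host): processed at logon
# like the ordinary Run key but far less often inspected.
POLICY_RUN = re.compile(r"\\Policies\\Explorer\\Run\\[^\\]+$", re.IGNORECASE)

# %APPDATA%\<random>\<random>log{im.jpeg,rf.ini,ri.ini,rv.ini}: the stash directory
# seen in the dropped-files list (-Q60BA05\-Q6log*). Hunt on the suffixes only.
STASH_FILE = re.compile(
    r"\\AppData\\Roaming\\([^\\]+)\\([^\\]+)log(im\.jpeg|rf\.ini|ri\.ini|rv\.ini)$",
    re.IGNORECASE,
)

# cmd.exe /c del "<...>\AppData\Local\Temp\<sample>.exe": the self-delete step.
SELF_DELETE = re.compile(
    r'/c\s+del\s+"?[^"]*\\AppData\\Local\\Temp\\[^"]*\.exe"?', re.IGNORECASE
)

# Constructed events modelled on the report's process tree, plus benign noise.
EVENTS = [
    {"type": "process_create", "pid": 1428, "ppid": 1000,
     "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "process_create", "pid": 852, "ppid": 1428,
     "image": r"C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe"'},
    {"type": "process_create", "pid": 1292, "ppid": 1428,
     "image": r"C:\Windows\SysWOW64\wlanext.exe",
     "cmdline": r'"C:\Windows\SysWOW64\wlanext.exe"'},
    {"type": "process_create", "pid": 1892, "ppid": 1292,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\shipping documents, INV+BL.exe"'},
    {"type": "registry_set", "pid": 1292, "image": r"C:\Windows\SysWOW64\wlanext.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XXSDJX6XXZCL",
     "details": r"C:\Program Files (x86)\Ppdr\helpolrx.exe"},
    {"type": "file_create", "pid": 1292, "image": r"C:\Windows\SysWOW64\wlanext.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\-Q60BA05\-Q6logim.jpeg"},
    {"type": "file_create", "pid": 1292, "image": r"C:\Windows\SysWOW64\wlanext.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\-Q60BA05\-Q6logrv.ini"},
    # Benign noise (constructed): an ordinary Run key and an ordinary AppData write.
    {"type": "registry_set", "pid": 3000,
     "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file_create", "pid": 3100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
]


def policy_run_persistence(events):
    """Registry writes under Policies/Explorer/Run -> [(pid, value_name, command)]."""
    hits = []
    for e in events:
        if e["type"] == "registry_set" and POLICY_RUN.search(e["target"]):
            hits.append((e["pid"], e["target"].rsplit("\\", 1)[1], e["details"]))
    return hits


def stash_files(events):
    """Group FormBook-style log files by (pid, directory) -> sorted list of suffixes."""
    found = defaultdict(set)
    for e in events:
        if e["type"] != "file_create":
            continue
        m = STASH_FILE.search(e["target"])
        if m:
            found[(e["pid"], m.group(1))].add(m.group(3).lower())
    return {k: sorted(v) for k, v in found.items()}


def self_delete_chains(events):
    """explorer.exe -> binary under C:/Windows -> cmd.exe /c del of a Temp .exe.
    Returns [(explorer_pid, utility_pid, cmd_pid)]."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    chains = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\cmd.exe") or not SELF_DELETE.search(e["cmdline"]):
            continue
        parent = procs.get(e["ppid"])
        if not parent or "\\windows\\" not in parent["image"].lower():
            continue
        grand = procs.get(parent["ppid"])
        if grand and grand["image"].lower().endswith("\\explorer.exe"):
            chains.append((grand["pid"], parent["pid"], e["pid"]))
    return chains


def verdict(events):
    """Number of independent FormBook indicators that fired (0 to 3)."""
    checks = (policy_run_persistence(events), stash_files(events), self_delete_chains(events))
    return sum(1 for c in checks if c)


if __name__ == "__main__":
    print("policy Run persistence:", policy_run_persistence(EVENTS))
    print("stash files:", stash_files(EVENTS))
    print("self-delete chains:", self_delete_chains(EVENTS))
    print("indicators fired:", verdict(EVENTS))
```

The three checks are deliberately independent: the persistence key fires only on admin-level infections, the stash files need file-create telemetry for %APPDATA%, and the self-delete chain needs parent and grandparent PIDs, so a real hunt should treat any one of them as worth a look and two or more as a confident hit.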