Analysis
- max time kernel: 146s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 13:34

Static task: static1
Behavioral task: behavioral1
- Sample: order SEC.exe
- Resource: win7-20220414-en

General
- Target: order SEC.exe
- Size: 303KB
- MD5: d0b89f322dfa77b6a13aabf7f7984f87
- SHA1: 81d40efb20f6dbfdb8e14a87c57d26b5dc9217d9
- SHA256: 228e2e5ff30fec5cdde918f48e98664d9bf1f77f550666baa21208ca9b047af4
- SHA512: ee98f698267f78abe777276a6853f17499098f9de546ee87ccd4eafd1bc361a0340625a0a9defb11380396297f5fb3200fba14822571618574e127403a88930e
Malware Config
Extracted
- Family: formbook
- Version: 4.0
- Campaign: g8u
Signatures
-
Formbook Payload 3 IoCs
Processes:
- resource: behavioral1/memory/552-54-0x0000000001310000-0x0000000001360000-memory.dmp; yara_rule: formbook
- resource: behavioral1/memory/552-55-0x0000000001310000-0x0000000001360000-memory.dmp; yara_rule: formbook
- resource: behavioral1/memory/1760-62-0x00000000000C0000-0x00000000000ED000-memory.dmp; yara_rule: formbook
Deletes itself 1 IoCs
Processes:
- pid 908, process cmd.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 552 set thread context of 1252 (pid 552, process order SEC.exe, target process Explorer.EXE)
- PID 1760 set thread context of 1252 (pid 1760, process chkdsk.exe, target process Explorer.EXE)
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process chkdsk.exe)
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
- pid 552, process order SEC.exe (2 events)
- pid 1760, process chkdsk.exe (21 events)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- pid 552, process order SEC.exe (3 events)
- pid 1760, process chkdsk.exe (2 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege (pid 552, process order SEC.exe)
- Token: SeDebugPrivilege (pid 1760, process chkdsk.exe)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- pid 1252, process Explorer.EXE (2 events)
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- pid 1252, process Explorer.EXE (2 events)
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 1252 wrote to memory of 1760 (pid 1252, process Explorer.EXE, target process chkdsk.exe) (4 events)
- PID 1760 wrote to memory of 908 (pid 1760, process chkdsk.exe, target process cmd.exe) (4 events)
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\order SEC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\order SEC.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\order SEC.exe"
      - Deletes itself
Downloads
- memory/552-54-0x0000000001310000-0x0000000001360000-memory.dmp (320KB)
- memory/552-55-0x0000000001310000-0x0000000001360000-memory.dmp (320KB)
- memory/552-56-0x0000000000DA0000-0x00000000010A3000-memory.dmp (3.0MB)
- memory/552-57-0x00000000001B0000-0x00000000001C4000-memory.dmp (80KB)
- memory/908-60-0x0000000000000000-mapping.dmp
- memory/1252-58-0x0000000005F90000-0x00000000060B3000-memory.dmp (1.1MB)
- memory/1252-65-0x00000000061E0000-0x000000000635D000-memory.dmp (1.5MB)
- memory/1760-59-0x0000000000000000-mapping.dmp
- memory/1760-61-0x0000000000430000-0x0000000000437000-memory.dmp (28KB)
- memory/1760-62-0x00000000000C0000-0x00000000000ED000-memory.dmp (180KB)
- memory/1760-63-0x0000000001FF0000-0x00000000022F3000-memory.dmp (3.0MB)
- memory/1760-64-0x0000000001E00000-0x0000000001E93000-memory.dmp (588KB)