Analysis
max time kernel: 153s
max time network: 176s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 14:08
Static task: static1
Behavioral task: behavioral1
Sample: order.exe
Resource: win7-20220414-en
General
Target: order.exe
Size: 684KB
MD5: 3b946d9c1c8d6586540fd217f44201dd
SHA1: 63c11f8a26e69e5a0f1a19c2115eb8be8f57cb2a
SHA256: 0a06767c6ec2249902ef118e04b2044b9784b544b81a7f5e253ae373fd706ceb
SHA512: 30373763bef2d7eee0c8d8c901a82bb7eaf97bc7bd44c714e06e31fad03dd01b051c3913030b6587e68b960fdd31d4280285002ab53fb54df3806c8c54281184
Malware Config
Extracted
Family: formbook
Version: 4.0
Campaign: w9z
Domains:
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
fisioservice.com
tesla-magnumopus.com
cocodrilodigital.com
pinegrovesg.com
traveladventureswithme.com
hebitaixin.com
golphysi.com
gayjeans.com
quickhire.expert
randomviews1.com
eatatnobu.com
topmabati.com
mediaupside.com
spillerakademi.com
thebowtie.store
sensomaticloadcell.com
turismodemadrid.net
yuhe89.com
wernerkrug.com
cdpogo.net
dannynhois.com
realestatestructureddata.com
matewhereareyou.net
laimeibei.ltd
sw328.com
lmwworks.net
xtremefish.com
tonerias.com
dsooneclinicianexpert.com
281clara.com
smmcommunity.net
dreamneeds.info
twocraft.com
yasasiite.salon
advk8qi.top
drabist.com
europartnersplus.com
saltbgone.com
teslaoceanic.info
bestmedicationstore.com
buynewcartab.live
prospect.money
viebrocks.com
transportationhappy.com
worstig.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1172-63-0x0000000000080000-0x00000000000AD000-memory.dmp | formbook

Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: cmd.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YNE8IXJ0ANY = "C:\\Program Files (x86)\\Cgr5xfr\\taskhostqdfh.exe" | cmd.exe

Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
1980 | cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext 3 IoCs
Processes: order.exe, order.exe, cmd.exe
description | pid | process | target process
PID 900 set thread context of 2020 | 900 | order.exe | order.exe
PID 2020 set thread context of 1300 | 2020 | order.exe | Explorer.EXE
PID 1172 set thread context of 1300 | 1172 | cmd.exe | Explorer.EXE

Drops file in Program Files directory 1 IoCs
Processes: cmd.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Cgr5xfr\taskhostqdfh.exe | cmd.exe

Modifies Internet Explorer settings
Processes: cmd.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmd.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes: order.exe, order.exe, cmd.exe
pid | process | entries
900 | order.exe | 1
2020 | order.exe | 2
1172 | cmd.exe | 25

Suspicious behavior: MapViewOfSection 6 IoCs
Processes: order.exe, order.exe, cmd.exe
pid | process | entries
900 | order.exe | 1
2020 | order.exe | 3
1172 | cmd.exe | 2

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: order.exe, cmd.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 2020 | order.exe
Token: SeDebugPrivilege | 1172 | cmd.exe
Token: SeShutdownPrivilege | 1300 | Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid | process | entries
1300 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
pid | process | entries
1300 | Explorer.EXE | 2

Suspicious use of WriteProcessMemory 12 IoCs
Processes: order.exe, Explorer.EXE, cmd.exe
description | pid | process | target process | entries
PID 900 wrote to memory of 2020 | 900 | order.exe | order.exe | 4
PID 1300 wrote to memory of 1172 | 1300 | Explorer.EXE | cmd.exe | 4
PID 1172 wrote to memory of 1980 | 1172 | cmd.exe | cmd.exe | 4

System policy modification 1 TTPs 1 IoCs
Processes: cmd.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | cmd.exe
Processes

C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\order.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\order.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\order.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\order.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\order.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\O5N16ST5\O5Nlogim.jpeg
Filesize: 71KB
MD5: ea07295b37f07760da5dfcdbaca16c4d
SHA1: 0398800d74eb445c35e7749caeb228816fb528d7
SHA256: 227362957bf064ed9e7b588836f141f151714c981a71145b823f5888086fbeab
SHA512: 61bb714325b87fee69b6a6e99262062cd0816764137542175842d7f910bc8125c565e80e422e00ce5dab62ec84cdd2f5ad7fbb9a86186e61e00f508573c8e78b

C:\Users\Admin\AppData\Roaming\O5N16ST5\O5Nlogri.ini
Filesize: 40B
MD5: d63a82e5d81e02e399090af26db0b9cb
SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\O5N16ST5\O5Nlogrv.ini
Filesize: 40B
MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Memory dumps (path | filesize):
memory/900-56-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB
memory/900-54-0x00000000763E1000-0x00000000763E3000-memory.dmp | 8KB
memory/1172-64-0x0000000002020000-0x0000000002323000-memory.dmp | 3.0MB
memory/1172-60-0x0000000000000000-mapping.dmp | (no size listed)
memory/1172-65-0x00000000006B0000-0x0000000000743000-memory.dmp | 588KB
memory/1172-62-0x000000004A280000-0x000000004A2CC000-memory.dmp | 304KB
memory/1172-63-0x0000000000080000-0x00000000000AD000-memory.dmp | 180KB
memory/1300-66-0x0000000004320000-0x00000000043D3000-memory.dmp | 716KB
memory/1300-59-0x0000000006EE0000-0x000000000705F000-memory.dmp | 1.5MB
memory/1980-61-0x0000000000000000-mapping.dmp | (no size listed)
memory/2020-58-0x0000000000340000-0x0000000000354000-memory.dmp | 80KB
memory/2020-57-0x0000000000910000-0x0000000000C13000-memory.dmp | 3.0MB
memory/2020-55-0x000000000041E2D0-mapping.dmp | (no size listed)