Analysis

max time kernel: 149s
max time network: 130s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 02:25

Static task: static1
Behavioral task: behavioral1
Sample: PURCHASE ORDER NO7654567.exe
Resource: win7-20220414-en
General

Target: PURCHASE ORDER NO7654567.exe
Size: 298KB
MD5: ab99d25b2996150cc085ab8eae483f2d
SHA1: 84f5200e330d6d4be843564d3494056a90da8fad
SHA256: a46eb9ad512b0b9355c24ab2320a1cd25758bc5e90485a476596982d41f9fe56
SHA512: cb328d225b61ce7231579488d29f62e5cef2fb9944abe8b5915fd86a264b76f794cd7bf12e5536a218cfcfcd38fe76e7c7a3dbd1e6fe0300cf33979b84929a0b
Malware Config (extracted)

formbook 4.1
wdm
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)

Formbook Payload (4 IoCs)
  resource / yara_rule:
  behavioral1/memory/1980-60-0x000000000041E2C0-mapping.dmp: formbook
  behavioral1/memory/1980-59-0x0000000000400000-0x000000000042D000-memory.dmp: formbook
  behavioral1/memory/1980-65-0x0000000000400000-0x000000000042D000-memory.dmp: formbook
  behavioral1/memory/320-71-0x00000000000C0000-0x00000000000ED000-memory.dmp: formbook

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (PURCHASE ORDER NO7654567.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (PURCHASE ORDER NO7654567.exe)

Deletes itself (1 IoCs)
  PID 1708 cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (cmmon32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XTZX3TBPDH = "C:\\Program Files (x86)\\Pmrtp8bmx\\configmre004n0.exe" (cmmon32.exe)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (PURCHASE ORDER NO7654567.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (PURCHASE ORDER NO7654567.exe)

Suspicious use of SetThreadContext (4 IoCs)
  PID 1704 PURCHASE ORDER NO7654567.exe set thread context of PID 1980 PURCHASE ORDER NO7654567.exe
  PID 1980 PURCHASE ORDER NO7654567.exe set thread context of PID 1260 Explorer.EXE
  PID 1980 PURCHASE ORDER NO7654567.exe set thread context of PID 1260 Explorer.EXE
  PID 320 cmmon32.exe set thread context of PID 1260 Explorer.EXE

Drops file in Program Files directory (1 IoCs)
  File opened for modification: C:\Program Files (x86)\Pmrtp8bmx\configmre004n0.exe (cmmon32.exe)

Modifies Internet Explorer settings
  Key created: \Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmmon32.exe)

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID 1980 PURCHASE ORDER NO7654567.exe (3 events)
  PID 320 cmmon32.exe (13 events)

Suspicious behavior: MapViewOfSection (8 IoCs)
  PID 1980 PURCHASE ORDER NO7654567.exe (4 events)
  PID 320 cmmon32.exe (4 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1980 PURCHASE ORDER NO7654567.exe
  Token: SeDebugPrivilege, PID 320 cmmon32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1260 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1260 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1704 PURCHASE ORDER NO7654567.exe wrote to memory of PID 1980 PURCHASE ORDER NO7654567.exe (7 events)
  PID 1260 Explorer.EXE wrote to memory of PID 320 cmmon32.exe (4 events)
  PID 320 cmmon32.exe wrote to memory of PID 1708 cmd.exe (4 events)
  PID 320 cmmon32.exe wrote to memory of PID 1628 Firefox.exe (5 events)
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER NO7654567.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER NO7654567.exe"
      - Checks BIOS information in registry
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER NO7654567.exe
        Command line: "{path}"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmmon32.exe
      Command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER NO7654567.exe"
        - Deletes itself

    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

memory/320-68-0x0000000000000000-mapping.dmp
memory/320-73-0x0000000001D50000-0x0000000001DE3000-memory.dmp (588KB)
memory/320-72-0x0000000001E80000-0x0000000002183000-memory.dmp (3.0MB)
memory/320-71-0x00000000000C0000-0x00000000000ED000-memory.dmp (180KB)
memory/320-70-0x00000000008E0000-0x00000000008ED000-memory.dmp (52KB)
memory/1260-64-0x0000000004A30000-0x0000000004B37000-memory.dmp (1.0MB)
memory/1260-67-0x00000000073E0000-0x0000000007551000-memory.dmp (1.4MB)
memory/1260-74-0x0000000004B40000-0x0000000004C49000-memory.dmp (1.0MB)
memory/1704-54-0x00000000755B1000-0x00000000755B3000-memory.dmp (8KB)
memory/1704-55-0x0000000074520000-0x0000000074ACB000-memory.dmp (5.7MB)
memory/1708-69-0x0000000000000000-mapping.dmp
memory/1980-59-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
memory/1980-62-0x0000000000AA0000-0x0000000000DA3000-memory.dmp (3.0MB)
memory/1980-66-0x0000000000260000-0x0000000000274000-memory.dmp (80KB)
memory/1980-60-0x000000000041E2C0-mapping.dmp
memory/1980-56-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
memory/1980-57-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
memory/1980-65-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
memory/1980-63-0x0000000000180000-0x0000000000194000-memory.dmp (80KB)