Analysis
max time kernel: 152s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 02:25
Static task: static1
Behavioral task: behavioral1
Sample: PURCHASE ORDER NO7654567.exe
Resource: win7-20220414-en
General
Target: PURCHASE ORDER NO7654567.exe
Size: 298KB
MD5: ab99d25b2996150cc085ab8eae483f2d
SHA1: 84f5200e330d6d4be843564d3494056a90da8fad
SHA256: a46eb9ad512b0b9355c24ab2320a1cd25758bc5e90485a476596982d41f9fe56
SHA512: cb328d225b61ce7231579488d29f62e5cef2fb9944abe8b5915fd86a264b76f794cd7bf12e5536a218cfcfcd38fe76e7c7a3dbd1e6fe0300cf33979b84929a0b
Malware Config
Extracted
formbook
4.1
wdm
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/756-132-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
behavioral2/memory/756-134-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
behavioral2/memory/4324-140-0x0000000000450000-0x000000000047D000-memory.dmp | formbook
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: systray.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | systray.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WPXHOR5H_BCL = "C:\\Program Files (x86)\\Hjnuhg\\3fr0rrnj.exe" | systray.exe
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: PURCHASE ORDER NO7654567.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | PURCHASE ORDER NO7654567.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | PURCHASE ORDER NO7654567.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: PURCHASE ORDER NO7654567.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | PURCHASE ORDER NO7654567.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | PURCHASE ORDER NO7654567.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: PURCHASE ORDER NO7654567.exe, systray.exe
description | pid | process | target process
PID 1256 set thread context of 756 | 1256 | PURCHASE ORDER NO7654567.exe | PURCHASE ORDER NO7654567.exe
PID 756 set thread context of 1052 | 756 | PURCHASE ORDER NO7654567.exe | Explorer.EXE
PID 4324 set thread context of 1052 | 4324 | systray.exe | Explorer.EXE
-
Drops file in Program Files directory 1 IoCs
Processes: systray.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Hjnuhg\3fr0rrnj.exe | systray.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes: systray.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: PURCHASE ORDER NO7654567.exe, systray.exe
pid | process
756 | PURCHASE ORDER NO7654567.exe (4 entries)
4324 | systray.exe (20 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
1052 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: PURCHASE ORDER NO7654567.exe, systray.exe
pid | process
756 | PURCHASE ORDER NO7654567.exe (3 entries)
4324 | systray.exe (3 entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: PURCHASE ORDER NO7654567.exe, systray.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 756 | PURCHASE ORDER NO7654567.exe
Token: SeDebugPrivilege | 4324 | systray.exe
Token: SeShutdownPrivilege | 1052 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 1052 | Explorer.EXE
Token: SeShutdownPrivilege | 1052 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 1052 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: PURCHASE ORDER NO7654567.exe, Explorer.EXE, systray.exe
description | pid | process | target process
PID 1256 wrote to memory of 756 | 1256 | PURCHASE ORDER NO7654567.exe | PURCHASE ORDER NO7654567.exe (6 entries)
PID 1052 wrote to memory of 4324 | 1052 | Explorer.EXE | systray.exe (3 entries)
PID 4324 wrote to memory of 3008 | 4324 | systray.exe | cmd.exe (3 entries)
PID 4324 wrote to memory of 4668 | 4324 | systray.exe | cmd.exe (3 entries)
PID 4324 wrote to memory of 2656 | 4324 | systray.exe | Firefox.exe (2 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER NO7654567.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER NO7654567.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER NO7654567.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER NO7654567.exe"
    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
memory/756-131-0x0000000000000000-mapping.dmp
memory/756-132-0x0000000000400000-0x000000000042D000-memory.dmp, Filesize: 180KB
memory/756-134-0x0000000000400000-0x000000000042D000-memory.dmp, Filesize: 180KB
memory/756-135-0x0000000001650000-0x000000000199A000-memory.dmp, Filesize: 3.3MB
memory/756-136-0x00000000015E0000-0x00000000015F4000-memory.dmp, Filesize: 80KB
memory/1052-137-0x0000000008900000-0x0000000008A5D000-memory.dmp, Filesize: 1.4MB
memory/1052-144-0x0000000002B10000-0x0000000002BE5000-memory.dmp, Filesize: 852KB
memory/1256-130-0x0000000075080000-0x0000000075631000-memory.dmp, Filesize: 5.7MB
memory/3008-141-0x0000000000000000-mapping.dmp
memory/4324-139-0x00000000001A0000-0x00000000001A6000-memory.dmp, Filesize: 24KB
memory/4324-142-0x00000000022E0000-0x000000000262A000-memory.dmp, Filesize: 3.3MB
memory/4324-143-0x0000000002150000-0x00000000021E3000-memory.dmp, Filesize: 588KB
memory/4324-140-0x0000000000450000-0x000000000047D000-memory.dmp, Filesize: 180KB
memory/4324-138-0x0000000000000000-mapping.dmp
memory/4668-145-0x0000000000000000-mapping.dmp