Analysis
max time kernel: 147s
max time network: 162s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 03:18

Static task: static1
Behavioral task: behavioral1
Sample: orden de compra.exe
Resource: win7-20220414-en
General
Target: orden de compra.exe
Size: 519KB
MD5: f54815ffc4db44ce06b3012f9d014f31
SHA1: 2f0939b658ef735025b0c76c20c0101003076529
SHA256: e3262e18e77da24473b5af2117f10a3121c8ed1a832c6e1b0f5a8f0d7e5fecda
SHA512: 76c1152640c367b4cefae86ec8c2dabc434659e29c7bcddc3a2af37c39fcf445a746021204a695f6b739d89a145331a28348cda4060c9668e2224d795505b9c7
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: kvsz
C2 domains:
okashyns.com
sbsgamedaejeon-two.com
drb77.com
top5dating.com
websprings.online
voizers.com
zenith.site
lahistoriade.com
qv85.com
armandonieto.com
priestvedic.com
jessandjeff.net
magic-desktop.com
jitaji.com
ldmeili.com
yuwanqingmy.com
buzhouorg.com
chaiseloungereviews.com
m2g8way.com
freespin-support.com
bocapvang.net
315px.com
eugeniobarros.tech
sif.email
xn--oorv2aj6bj7cds0d6p4b.com
polychips.com
grouptulip.win
landbank.site
bet365c.win
inbonz.com
outofthepark.today
jeaniney.com
weeip.com
dmoneylife.com
rticlubs.com
reisedating.com
marijuanadogbone.com
funippon.com
banknotesync.com
alexandre-boissard.com
valorartetattoo.com
savetheverse.com
specificpcshop.online
h0jt1y.accountant
jiqing3.com
alfaranakle.com
saft-store.com
wanderingcollective.com
santandermobi.online
557023.top
loulancaster.com
vedattelekom.com
jatinangorcity.com
goldencanaries.com
edgaralanbro.com
levelretail.com
taylorsandbek.com
upbeatnewyork.com
motoreselectricoschihuahua.com
hotair.wales
getawomantodoit.com
xiaoxiong365.com
cloudboxsupport.com
vecteur-u-shop.com
fex-tracks.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload 3 IoCs
resource | yara_rule
behavioral1/memory/1996-64-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1996-65-0x000000000041ECA0-mapping.dmp | formbook
behavioral1/memory/2020-73-0x0000000000100000-0x000000000012E000-memory.dmp | formbook
Adds Run key to start application 2 TTPs 2 IoCs
Processes: NETSTAT.EXE
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | NETSTAT.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GZVHTLWH = "C:\\Program Files (x86)\\O8pj81\\updateuxe.exe" | NETSTAT.EXE
Suspicious use of SetThreadContext 3 IoCs
Processes: orden de compra.exe, RegSvcs.exe, NETSTAT.EXE
description | pid | process | target process
PID 1528 set thread context of 1996 | 1528 | orden de compra.exe | RegSvcs.exe
PID 1996 set thread context of 1256 | 1996 | RegSvcs.exe | Explorer.EXE
PID 2020 set thread context of 1256 | 2020 | NETSTAT.EXE | Explorer.EXE
Drops file in Program Files directory 1 IoCs
Processes: NETSTAT.EXE
description | ioc | process
File opened for modification | C:\Program Files (x86)\O8pj81\updateuxe.exe | NETSTAT.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: NETSTAT.EXE
pid | process
2020 | NETSTAT.EXE
Modifies Internet Explorer settings
Processes: NETSTAT.EXE
description | ioc | process
Key created | \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | NETSTAT.EXE
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: orden de compra.exe, RegSvcs.exe, NETSTAT.EXE
pid | process
1528 | orden de compra.exe (x3)
1996 | RegSvcs.exe (x2)
2020 | NETSTAT.EXE (x13)
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: RegSvcs.exe, NETSTAT.EXE
pid | process
1996 | RegSvcs.exe (x3)
2020 | NETSTAT.EXE (x4)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: orden de compra.exe, RegSvcs.exe, NETSTAT.EXE, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 1528 | orden de compra.exe
Token: SeDebugPrivilege | 1996 | RegSvcs.exe
Token: SeDebugPrivilege | 2020 | NETSTAT.EXE
Token: SeShutdownPrivilege | 1256 | Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid | process
1256 | Explorer.EXE (x2)

Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
pid | process
1256 | Explorer.EXE (x2)
Suspicious use of WriteProcessMemory 27 IoCs
Processes: orden de compra.exe, Explorer.EXE, NETSTAT.EXE
description | pid | process | target process
PID 1528 wrote to memory of 1176 | 1528 | orden de compra.exe | schtasks.exe (x4)
PID 1528 wrote to memory of 1996 | 1528 | orden de compra.exe | RegSvcs.exe (x10)
PID 1256 wrote to memory of 2020 | 1256 | Explorer.EXE | NETSTAT.EXE (x4)
PID 2020 wrote to memory of 1472 | 2020 | NETSTAT.EXE | cmd.exe (x4)
PID 2020 wrote to memory of 1072 | 2020 | NETSTAT.EXE | Firefox.exe (x5)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\orden de compra.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\orden de compra.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mAPeycREvI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp427D.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Gathers network information
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp427D.tmp
Filesize: 1KB
MD5: c3e5c8da46870973b5e31a2b41f9db4d
SHA1: 7687c5e52541824beeeac81aceb25359016d9340
SHA256: f452c71f6342efaad0f2ff8635ebac65aff7e8641602d6dd2007ff082e41c71c
SHA512: 930e5c594cff03effec5e6709860e088c7458129c03c35dee8e5af79081bd90eee7fe169876ce59ee0f52bf7e71ab6cd7ae5301ea8c7de0bec9237c00ee3cc19

memory/1176-59-0x0000000000000000-mapping.dmp

memory/1256-76-0x0000000006600000-0x00000000066CA000-memory.dmp
Filesize: 808KB

memory/1256-69-0x0000000004200000-0x00000000042E7000-memory.dmp
Filesize: 924KB

memory/1472-71-0x0000000000000000-mapping.dmp

memory/1528-56-0x00000000003D0000-0x00000000003E0000-memory.dmp
Filesize: 64KB

memory/1528-57-0x0000000004C90000-0x0000000004CE4000-memory.dmp
Filesize: 336KB

memory/1528-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
Filesize: 8KB

memory/1528-54-0x00000000009E0000-0x0000000000A68000-memory.dmp
Filesize: 544KB

memory/1528-58-0x0000000002000000-0x0000000002034000-memory.dmp
Filesize: 208KB

memory/1996-64-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB

memory/1996-67-0x00000000008D0000-0x0000000000BD3000-memory.dmp
Filesize: 3.0MB

memory/1996-68-0x00000000001E0000-0x00000000001F4000-memory.dmp
Filesize: 80KB

memory/1996-65-0x000000000041ECA0-mapping.dmp

memory/1996-62-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB

memory/1996-61-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB

memory/2020-70-0x0000000000000000-mapping.dmp

memory/2020-72-0x0000000000CA0000-0x0000000000CA9000-memory.dmp
Filesize: 36KB

memory/2020-73-0x0000000000100000-0x000000000012E000-memory.dmp
Filesize: 184KB

memory/2020-74-0x00000000020B0000-0x00000000023B3000-memory.dmp
Filesize: 3.0MB

memory/2020-75-0x0000000000B00000-0x0000000000B93000-memory.dmp
Filesize: 588KB