Analysis
- Max time kernel: 151s
- Max time network: 142s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 21-05-2022 12:37
- Static task: static1
- Behavioral task: behavioral1 (Sample: Purchase Order List.exe, Resource: win7-20220414-en)
General
- Target: Purchase Order List.exe
- Size: 368KB
- MD5: 962eef4cf460292ecc166f2b2fc98823
- SHA1: c666349ef2d17b180d3121954e658d4df231d9e8
- SHA256: 61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb
- SHA512: 32bc1b69343e11308da5309370e9b97969e4b47bf9c942aae97233b60e2ec6380e0c34a094c3d2260a9d48b1d4d821c8bc89071b10f54eaf27000c0625e715ab
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: 3nop
- C2 domains:
bakecakesandmore.com
shenglisuoye.com
chinapopfactory.com
ynlrhd.com
liqourforyou.com
leonqamil.com
meccafon.com
online-marketing-strategie.biz
rbfxi.com
frseyb.info
leyu91.com
hotsmail.today
beepot.tech
dunaemmetmobility.com
sixpenceworkshop.com
incrediblefavorcoaching.com
pofo.info
yanshudaili.com
yellowbrickwedding.com
paintpartyblueprint.com
capricorn1967.com
meucarrapicho.com
41230793.net
yoghurtberry.com
wv0uoagz0yr.biz
yfjbupes.com
mindfulinthemadness.com
deloslifesciences.com
adokristal.com
vandergardetuinmeubelshop.com
janewagtus.com
cloudmorning.com
foresteryt01.com
accident-law-yer.info
divorcerefinance.guru
wenxiban.com
589man.com
rockerdwe.com
duftkerzen.info
igametalent.com
yoursafetraffictoupdates.review
jialingjiangpubu.com
maximscrapbooking.com
20sf.info
shadowlandswitchery.com
pmbnc.info
shoppingdrift.online
potashdragon.com
ubkswmpes.com
064ewj.info
rewsales.com
dealsforyou.tech
ziruixu.com
naehascloud.com
smokvape.faith
sunflowermoonstudio.com
stepgentertainment.com
tawbj.info
besthappybuds.net
koohshoping.com
ajikrentcarsurabaya.com
jkjohnsroofingfl.com
whatsnexttnd.com
yoyodvd.com
joomlas123.info
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (4 IoCs)
  Processes (YARA rule hits):
  - behavioral1/memory/1048-59-0x0000000004A00000-0x0000000004A2D000-memory.dmp: formbook
  - behavioral1/memory/1584-64-0x000000000041E360-mapping.dmp: formbook
  - behavioral1/memory/1584-66-0x0000000000400000-0x000000000042D000-memory.dmp: formbook
  - behavioral1/memory/884-73-0x0000000000080000-0x00000000000AD000-memory.dmp: formbook
- Deletes itself (1 IoC)
  Processes:
  - PID 1184 cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (systray.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FLJPPREH = "C:\\Program Files (x86)\\V1b0x\\gdik6qliv8.exe" (systray.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  - PID 1048 (Purchase Order List.exe) set thread context of PID 1584 (Purchase Order List.exe)
  - PID 1584 (Purchase Order List.exe) set thread context of PID 1232 (Explorer.EXE)
  - PID 884 (systray.exe) set thread context of PID 1232 (Explorer.EXE)
- Drops file in Program Files directory (1 IoC)
  Processes:
  - File opened for modification: C:\Program Files (x86)\V1b0x\gdik6qliv8.exe (systray.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies Internet Explorer settings (1 IoC)
  Processes:
  - Key created: \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (systray.exe)
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes:
  - PID 1584 Purchase Order List.exe (2 hits)
  - PID 884 systray.exe (15 hits)
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes:
  - PID 1584 Purchase Order List.exe (3 hits)
  - PID 884 systray.exe (4 hits)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1584 Purchase Order List.exe
  - Token: SeDebugPrivilege, PID 884 systray.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  - PID 1232 Explorer.EXE (2 hits)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  - PID 1232 Explorer.EXE (2 hits)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (source PID wrote to memory of target PID):
  - PID 1048 (Purchase Order List.exe) wrote to memory of PID 2028 (schtasks.exe) (4 hits)
  - PID 1048 (Purchase Order List.exe) wrote to memory of PID 1584 (Purchase Order List.exe) (7 hits)
  - PID 1232 (Explorer.EXE) wrote to memory of PID 884 (systray.exe) (4 hits)
  - PID 884 (systray.exe) wrote to memory of PID 1184 (cmd.exe) (4 hits)
  - PID 884 (systray.exe) wrote to memory of PID 1372 (Firefox.exe) (5 hits)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Purchase Order List.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order List.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SZyEeet" /XML "C:\Users\Admin\AppData\Local\Temp\tmp730F.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\Purchase Order List.exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\systray.exe
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order List.exe"
      - Deletes itself
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp730F.tmp
  Filesize: 1KB
  MD5: 0f9a81a2d0635fce875cfb240ed96962
  SHA1: a37d36f08fdd445d0df2b5a00daf5829c97e36fa
  SHA256: d357e552bcba35ffd0abb2d598a061660f055002ab233adf4885225573dfbfbb
  SHA512: 68ffd5d1319b1b64a7500008c64c76654076c62ed200fcd5f50c945566d8fa2014a0632deb48768e48b0c0e1968cb2e67ebc5dc97e8ca68b515dd603ea499a85
- memory/884-70-0x0000000000000000-mapping.dmp
- memory/884-77-0x0000000075DF1000-0x0000000075DF3000-memory.dmp (Filesize: 8KB)
- memory/884-75-0x0000000000540000-0x00000000005D3000-memory.dmp (Filesize: 588KB)
- memory/884-74-0x0000000001FF0000-0x00000000022F3000-memory.dmp (Filesize: 3.0MB)
- memory/884-73-0x0000000000080000-0x00000000000AD000-memory.dmp (Filesize: 180KB)
- memory/884-72-0x0000000000530000-0x0000000000535000-memory.dmp (Filesize: 20KB)
- memory/1048-59-0x0000000004A00000-0x0000000004A2D000-memory.dmp (Filesize: 180KB)
- memory/1048-55-0x00000000003D0000-0x00000000003D8000-memory.dmp (Filesize: 32KB)
- memory/1048-56-0x0000000004130000-0x000000000416A000-memory.dmp (Filesize: 232KB)
- memory/1048-54-0x0000000000C20000-0x0000000000C82000-memory.dmp (Filesize: 392KB)
- memory/1184-71-0x0000000000000000-mapping.dmp
- memory/1232-76-0x0000000006620000-0x0000000006760000-memory.dmp (Filesize: 1.2MB)
- memory/1232-69-0x00000000071A0000-0x000000000734C000-memory.dmp (Filesize: 1.7MB)
- memory/1584-68-0x00000000002E0000-0x00000000002F4000-memory.dmp (Filesize: 80KB)
- memory/1584-60-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/1584-61-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/1584-64-0x000000000041E360-mapping.dmp
- memory/1584-67-0x0000000000700000-0x0000000000A03000-memory.dmp (Filesize: 3.0MB)
- memory/1584-66-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/2028-57-0x0000000000000000-mapping.dmp