General

Target     Attached is list of our purchase order.exe
Filesize   1018KB
Completed  21-05-2022 18:49
Task       behavioral2
Score      10/10

MD5      51c0b8ed8fefbc54a2dee932441e60f5
SHA1     f1725101ee1c02864a3e829d08d9062d9f05a694
SHA256   ab654da16e2c42b2547b884c79f0829214b34e0d1db7ab0ad23271a66f3298c3

SHA512   1d596345a1e54f24de8e2b2d086eed00ec822caab7b985abae37df15d300419ef0e0dc81d7154b73c89a2fa74b9fecc4d42f7fb09f56cb0e33e415056baf8804

Malware Config (extracted)

Family     formbook
Version    4.1
Campaign   3nop
Decoy

Signatures 13


Tactics: Collection, Credential Access, Defense Evasion, Persistence
  • Formbook

    Description

    Formbook is a data-stealing malware family.

  • Formbook Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3416-131-0x0000000010410000-0x000000001043D000-memory.dmp | formbook
    behavioral2/memory/2064-132-0x0000000000000000-mapping.dmp | formbook
    behavioral2/memory/2064-134-0x0000000010410000-0x000000001043D000-memory.dmp | formbook
    behavioral2/memory/2624-140-0x0000000000A20000-0x0000000000A4D000-memory.dmp | formbook
  • Adds policy Run key to start application
    wscript.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wscript.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application
    wscript.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | wscript.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3FG4CBIXJVE = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" | wscript.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Suspicious use of SetThreadContext
    ieinstal.exe, wscript.exe

    Reported IOCs

    description | pid | process | target process
    PID 2064 set thread context of 3144 | 2064 | ieinstal.exe | Explorer.EXE
    PID 2624 set thread context of 3144 | 2624 | wscript.exe | Explorer.EXE
  • Modifies Internet Explorer settings
    wscript.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wscript.exe
  • Suspicious behavior: EnumeratesProcesses
    ieinstal.exe, wscript.exe

    Reported IOCs

    pid | process
    2064 | ieinstal.exe (4 events)
    2624 | wscript.exe (48 events)
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    3144 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    ieinstal.exe, wscript.exe

    Reported IOCs

    pid | process
    2064 | ieinstal.exe (3 events)
    2624 | wscript.exe (4 events)
  • Suspicious use of AdjustPrivilegeToken
    ieinstal.exe, wscript.exe, Explorer.EXE

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2064 | ieinstal.exe
    Token: SeDebugPrivilege | 2624 | wscript.exe
    Token: SeShutdownPrivilege | 3144 | Explorer.EXE (2 events)
    Token: SeCreatePagefilePrivilege | 3144 | Explorer.EXE (2 events)
  • Suspicious use of WriteProcessMemory
    Attached is list of our purchase order.exe, Explorer.EXE, wscript.exe

    Reported IOCs

    description | pid | process | target process
    PID 3416 wrote to memory of 2064 | 3416 | Attached is list of our purchase order.exe | ieinstal.exe (6 events)
    PID 3144 wrote to memory of 2624 | 3144 | Explorer.EXE | wscript.exe (3 events)
    PID 2624 wrote to memory of 2664 | 2624 | wscript.exe | cmd.exe (3 events)
    PID 2624 wrote to memory of 2176 | 2624 | wscript.exe | Firefox.exe (3 events)
Processes 6
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Users\Admin\AppData\Local\Temp\Attached is list of our purchase order.exe
      "C:\Users\Admin\AppData\Local\Temp\Attached is list of our purchase order.exe"
      Suspicious use of WriteProcessMemory
      PID:3416
      • C:\Program Files (x86)\internet explorer\ieinstal.exe
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:2064
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      Adds policy Run key to start application
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        PID:2664
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:2176
Network
MITRE ATT&CK Matrix

Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads

  • C:\Users\Admin\AppData\Local\Temp\DB1
    MD5     b608d407fc15adea97c26936bc6f03f6
    SHA1    953e7420801c76393902c0d6bb56148947e41571
    SHA256  b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
    SHA512  cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

  • C:\Users\Admin\AppData\Roaming\-65A6372\-65logim.jpeg
    MD5     beadd0950c635721856920080223178d
    SHA1    baa567a755144b942f86850165c7b5f825dc33ac
    SHA256  43b6ab4db966632ad8b3fd36162f9d5f7bcaadd12af2aabd8d6d7878ba5da2a6
    SHA512  ddd50d2b54e34658662cf181a31d62424a3ee7ef30db09d09b94d803482d48236aa969053b18950f61a654ebf1a074a2fb2f7704678affd8cc856d4625c7da79

  • C:\Users\Admin\AppData\Roaming\-65A6372\-65logrf.ini
    MD5     2f245469795b865bdd1b956c23d7893d
    SHA1    6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
    SHA256  1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
    SHA512  909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

  • C:\Users\Admin\AppData\Roaming\-65A6372\-65logrg.ini
    MD5     4aadf49fed30e4c9b3fe4a3dd6445ebe
    SHA1    1e332822167c6f351b99615eada2c30a538ff037
    SHA256  75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
    SHA512  eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

  • C:\Users\Admin\AppData\Roaming\-65A6372\-65logri.ini
    MD5     d63a82e5d81e02e399090af26db0b9cb
    SHA1    91d0014c8f54743bba141fd60c9d963f869d76c9
    SHA256  eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
    SHA512  38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

  • C:\Users\Admin\AppData\Roaming\-65A6372\-65logrv.ini
    MD5     bbc41c78bae6c71e63cb544a6a284d94
    SHA1    33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
    SHA256  ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
    SHA512  0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

  Memory dumps
  • memory/2064-136-0x0000000002C90000-0x0000000002CA4000-memory.dmp
  • memory/2064-132-0x0000000000000000-mapping.dmp
  • memory/2064-134-0x0000000010410000-0x000000001043D000-memory.dmp
  • memory/2064-135-0x0000000002F30000-0x000000000327A000-memory.dmp
  • memory/2624-141-0x0000000002A60000-0x0000000002DAA000-memory.dmp
  • memory/2624-139-0x0000000000060000-0x0000000000087000-memory.dmp
  • memory/2624-140-0x0000000000A20000-0x0000000000A4D000-memory.dmp
  • memory/2624-144-0x00000000028D0000-0x0000000002963000-memory.dmp
  • memory/2624-138-0x0000000000000000-mapping.dmp
  • memory/2664-142-0x0000000000000000-mapping.dmp
  • memory/3144-145-0x0000000007F70000-0x00000000080BC000-memory.dmp
  • memory/3144-137-0x0000000002760000-0x000000000281E000-memory.dmp
  • memory/3416-131-0x0000000010410000-0x000000001043D000-memory.dmp