Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:54

Static task: static1
Behavioral task: behavioral1
Sample: New order.exe
Resource: win7-20220414-en
General
- Target: New order.exe
- Size: 268KB
- MD5: 77fbec0f83df3e347cd28c4c3c18a926
- SHA1: 908709218882a96882ced2a71556740017d37b77
- SHA256: 0f028665a6f71c72b5dded557cf9e0b33f44133134a695b867bc66df9f5202bf
- SHA512: 26a5623e420067a3e2b5580c4fd9e379bc8790fab8b8b99d7afe63b7ebe46c6fafdb0510e4ff34c1f9e46b1a9cd022eb4ba1d2ca5b30f7741957f26b5dc06036
Malware Config
Extracted:
- Family: formbook
- Version: 3.9
- Campaign: m6x
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (2 IoCs)
  resource: yara_rule
    behavioral2/memory/2300-132-0x0000000005B20000-0x0000000005B4A000-memory.dmp: formbook
    behavioral2/memory/64-140-0x0000000000990000-0x00000000009BA000-memory.dmp: formbook
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: help.exe
  description: ioc (process)
    Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (help.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9RD0KXKHQ6 = "C:\\Program Files (x86)\\Evbfd\\3fkvvzh0tbp.exe" (help.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: New order.exe
  description: ioc (process)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (New order.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (New order.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: New order.exe, help.exe
  description (pid, process -> target process)
    PID 2300 set thread context of 3144 (2300, New order.exe -> Explorer.EXE)
    PID 64 set thread context of 3144 (64, help.exe -> Explorer.EXE)
- Drops file in Program Files directory (1 IoC)
  Processes: help.exe
  description: ioc (process)
    File opened for modification: C:\Program Files (x86)\Evbfd\3fkvvzh0tbp.exe (help.exe)
- Modifies Internet Explorer settings (1 IoC)
  Processes: help.exe
  description: ioc (process)
    Key created: \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (help.exe)
- Suspicious behavior: EnumeratesProcesses (46 IoCs)
  Processes: New order.exe, help.exe
  pid, process:
    2300, New order.exe (4 entries)
    64, help.exe (the remaining entries of the 46)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE
  pid, process:
    3144, Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: New order.exe, help.exe
  pid, process:
    2300, New order.exe (3 entries)
    64, help.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: New order.exe, help.exe, Explorer.EXE
  description (pid, process):
    Token: SeDebugPrivilege (2300, New order.exe)
    Token: SeDebugPrivilege (64, help.exe)
    Token: SeShutdownPrivilege (3144, Explorer.EXE)
    Token: SeCreatePagefilePrivilege (3144, Explorer.EXE)
    Token: SeShutdownPrivilege (3144, Explorer.EXE)
    Token: SeCreatePagefilePrivilege (3144, Explorer.EXE)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Explorer.EXE, help.exe
  description (pid, process -> target process):
    PID 3144 wrote to memory of 64 (3144, Explorer.EXE -> help.exe) (3 entries)
    PID 64 wrote to memory of 1968 (64, help.exe -> cmd.exe) (3 entries)
    PID 64 wrote to memory of 1852 (64, help.exe -> cmd.exe) (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\New order.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\New order.exe"
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\help.exe
    Command line: "C:\Windows\SysWOW64\help.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\New order.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- memory/64-137-0x0000000000000000-mapping.dmp
- memory/64-142-0x00000000010C0000-0x0000000001153000-memory.dmp
  Filesize: 588KB
- memory/64-141-0x0000000001280000-0x00000000015CA000-memory.dmp
  Filesize: 3.3MB
- memory/64-139-0x0000000000120000-0x0000000000127000-memory.dmp
  Filesize: 28KB
- memory/64-140-0x0000000000990000-0x00000000009BA000-memory.dmp
  Filesize: 168KB
- memory/1852-144-0x0000000000000000-mapping.dmp
- memory/1968-138-0x0000000000000000-mapping.dmp
- memory/2300-130-0x0000000000E40000-0x0000000000E88000-memory.dmp
  Filesize: 288KB
- memory/2300-135-0x00000000058A0000-0x0000000005E44000-memory.dmp
  Filesize: 5.6MB
- memory/2300-134-0x00000000065B0000-0x00000000068FA000-memory.dmp
  Filesize: 3.3MB
- memory/2300-133-0x00000000058A0000-0x0000000005E44000-memory.dmp
  Filesize: 5.6MB
- memory/2300-132-0x0000000005B20000-0x0000000005B4A000-memory.dmp
  Filesize: 168KB
- memory/2300-131-0x0000000005E50000-0x00000000063F4000-memory.dmp
  Filesize: 5.6MB
- memory/3144-136-0x0000000002600000-0x0000000002713000-memory.dmp
  Filesize: 1.1MB
- memory/3144-143-0x0000000002720000-0x00000000027D8000-memory.dmp
  Filesize: 736KB