Analysis
Max time kernel: 148s
Max time network: 135s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 18:56
Static task: static1
Behavioral task: behavioral1
Sample: Total GP Employment Offer.exe
Resource: win7-20220414-en
General
Target: Total GP Employment Offer.exe
Size: 310KB
MD5: 04c8a35797fa8d2e1e3ed5f65f128d04
SHA1: 9736f277710815dafe27857805e0c7af97adfaeb
SHA256: adf4b8a00eec7af49d20ac1939ca9b5c078e8d119c7e6f1b708c5e39df3acf71
SHA512: 1e0476cde888f0bec1da340809397a1582a35e2f569b9a4ba6b397b885c3ddd481deec840f245dbcb55b1d2650afcb5716779249c4d4d934afda0ace0088a47b
Malware Config
Extracted
Family: formbook
Version: 4.0
Campaign: lgm
C2 domains:
Signatures

Formbook Payload (4 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1984-61-0x0000000000400000-0x000000000042D000-memory.dmp  formbook
  behavioral1/memory/1984-62-0x000000000041E350-mapping.dmp                    formbook
  behavioral1/memory/1984-64-0x0000000000400000-0x000000000042D000-memory.dmp  formbook
  behavioral1/memory/1620-70-0x0000000000080000-0x00000000000AD000-memory.dmp  formbook

ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/884-57-0x0000000004910000-0x000000000494A000-memory.dmp   rezer0

Deletes itself (1 IoC)
Processes:
  pid   process
  1612  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          pid   process                        target process
  PID 884 set thread context of 1984   884   Total GP Employment Offer.exe  Total GP Employment Offer.exe
  PID 1984 set thread context of 1376  1984  Total GP Employment Offer.exe  Explorer.EXE
  PID 1620 set thread context of 1376  1620  netsh.exe                      Explorer.EXE

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
  pid   process                        events
  1984  Total GP Employment Offer.exe  2
  1620  netsh.exe                      13

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process                        events
  1984  Total GP Employment Offer.exe  3
  1620  netsh.exe                      2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1984  Total GP Employment Offer.exe
  Token: SeDebugPrivilege  1620  netsh.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process       events
  1376  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid   process       events
  1376  Explorer.EXE  2

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                      pid   process                        target process                 events
  PID 884 wrote to memory of 1984  884   Total GP Employment Offer.exe  Total GP Employment Offer.exe  7
  PID 1376 wrote to memory of 1620 1376  Explorer.EXE                   netsh.exe                      4
  PID 1620 wrote to memory of 1612 1620  netsh.exe                      cmd.exe                        4
Processes

C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Total GP Employment Offer.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Total GP Employment Offer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Total GP Employment Offer.exe (depth 3)
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Total GP Employment Offer.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
  file                                                                     filesize
  memory/884-55-0x0000000075741000-0x0000000075743000-memory.dmp           8KB
  memory/884-56-0x00000000002F0000-0x0000000000300000-memory.dmp           64KB
  memory/884-57-0x0000000004910000-0x000000000494A000-memory.dmp           232KB
  memory/884-54-0x00000000013D0000-0x0000000001424000-memory.dmp           336KB
  memory/1376-74-0x0000000004070000-0x0000000004118000-memory.dmp          672KB
  memory/1376-67-0x00000000062F0000-0x000000000643C000-memory.dmp          1.3MB
  memory/1612-72-0x0000000000000000-mapping.dmp
  memory/1620-68-0x0000000000000000-mapping.dmp
  memory/1620-73-0x0000000000A50000-0x0000000000AE3000-memory.dmp          588KB
  memory/1620-71-0x0000000002200000-0x0000000002503000-memory.dmp          3.0MB
  memory/1620-69-0x0000000000DE0000-0x0000000000DFB000-memory.dmp          108KB
  memory/1620-70-0x0000000000080000-0x00000000000AD000-memory.dmp          180KB
  memory/1984-58-0x0000000000400000-0x000000000042D000-memory.dmp          180KB
  memory/1984-66-0x00000000001D0000-0x00000000001E4000-memory.dmp          80KB
  memory/1984-64-0x0000000000400000-0x000000000042D000-memory.dmp          180KB
  memory/1984-65-0x0000000000950000-0x0000000000C53000-memory.dmp          3.0MB
  memory/1984-62-0x000000000041E350-mapping.dmp
  memory/1984-61-0x0000000000400000-0x000000000042D000-memory.dmp          180KB
  memory/1984-59-0x0000000000400000-0x000000000042D000-memory.dmp          180KB