Analysis

- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:56

Static task: static1
Behavioral task: behavioral1
Sample: Total GP Employment Offer.exe
Resource: win7-20220414-en
General

- Target: Total GP Employment Offer.exe
- Size: 310KB
- MD5: 04c8a35797fa8d2e1e3ed5f65f128d04
- SHA1: 9736f277710815dafe27857805e0c7af97adfaeb
- SHA256: adf4b8a00eec7af49d20ac1939ca9b5c078e8d119c7e6f1b708c5e39df3acf71
- SHA512: 1e0476cde888f0bec1da340809397a1582a35e2f569b9a4ba6b397b885c3ddd481deec840f245dbcb55b1d2650afcb5716779249c4d4d934afda0ace0088a47b
Malware Config

Extracted
- Family: formbook
- Version: 4.0
- Campaign: lgm
Signatures

- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Formbook Payload (3 IoCs)
Processes:
- behavioral2/memory/3176-136-0x0000000000400000-0x000000000042D000-memory.dmp (yara_rule: formbook)
- behavioral2/memory/3176-141-0x0000000000400000-0x000000000042D000-memory.dmp (yara_rule: formbook)
- behavioral2/memory/4120-146-0x00000000010D0000-0x00000000010FD000-memory.dmp (yara_rule: formbook)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: mstsc.exe
- Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: mstsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ODWTTT2XGV = "C:\\Program Files (x86)\\Nctkt8\\zhg49jdb9.exe" (process: mstsc.exe)
Suspicious use of SetThreadContext (4 IoCs)
Processes: Total GP Employment Offer.exe, mstsc.exe
- PID 2416 (Total GP Employment Offer.exe) set thread context of 3176 (Total GP Employment Offer.exe)
- PID 3176 (Total GP Employment Offer.exe) set thread context of 2628 (Explorer.EXE) (2 events)
- PID 4120 (mstsc.exe) set thread context of 2628 (Explorer.EXE)

Drops file in Program Files directory (1 IoCs)
Processes: mstsc.exe
- File opened for modification: C:\Program Files (x86)\Nctkt8\zhg49jdb9.exe (process: mstsc.exe)
Modifies Internet Explorer settings (1 IoCs)
Processes: mstsc.exe
- Key created: \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: mstsc.exe)
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Processes: Total GP Employment Offer.exe, mstsc.exe
- PID 3176 Total GP Employment Offer.exe (6 events)
- PID 4120 mstsc.exe (28 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
- PID 2628 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: Total GP Employment Offer.exe, mstsc.exe
- PID 3176 Total GP Employment Offer.exe (4 events)
- PID 4120 mstsc.exe (2 events)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: Total GP Employment Offer.exe, mstsc.exe, Explorer.EXE
- Token: SeDebugPrivilege, PID 3176 Total GP Employment Offer.exe
- Token: SeDebugPrivilege, PID 4120 mstsc.exe
- Token: SeShutdownPrivilege, PID 2628 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2628 Explorer.EXE
- Token: SeShutdownPrivilege, PID 2628 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2628 Explorer.EXE

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: Total GP Employment Offer.exe, Explorer.EXE, mstsc.exe
- PID 2416 (Total GP Employment Offer.exe) wrote to memory of 3176 (Total GP Employment Offer.exe) (6 events)
- PID 2628 (Explorer.EXE) wrote to memory of 4120 (mstsc.exe) (3 events)
- PID 4120 (mstsc.exe) wrote to memory of 3112 (cmd.exe) (3 events)
- PID 4120 (mstsc.exe) wrote to memory of 1720 (cmd.exe) (3 events)
Processes

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Total GP Employment Offer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Total GP Employment Offer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Total GP Employment Offer.exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\mstsc.exe
    Command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Total GP Employment Offer.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

- C:\Users\Admin\AppData\Roaming\9PR946AV\9PRlogim.jpeg
  Filesize: 79KB
  MD5: 0120f7475c261263c8acda7103414971
  SHA1: 38fa930a912682dacbd26fe2ae4afd191ee37b3b
  SHA256: 74f66a4a1be68fe8fa48a2064e96a34931c3e905415442edbcd9db9137bc3394
  SHA512: 2ca37e6a07b6098e513c6f22a8199a66fc7b4b11106e9aeff462febe328a5bfcffa3c8da3be7a0a10f15dd91a9b7e1799c8eb7ef4ae87c03c5193d7dd6cd6f55

- C:\Users\Admin\AppData\Roaming\9PR946AV\9PRlogrg.ini
  Filesize: 38B
  MD5: 4aadf49fed30e4c9b3fe4a3dd6445ebe
  SHA1: 1e332822167c6f351b99615eada2c30a538ff037
  SHA256: 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
  SHA512: eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

- C:\Users\Admin\AppData\Roaming\9PR946AV\9PRlogri.ini
  Filesize: 40B
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

- C:\Users\Admin\AppData\Roaming\9PR946AV\9PRlogrv.ini
  Filesize: 872B
  MD5: bbc41c78bae6c71e63cb544a6a284d94
  SHA1: 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
  SHA256: ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
  SHA512: 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
Memory dumps:
- memory/1720-151-0x0000000000000000-mapping.dmp
- memory/2416-130-0x0000000000410000-0x0000000000464000-memory.dmp (Filesize: 336KB)
- memory/2416-134-0x0000000008AD0000-0x0000000008B6C000-memory.dmp (Filesize: 624KB)
- memory/2416-133-0x0000000004FB0000-0x0000000004FBA000-memory.dmp (Filesize: 40KB)
- memory/2416-132-0x0000000004E00000-0x0000000004E92000-memory.dmp (Filesize: 584KB)
- memory/2416-131-0x0000000005470000-0x0000000005A14000-memory.dmp (Filesize: 5.6MB)
- memory/2628-140-0x0000000008810000-0x00000000089A0000-memory.dmp (Filesize: 1.6MB)
- memory/2628-143-0x00000000089A0000-0x0000000008B4D000-memory.dmp (Filesize: 1.7MB)
- memory/2628-150-0x0000000002FD0000-0x0000000003066000-memory.dmp (Filesize: 600KB)
- memory/3112-148-0x0000000000000000-mapping.dmp
- memory/3176-136-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/3176-142-0x0000000002DD0000-0x0000000002DE4000-memory.dmp (Filesize: 80KB)
- memory/3176-141-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/3176-139-0x0000000001410000-0x0000000001424000-memory.dmp (Filesize: 80KB)
- memory/3176-138-0x0000000000EE0000-0x000000000122A000-memory.dmp (Filesize: 3.3MB)
- memory/3176-135-0x0000000000000000-mapping.dmp
- memory/4120-147-0x0000000003090000-0x00000000033DA000-memory.dmp (Filesize: 3.3MB)
- memory/4120-146-0x00000000010D0000-0x00000000010FD000-memory.dmp (Filesize: 180KB)
- memory/4120-149-0x0000000002ED0000-0x0000000002F63000-memory.dmp (Filesize: 588KB)
- memory/4120-145-0x0000000000580000-0x00000000006BA000-memory.dmp (Filesize: 1.2MB)
- memory/4120-144-0x0000000000000000-mapping.dmp