c47f67b3b696c414c6877e088c13cd6b569586f41fb8c0b4341276d6130546ce

General

Target

Purchase Order Frank Manufactures.exe
Size

1.3MB
MD5

32434444d1b2d9901449af917cf18c45
SHA1

f673c3a29258d7b0d540e6fb83c3d22059ad760b
SHA256

c47f67b3b696c414c6877e088c13cd6b569586f41fb8c0b4341276d6130546ce
SHA512

b994784d3228704f2ace28b7f0f2081cd83c4c8af1cbd4e6ee7fe4eea11b80cb7cd69ad451a04a37130eb7c79b55f6ee02c32e0cda249a5d9769ea13bbd0d7ee

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata
Downloads MZ/PE file

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase Order Frank Manufactures.exeRegSvcs.exemstsc.exe

description	pid	process	target process
PID 2328 set thread context of 4304	2328	Purchase Order Frank Manufactures.exe	RegSvcs.exe
PID 4304 set thread context of 2464	4304	RegSvcs.exe	Explorer.EXE
PID 4776 set thread context of 2464	4776	mstsc.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

RegSvcs.exemstsc.exe

pid	process
4304	RegSvcs.exe
4304	RegSvcs.exe
4304	RegSvcs.exe
4304	RegSvcs.exe
4304	RegSvcs.exe
4304	RegSvcs.exe
4304	RegSvcs.exe
4304	RegSvcs.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe
4776	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2464 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegSvcs.exemstsc.exe

pid process

4304 RegSvcs.exe
4304 RegSvcs.exe
4304 RegSvcs.exe
4776 mstsc.exe
4776 mstsc.exe
4776 mstsc.exe
4776 mstsc.exe

pid	process
2464	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Purchase Order Frank Manufactures.exeRegSvcs.exemstsc.exe

description	pid	process
Token: SeDebugPrivilege	2328	Purchase Order Frank Manufactures.exe
Token: SeDebugPrivilege	4304	RegSvcs.exe
Token: SeDebugPrivilege	4776	mstsc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Purchase Order Frank Manufactures.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 2328 wrote to memory of 4304	2328	Purchase Order Frank Manufactures.exe	RegSvcs.exe
PID 2328 wrote to memory of 4304	2328	Purchase Order Frank Manufactures.exe	RegSvcs.exe
PID 2328 wrote to memory of 4304	2328	Purchase Order Frank Manufactures.exe	RegSvcs.exe
PID 2328 wrote to memory of 4304	2328	Purchase Order Frank Manufactures.exe	RegSvcs.exe
PID 2328 wrote to memory of 4304	2328	Purchase Order Frank Manufactures.exe	RegSvcs.exe
PID 2328 wrote to memory of 4304	2328	Purchase Order Frank Manufactures.exe	RegSvcs.exe
PID 2464 wrote to memory of 4776	2464	Explorer.EXE	mstsc.exe
PID 2464 wrote to memory of 4776	2464	Explorer.EXE	mstsc.exe
PID 2464 wrote to memory of 4776	2464	Explorer.EXE	mstsc.exe
PID 4776 wrote to memory of 2812	4776	mstsc.exe	Firefox.exe
PID 4776 wrote to memory of 2812	4776	mstsc.exe	Firefox.exe
PID 4776 wrote to memory of 2812	4776	mstsc.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Local\Temp\Purchase Order Frank Manufactures.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Frank Manufactures.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2328-131-0x0000000004F30000-0x0000000004FCC000-memory.dmp

Filesize
624KB

Download
memory/2328-130-0x0000000000470000-0x00000000005B6000-memory.dmp

Filesize
1.3MB

Download
memory/2464-137-0x00000000080F0000-0x0000000008275000-memory.dmp

Filesize
1.5MB

Download
memory/2464-146-0x0000000002EE0000-0x0000000002FBB000-memory.dmp

Filesize
876KB

Download
memory/2464-144-0x0000000002EE0000-0x0000000002FBB000-memory.dmp

Filesize
876KB

Download
memory/4304-139-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4304-136-0x0000000001460000-0x0000000001471000-memory.dmp

Filesize
68KB

Download
memory/4304-134-0x0000000001580000-0x00000000018CA000-memory.dmp

Filesize
3.3MB

Download
memory/4304-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4304-132-0x0000000000000000-mapping.dmp

Download
memory/4776-138-0x0000000000000000-mapping.dmp

Download
memory/4776-140-0x00000000002D0000-0x000000000040A000-memory.dmp

Filesize
1.2MB

Download
memory/4776-141-0x0000000001200000-0x000000000122D000-memory.dmp

Filesize
180KB

Download
memory/4776-142-0x0000000003150000-0x000000000349A000-memory.dmp

Filesize
3.3MB

Download
memory/4776-143-0x0000000002F80000-0x0000000003010000-memory.dmp

Filesize
576KB

Download
memory/4776-145-0x0000000001200000-0x000000000122D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads