Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
17/08/2022, 06:30
Static task
static1
Behavioral task
behavioral1
Sample
TRANSFERENCIA 112987.17.js
Resource
win7-20220812-en
General
-
Target
TRANSFERENCIA 112987.17.js
-
Size
50KB
-
MD5
dee4b4c202f66b29874dc3513c6b6763
-
SHA1
7ccb14c3747f40a03af2323a5ad4ced193ce898b
-
SHA256
f09aaecd8326e6cfe7eb413ff97f62a7537d38da9eb11e89ad5fa3fc3f256ad9
-
SHA512
3c7537e59d1f658482c8ef39ae8652b7cfd898556583d2890c2687f929d7837a440828ee366ef5710bb07cfac6f08d73fc6db86d5189f279b1e8623dd84489de
Malware Config
Extracted
formbook
4.1
la33
landscapingwithstyles.com
thepetpreneur.com
optimafame.sbs
ipymont.online
optimallyhealthy.com
ke88fu.top
aspieadventures.com
syjqgg.com
hkhightechindustry.com
used.systems
kumharicompany.com
2907crockerct.com
bluestarmuch.net
lostgirlhikes.com
thealtro.net
taart-maken.com
kriyativa.com
movemobilehome.com
desireedaniels.team
shumakova.site
specialthing.store
cristobalherreros.info
mygful.com
thendash.com
floorscreedslondon.website
decazafatas.com
naruse-bar.com
vendency.com
thecastlefordtigers.co.uk
blazersandmore.online
aikidokatshirt.com
pilem.net
dzfoilinsulation.com
spyware-help.com
yiwangnet.com
hhwdy.top
koura-autot.club
imiim.xyz
autonomous-navigation.com
e-journal.online
jinyunyx.com
ipfa.world
yunding008.com
angkringan-wawbppn.online
landsbankinn.co
libero.agency
bio299.net
lucky2022.xyz
syokunin-match.com
coreprism.com
lumieresmoderne.app
authentichobby.com
atailored.com
oulunmetallipalvelu.com
impofo.info
sekoschaircovers.com
thatgirlbeauty.com
jjaelectrical.co.uk
asbd.online
nursingdegreeprogram.life
amzrscxzcz.com
dim-ta-sad.space
data-wellness.life
integration.cfd
anpost.life
Signatures
-
Formbook payload 3 IoCs
resource yara_rule behavioral1/files/0x0024000000012346-60.dat formbook behavioral1/files/0x0024000000012346-65.dat formbook behavioral1/memory/1592-68-0x0000000000170000-0x000000000019F000-memory.dmp formbook -
Blocklisted process makes network request 34 IoCs
flow pid Process 6 828 wscript.exe 11 748 wscript.exe 12 912 wscript.exe 14 828 wscript.exe 15 828 wscript.exe 16 748 wscript.exe 18 912 wscript.exe 20 828 wscript.exe 22 748 wscript.exe 24 912 wscript.exe 28 748 wscript.exe 29 912 wscript.exe 33 748 wscript.exe 35 912 wscript.exe 37 748 wscript.exe 39 912 wscript.exe 42 748 wscript.exe 46 912 wscript.exe 50 748 wscript.exe 52 912 wscript.exe 53 748 wscript.exe 56 912 wscript.exe 61 748 wscript.exe 63 912 wscript.exe 66 748 wscript.exe 68 912 wscript.exe 72 748 wscript.exe 75 912 wscript.exe 79 748 wscript.exe 81 912 wscript.exe 83 748 wscript.exe 85 912 wscript.exe 88 748 wscript.exe 91 912 wscript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 1580 bin.exe -
Drops startup file 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPaotlcvgR.js wscript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js wscript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPaotlcvgR.js wscript.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1580 set thread context of 1220 1580 bin.exe 16 PID 1592 set thread context of 1220 1592 wscript.exe 16 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description ioc Process Key created \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 wscript.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 1580 bin.exe 1580 bin.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 1580 bin.exe 1580 bin.exe 1580 bin.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe 1592 wscript.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1580 bin.exe Token: SeDebugPrivilege 1592 wscript.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 828 wrote to memory of 748 828 wscript.exe 28 PID 828 wrote to memory of 748 828 wscript.exe 28 PID 828 wrote to memory of 748 828 wscript.exe 28 PID 748 wrote to memory of 912 748 wscript.exe 30 PID 748 wrote to memory of 912 748 wscript.exe 30 PID 748 wrote to memory of 912 748 wscript.exe 30 PID 828 wrote to memory of 1580 828 wscript.exe 35 PID 828 wrote to memory of 1580 828 wscript.exe 35 PID 828 wrote to memory of 1580 828 wscript.exe 35 PID 828 wrote to memory of 1580 828 wscript.exe 35 PID 1220 wrote to memory of 1592 1220 Explorer.EXE 36 PID 1220 wrote to memory of 1592 1220 Explorer.EXE 36 PID 1220 wrote to memory of 1592 1220 Explorer.EXE 36 PID 1220 wrote to memory of 1592 1220 Explorer.EXE 36 PID 1592 wrote to memory of 1992 1592 wscript.exe 38 PID 1592 wrote to memory of 1992 1592 wscript.exe 38 PID 1592 wrote to memory of 1992 1592 wscript.exe 38 PID 1592 wrote to memory of 1992 1592 wscript.exe 38 PID 1592 wrote to memory of 1992 1592 wscript.exe 38
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA 112987.17.js"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VPaotlcvgR.js"3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"4⤵
- Blocklisted process makes network request
- Drops startup file
PID:912
-
-
-
C:\Users\Admin\AppData\Local\Temp\bin.exe"C:\Users\Admin\AppData\Local\Temp\bin.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵PID:1992
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
185KB
MD57578ec3deb440e8bffbc0eb52766fb3c
SHA18e33631cb47203bdae3fc2f2b0b0b3670de1335e
SHA256252ce128d1491da94eb7936517f807a53e0b93bb2b7caacd981e0d51a8febd36
SHA5129e3c04191330cf6a076bf5a82c8ae43afb7fe54bb136fe68ce9a412b3c02aa4e85dec89933d056ecf09f3e9a28d3cbdbe1912478e7bc0a7d68cd21806abc2276
-
Filesize
185KB
MD57578ec3deb440e8bffbc0eb52766fb3c
SHA18e33631cb47203bdae3fc2f2b0b0b3670de1335e
SHA256252ce128d1491da94eb7936517f807a53e0b93bb2b7caacd981e0d51a8febd36
SHA5129e3c04191330cf6a076bf5a82c8ae43afb7fe54bb136fe68ce9a412b3c02aa4e85dec89933d056ecf09f3e9a28d3cbdbe1912478e7bc0a7d68cd21806abc2276
-
Filesize
61KB
MD5586cfe5292bc68cbea4733842d690714
SHA1b69c82df750ad29620915f81c51ca2d2d26fca2b
SHA2568fa13955a82bd027e4e684047b8db4ff1857654dc436d748a2f593615d390ce8
SHA5125c77b84bf0641834f8247a3f2356c5f9dcc4f9e691e5eda5fa33d1583149efbcd54670c368f49c54db3b6c4c99fed0329a3bc1ecc87e056720e044b272c9ae74
-
Filesize
40B
MD52f245469795b865bdd1b956c23d7893d
SHA16ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA2561662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
-
Filesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
Filesize
40B
MD5ba3b6bc807d4f76794c4b81b09bb9ba5
SHA124cb89501f0212ff3095ecc0aba97dd563718fb1
SHA2566eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
-
Filesize
26KB
MD58c05239516dbd3fd5501fa9a1eba063b
SHA1cd983650af2353da97dd908f7027339e622ce819
SHA25656226c2bbb8ba4586aea45ea618d7aa574280225036b22ac6e57aa907860c547
SHA5128affbe22f0bc64aa685a5c38fbba0f9f43df726aa40392ad1b39792ceb15616bf2f6371b192fb7e4b492a44b953a8068ff82003d2bc51acb99d1aaee51d257d7
-
Filesize
6KB
MD5a542a21ecaba36f6ba8c6457b8ab67f9
SHA13f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
SHA256bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
SHA51278ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a