Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/08/2022, 06:30
Static task: static1
Behavioral task: behavioral1
Sample: TRANSFERENCIA 112987.17.js
Resource: win7-20220812-en
General
Target: TRANSFERENCIA 112987.17.js
Size: 50KB
MD5: dee4b4c202f66b29874dc3513c6b6763
SHA1: 7ccb14c3747f40a03af2323a5ad4ced193ce898b
SHA256: f09aaecd8326e6cfe7eb413ff97f62a7537d38da9eb11e89ad5fa3fc3f256ad9
SHA512: 3c7537e59d1f658482c8ef39ae8652b7cfd898556583d2890c2687f929d7837a440828ee366ef5710bb07cfac6f08d73fc6db86d5189f279b1e8623dd84489de
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: la33
C2/decoy domains: 65 entries
Signatures

Formbook payload 3 IoCs
resource | yara_rule
behavioral2/files/0x0006000000022e47-137.dat | formbook
behavioral2/files/0x0006000000022e47-138.dat | formbook
behavioral2/memory/32-145-0x0000000000D70000-0x0000000000D9F000-memory.dmp | formbook

Blocklisted process makes network request 31 IoCs
Process | pid | flows
wscript.exe | 4988 | 7, 11, 18
wscript.exe | 4872 | 13, 15, 19, 23, 26, 38, 42, 44, 51, 53, 59, 61, 67, 70, 72
wscript.exe | 4404 | 14, 16, 20, 24, 40, 43, 50, 52, 58, 60, 66, 68, 71

Downloads MZ/PE file

Executes dropped EXE 1 IoCs
pid | Process
4156 | bin.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe

Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPaotlcvgR.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPaotlcvgR.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4156 set thread context of 740 | 4156 | bin.exe | 38
PID 32 set thread context of 740 | 32 | help.exe | 38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | help.exe

Modifies system certificate store 2 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = (certificate data omitted) | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B | wscript.exe
Suspicious behavior: EnumeratesProcesses 52 IoCs
pid | Process | entries
4156 | bin.exe | 4
32 | help.exe | 48

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
740 | Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
pid | Process | entries
4156 | bin.exe | 3
32 | help.exe | 4

Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process | entries
Token: SeDebugPrivilege | 4156 | bin.exe | 1
Token: SeDebugPrivilege | 32 | help.exe | 1
Token: SeShutdownPrivilege | 740 | Explorer.EXE | 3
Token: SeCreatePagefilePrivilege | 740 | Explorer.EXE | 3

Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target | entries
PID 4988 wrote to memory of 4872 | 4988 | wscript.exe | 84 | 2
PID 4872 wrote to memory of 4404 | 4872 | wscript.exe | 85 | 2
PID 4988 wrote to memory of 4156 | 4988 | wscript.exe | 86 | 3
PID 740 wrote to memory of 32 | 740 | Explorer.EXE | 96 | 3
PID 32 wrote to memory of 3552 | 32 | help.exe | 97 | 3
PID 32 wrote to memory of 2940 | 32 | help.exe | 100 | 3
Processes

Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 740
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\wscript.exe
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA 112987.17.js"
    PID: 4988
    - Blocklisted process makes network request
    - Checks computer location settings
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VPaotlcvgR.js"
      PID: 4872
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\System32\wscript.exe
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
        PID: 4404
        - Blocklisted process makes network request
        - Drops startup file

    Level 3: C:\Users\Admin\AppData\Local\Temp\bin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      PID: 4156
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\autoconv.exe (9 instances)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
    PIDs: 2992, 3824, 4884, 2484, 340, 3492, 1472, 4512, 2016

  Level 2: C:\Windows\SysWOW64\help.exe
    Command line: "C:\Windows\SysWOW64\help.exe"
    PID: 32
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      PID: 3552

    Level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 2940
Network
MITRE ATT&CK Enterprise v6
Downloads