Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/09/2022, 09:26

General

  • Target

    Order_PO62525112155.js

  • Size

    348KB

  • MD5

    baa9ab709a99c55195c2fe2d337ea9e6

  • SHA1

    42959e7df94322d5aae1218db8dd24448ee8b3e6

  • SHA256

    b5fe0b324c6401f3b25e3dc121d159b663cfd2e58dfe161fddfdef7e107f4f80

  • SHA512

    b0195c452dc4112e037f6737f57f04df6a6dad553932b7241300115a11a732438d8de6158673ea06d7e8b7bb81394018f90119494eb6750c7a1e6a1c68eed390

  • SSDEEP

    6144:amMlxZnzblW5d1qLE/yNo3YuKsYN7NssdJm2JZ7k29RypsQo1o0t+f:amM3Jz3VeYuKPHs+Jzi29RWsQo8f

Malware Config

Extracted

Family

formbook

Campaign

douy

Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\Order_PO62525112155.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\spFEowQViP.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1908
      • C:\Users\Admin\AppData\Local\Temp\binx.exe
        "C:\Users\Admin\AppData\Local\Temp\binx.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1280
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:1648

Downloads

  • C:\Users\Admin\AppData\Local\Temp\binx.exe

    Filesize

    185KB

    MD5

    21718633ba6c7c6e83147a334dd6266c

    SHA1

    5459c562ed6c407ce38b860ce4e594e9c3744235

    SHA256

    43917a72ddc8088875ae0d248876d31f6dffd5ad4bb18a25ae5cadf2a7010bf6

    SHA512

    8c37c1eda02435ad02a411a57efc035cdd69cb43a0b5da6f21b470ac56e9ea2eba041587b8c41bd6539a0905603990d2939104dafc029af6fe35bbd6a22d836a

  • C:\Users\Admin\AppData\Roaming\spFEowQViP.js

    Filesize

    7KB

    MD5

    4326214270abe9617a275433b8c6e10b

    SHA1

    f7f175d352a1b08c702101ef47d46cf5f79e1bf3

    SHA256

    b06c913e4c3d3e5476ff270359cfd431ae6cedb6088e7ce6dd78eb01f5e2603f

    SHA512

    b576ada7cfb97f367f1e3480a9fb02b630584ac7f5826c6a21f75046961cb724e6733a53b96cd24843bc06edbb25fbc5585e1164f1cf34ec5533a1c8e0490ac8

  • \Users\Admin\AppData\Local\Temp\sqlite3.dll

    Filesize

    1.0MB

    MD5

    f1e5f58f9eb43ecec773acbdb410b888

    SHA1

    f1b8076b0bbde696694bbc0ab259a77893839464

    SHA256

    a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

    SHA512

    0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

  • memory/240-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

    Filesize

    8KB

  • memory/1280-60-0x0000000000A40000-0x0000000000A6F000-memory.dmp

    Filesize

    188KB

  • memory/1280-61-0x0000000000A70000-0x0000000000D73000-memory.dmp

    Filesize

    3.0MB

  • memory/1280-62-0x0000000000110000-0x0000000000120000-memory.dmp

    Filesize

    64KB

  • memory/1432-71-0x0000000007050000-0x0000000007155000-memory.dmp

    Filesize

    1.0MB

  • memory/1432-74-0x0000000007050000-0x0000000007155000-memory.dmp

    Filesize

    1.0MB

  • memory/1432-63-0x0000000006920000-0x0000000006AC6000-memory.dmp

    Filesize

    1.6MB

  • memory/1592-65-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

    Filesize

    8KB

  • memory/1592-68-0x00000000000E0000-0x000000000010D000-memory.dmp

    Filesize

    180KB

  • memory/1592-69-0x0000000002170000-0x0000000002473000-memory.dmp

    Filesize

    3.0MB

  • memory/1592-70-0x0000000000420000-0x00000000004AF000-memory.dmp

    Filesize

    572KB

  • memory/1592-67-0x0000000000540000-0x0000000000554000-memory.dmp

    Filesize

    80KB

  • memory/1592-72-0x00000000000E0000-0x000000000010D000-memory.dmp

    Filesize

    180KB