Analysis
max time kernel: 147s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-09-2022 07:33

Static task: static1
Behavioral task: behavioral1
Sample: Purchase order _SIP008.exe
Resource: win7-20220812-en
General
Target: Purchase order _SIP008.exe
Size: 1.2MB
MD5: 0f23b3dede5773a4da6e3f6869da28ad
SHA1: 16b4fc729dc5b66381e710717acd7a226f0c631f
SHA256: 3f4e8eda03283329f391e111c756f7b6ece4a9bc0d41672af8c1f09baf2b1cec
SHA512: 5acc67f5cf49dcd7b50c5ef14cffa2990edc146f41ec5507f6d79476fa21026f3a5082b0f8d412153b4951e7f3f1172858705e0d7c582da79cffe88b37402f52
SSDEEP: 24576:iAOcZXp03RQgAgCkLOMhc2e+Q+3mG2k1ny76RPGQFV0aBTjWFqwA5:ojRAgCk3clDmtGQFV9jWG

Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mh76
Domains:
healthgovcalottery.net
wenxinliao.com
rooterphd.com
bbobbo.one
american-mes-de-dezembro.xyz
mintager.com
thespecialtstore.com
wemakegreenhomes.com
occurandmental.xyz
fidelityrealtytitle.com
numerisat.asia
wearestallions.com
supxl.com
rajacumi.com
renaziv.online
blixtindustries.com
fjljq.com
exploretrivenicamping.com
authenticusspa.com
uucloud.press
conclaveraleighapts.com
moqaq.com
graphicressie.com
homebest.online
yisaco.com
thedrybonesareawakening.com
browardhomeappraisal.com
xn--agroisleos-09a.com
clinchrecovery.com
rekoladev.com
mlbl1.xyz
tunecaring.com
avconstant.com
chelseavictorioustravels.com
esrfy.xyz
frijolitoswey.com
zsfsidltd.com
natashasadler.com
kice1.xyz
drivemytrains.xyz
shopalthosa.xyz
merendri.com
yetkiliveznem7.xyz
milestonesconstruction.com
apparodeoexpos.com
momotou.xyz
chatkhoneh.com
cacconsults.com
kigif-indonesia.com
segurambiental.com
verynicegirls.com
curearrow.com
fdupcoffee.com
theclevergolfers.com
moushimonster.com
qdchuangyedaikuan.com
hopefortodayrecovery.com
wk6agoboyxg6.xyz
giybetfm.com
completedn.xyz
eluawastudio.com
legacysportsusatexas.com
comgmaik.com
intelsearchtech.com
northpierangling.info
Signatures

Formbook payload (5 IoCs)
  resource                                                              yara_rule
  behavioral2/memory/4996-138-0x0000000000000000-mapping.dmp            formbook
  behavioral2/memory/4996-139-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/4996-145-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/1744-147-0x0000000000B50000-0x0000000000B7F000-memory.dmp   formbook
  behavioral2/memory/1744-150-0x0000000000B50000-0x0000000000B7F000-memory.dmp   formbook

Executes dropped EXE (1 IoCs)
  pid    process
  2220   gdvvbotbw.pif

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                               process
  Key value queried   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation   Purchase order _SIP008.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid    process         target process
  PID 2220 set thread context of 4996   2220   gdvvbotbw.pif   RegSvcs.exe
  PID 4996 set thread context of 2592   4996   RegSvcs.exe     Explorer.EXE
  PID 1744 set thread context of 2592   1744   WWAHost.exe     Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (58 IoCs)
  pid    process
  4996   RegSvcs.exe   (4 entries)
  1744   WWAHost.exe   (54 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    process
  2592   Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid    process
  4996   RegSvcs.exe   (3 entries)
  1744   WWAHost.exe   (2 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                        pid    process
  Token: SeDebugPrivilege            4996   RegSvcs.exe
  Token: SeShutdownPrivilege         2592   Explorer.EXE
  Token: SeCreatePagefilePrivilege   2592   Explorer.EXE
  Token: SeShutdownPrivilege         2592   Explorer.EXE
  Token: SeCreatePagefilePrivilege   2592   Explorer.EXE
  Token: SeDebugPrivilege            1744   WWAHost.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid    process                      target process
  PID 4156 wrote to memory of 2220   4156   Purchase order _SIP008.exe   gdvvbotbw.pif   (3 entries)
  PID 2220 wrote to memory of 5016   2220   gdvvbotbw.pif                RegSvcs.exe     (3 entries)
  PID 2220 wrote to memory of 4996   2220   gdvvbotbw.pif                RegSvcs.exe     (6 entries)
  PID 2592 wrote to memory of 1744   2592   Explorer.EXE                 WWAHost.exe     (3 entries)
  PID 1744 wrote to memory of 4628   1744   WWAHost.exe                  cmd.exe         (3 entries)
Processes
C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Purchase order _SIP008.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Purchase order _SIP008.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\4_21\gdvvbotbw.pif (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\4_21\gdvvbotbw.pif" dvcmoef.fhw
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 4)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 4)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WWAHost.exe (depth 2)
    command line: "C:\Windows\SysWOW64\WWAHost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\4_21\amptgiuxg.gru
  Filesize: 371KB
  MD5: c3aa83222a39f8f2f3bc9306ceb6ba48
  SHA1: e9019020fa3ae90698dd8a88bfdd2224ea8cfda3
  SHA256: 219ea47b9fc665fadc098f6595658e707d81f8427ad8395cac17ed621f145019
  SHA512: 708601e8e008f9cb7383f278d966425e6b79fda4dea811f571dacf47d1685749e955364ac949b7899f3698846241ba70ba030012e8fdea9e27f4396ce63729d8

C:\Users\Admin\AppData\Local\Temp\4_21\dvcmoef.fhw
  Filesize: 157.2MB
  MD5: d4d78cc44d83c3d81018866509c2680c
  SHA1: 47775529b23fb649d27effdc5fd18ab6dc15935d
  SHA256: ed19e3522a22fe69fdb120e05d0ee9bc150287bea87d9d9bd6b9350f19adc637
  SHA512: dd900b7623bd02ebd790a85275328e67d466b9de9a9b2c28ceee7137928b4b102884320bd991e5ee33a28925545e48c054a4531c1aaddee6b1fe1ce3079136c9

C:\Users\Admin\AppData\Local\Temp\4_21\gdvvbotbw.pif
  Filesize: 906KB
  MD5: f28aa08788132e64db4b8918ee2430b1
  SHA1: ef32b1023a89dc36d7c5e98e22845fe87c5efef2
  SHA256: f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2
  SHA512: 689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

C:\Users\Admin\AppData\Local\Temp\4_21\kufdgekl.ini
  Filesize: 41KB
  MD5: b9b577b15b95a66c42e474acc0a32876
  SHA1: be1932c591413d65fb01a656b398c3c004c1cbfd
  SHA256: ccdc69fef237ecb4a3f21261d5310cd6bc19005cc4f0a071407bd5d3ccb4e9d6
  SHA512: 19d3e4d20c5dd59dfa7424e62de53ee909b6f990c5338b2ae9eca912154c87e011a4d005a10c8d5130f8d9711ff4f3267db8732c10b4151010d4412d83b292ad

memory/1744-146-0x00000000006A0000-0x000000000077C000-memory.dmp
  Filesize: 880KB

memory/1744-151-0x0000000001920000-0x00000000019B4000-memory.dmp
  Filesize: 592KB

memory/1744-150-0x0000000000B50000-0x0000000000B7F000-memory.dmp
  Filesize: 188KB

memory/1744-149-0x0000000001BE0000-0x0000000001F2A000-memory.dmp
  Filesize: 3.3MB

memory/1744-147-0x0000000000B50000-0x0000000000B7F000-memory.dmp
  Filesize: 188KB

memory/1744-144-0x0000000000000000-mapping.dmp

memory/2220-132-0x0000000000000000-mapping.dmp

memory/2592-143-0x00000000027C0000-0x00000000028C2000-memory.dmp
  Filesize: 1.0MB

memory/2592-152-0x0000000007950000-0x0000000007A1A000-memory.dmp
  Filesize: 808KB

memory/2592-153-0x0000000007950000-0x0000000007A1A000-memory.dmp
  Filesize: 808KB

memory/4628-148-0x0000000000000000-mapping.dmp

memory/4996-145-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/4996-142-0x0000000000C80000-0x0000000000C95000-memory.dmp
  Filesize: 84KB

memory/4996-140-0x0000000001120000-0x000000000146A000-memory.dmp
  Filesize: 3.3MB

memory/4996-139-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/4996-138-0x0000000000000000-mapping.dmp