Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
11-08-2023 14:30
General
-
Target
Order ConfirmationLjunghall sro OC 280 CZ 11082023.exe
-
Size
674KB
-
MD5
85f088bc01813c544d2cfb3a6278355e
-
SHA1
f6fb8eb77dfe67f8734035a8ff9583e31f20da8a
-
SHA256
ca144cbf6bb204ff360d5b6c983b962430952fbb1c90b8e58f93993787719c7b
-
SHA512
764949accc3c27e7c064e90dfed098f04f99a0f28fa4b4f83f1de2e0ef32d9201bb52a31584a758d96bf92ad7ca75991ca2d582b94cf42d3efa27efb0498e9ef
-
SSDEEP
12288:tG5aaLm1mR6ud9Z9RWva8gZ7oHjgQSmeTyHKmuy51k9lqTjE:Is7Urdb9kM9o0QOOHwy5jTjE
Malware Config
Extracted
formbook
4.1
jr22
941zhe.com
lunarportal.space
xn--osmaniyeiek-t9ab.online
trejoscar.com
nrnursery.com
quizcannot.cfd
seedstockersthailand.com
watsonwindow.com
wjfholdings.com
weziclondon.com
naruot.xyz
yeji.plus
classicmenstore.com
oharatravel.com
therapyplankits.com
keviegreshonpt.com
qdlyner.com
seithupaarungal.com
casinorates.online
8ug4as.icu
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 5 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\Order ConfirmationLjunghall sro OC 280 CZ 11082023.exe"C:\Users\Admin\AppData\Local\Temp\Order ConfirmationLjunghall sro OC 280 CZ 11082023.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order ConfirmationLjunghall sro OC 280 CZ 11082023.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pkxPrdOuwVNeD.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pkxPrdOuwVNeD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2424.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Order ConfirmationLjunghall sro OC 280 CZ 11082023.exe"C:\Users\Admin\AppData\Local\Temp\Order ConfirmationLjunghall sro OC 280 CZ 11082023.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Order ConfirmationLjunghall sro OC 280 CZ 11082023.exe"5⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp2424.tmpFilesize
1KB
MD58600262e543bf4921e790c8eedec4c32
SHA18a2df0b2f1452e8a4cf00875af77b8a96ec96b2c
SHA256e16d7d10c4c8ae4a0effa63254a3a876411efec25b7dcbf3312682778c506455
SHA512d18366c48a7f5cb700e901d5c33a1e74b36c10f82bc742d50383fdaf3892794df9ca46d0a393d0ba6470ab3d5cbb070d99a8f8321482ba4d8c5aa8aecd82d09f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1UQ5DVD1NQ053QRN1EA8.tempFilesize
7KB
MD51e0122ad5bf062da3e41c187f961cee3
SHA1a1b63cf13d374ae0062af44547fa82e98b804236
SHA2563a7f2e6b0f450ebc3dedaab91169c00162c77a4d1e10f1613e6f59f3389e0a3f
SHA51245f31ef2e6acd001812419bdba254bf8402c14405da36fb90ad50d6241d19f4d1c38443e5daf927b384d486601cda1ea6be813462d6b6c53a6c18503f7246fe1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD51e0122ad5bf062da3e41c187f961cee3
SHA1a1b63cf13d374ae0062af44547fa82e98b804236
SHA2563a7f2e6b0f450ebc3dedaab91169c00162c77a4d1e10f1613e6f59f3389e0a3f
SHA51245f31ef2e6acd001812419bdba254bf8402c14405da36fb90ad50d6241d19f4d1c38443e5daf927b384d486601cda1ea6be813462d6b6c53a6c18503f7246fe1
-
memory/1240-110-0x00000000067F0000-0x00000000068B4000-memory.dmpFilesize
784KB
-
memory/1240-90-0x0000000007670000-0x000000000781B000-memory.dmpFilesize
1.7MB
-
memory/1240-99-0x0000000003ED0000-0x0000000003F82000-memory.dmpFilesize
712KB
-
memory/1240-104-0x0000000003ED0000-0x0000000003F82000-memory.dmpFilesize
712KB
-
memory/1240-81-0x0000000000010000-0x0000000000020000-memory.dmpFilesize
64KB
-
memory/1240-107-0x00000000067F0000-0x00000000068B4000-memory.dmpFilesize
784KB
-
memory/1240-109-0x00000000067F0000-0x00000000068B4000-memory.dmpFilesize
784KB
-
memory/1676-61-0x00000000051C0000-0x000000000522E000-memory.dmpFilesize
440KB
-
memory/1676-55-0x0000000074310000-0x00000000749FE000-memory.dmpFilesize
6.9MB
-
memory/1676-54-0x0000000000DE0000-0x0000000000E8E000-memory.dmpFilesize
696KB
-
memory/1676-56-0x0000000004EC0000-0x0000000004F00000-memory.dmpFilesize
256KB
-
memory/1676-57-0x0000000000830000-0x000000000084C000-memory.dmpFilesize
112KB
-
memory/1676-79-0x0000000074310000-0x00000000749FE000-memory.dmpFilesize
6.9MB
-
memory/1676-58-0x0000000074310000-0x00000000749FE000-memory.dmpFilesize
6.9MB
-
memory/1676-60-0x0000000000860000-0x000000000086E000-memory.dmpFilesize
56KB
-
memory/1676-59-0x0000000004EC0000-0x0000000004F00000-memory.dmpFilesize
256KB
-
memory/2276-74-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2276-97-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2276-86-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2276-87-0x0000000000200000-0x0000000000214000-memory.dmpFilesize
80KB
-
memory/2276-75-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2276-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2276-78-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2276-98-0x00000000005A0000-0x00000000005B4000-memory.dmpFilesize
80KB
-
memory/2276-92-0x0000000000870000-0x0000000000B73000-memory.dmpFilesize
3.0MB
-
memory/2288-82-0x000000006F590000-0x000000006FB3B000-memory.dmpFilesize
5.7MB
-
memory/2288-89-0x0000000002560000-0x00000000025A0000-memory.dmpFilesize
256KB
-
memory/2288-93-0x000000006F590000-0x000000006FB3B000-memory.dmpFilesize
5.7MB
-
memory/2288-94-0x000000006F590000-0x000000006FB3B000-memory.dmpFilesize
5.7MB
-
memory/2288-84-0x0000000002560000-0x00000000025A0000-memory.dmpFilesize
256KB
-
memory/2776-105-0x00000000000C0000-0x00000000000EF000-memory.dmpFilesize
188KB
-
memory/2776-100-0x0000000000420000-0x0000000000427000-memory.dmpFilesize
28KB
-
memory/2776-101-0x0000000000420000-0x0000000000427000-memory.dmpFilesize
28KB
-
memory/2776-102-0x00000000000C0000-0x00000000000EF000-memory.dmpFilesize
188KB
-
memory/2776-103-0x0000000001F50000-0x0000000002253000-memory.dmpFilesize
3.0MB
-
memory/2776-106-0x0000000002260000-0x00000000022F3000-memory.dmpFilesize
588KB
-
memory/3032-91-0x00000000023F0000-0x0000000002430000-memory.dmpFilesize
256KB
-
memory/3032-85-0x00000000023F0000-0x0000000002430000-memory.dmpFilesize
256KB
-
memory/3032-83-0x000000006F590000-0x000000006FB3B000-memory.dmpFilesize
5.7MB
-
memory/3032-95-0x000000006F590000-0x000000006FB3B000-memory.dmpFilesize
5.7MB
-
memory/3032-88-0x00000000023F0000-0x0000000002430000-memory.dmpFilesize
256KB