Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2023, 12:32
Static task: static1
Behavioral task: behavioral1
Sample: Orden de compra #8730.exe
Resource: win7-20230831-en
General
Target: Orden de compra #8730.exe
Size: 585KB
MD5: f4160af2dc8460d93fd6e214342ffb5c
SHA1: aa38b128bc1effa340cc84895fd5e045d110f1c8
SHA256: 4925cdeb3b005a19922432760e7fbc8ae29fe02668559b1fc22d57f571424d5a
SHA512: 10d67a9434528aaf22704a05ff03c39b99e88ebf09d02f0b6b5b366f6084efdca00848ffb3dc7e0fcebeb588b394ef58da45033125a3b2cf1336fd2e13ab11e2
SSDEEP: 12288:wvochCdHXBet48VRebVrnu5pVjumj9BYWun:wvochqXaxRebVru5Pj9
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: g11y
Domains:
bayivip.top
lunarrhythmsliving.com
elizabethanbello.art
plushkitchen.com
timedb.net
exploringaging.com
dreamoney.online
luvisusllc.com
strikemedialabs.com
belvederesportsclub.com
turteen.com
theofficialtrumpcards.com
x-y-z.online
otuvu.com
outhandsbpm.com
scabiosa.top
99job.store
afcxz80whz.com
mysrz3l47.top
sarekaonsaddle.com
tnzdistribution.com
paradymgym.com
ryhqd2ai.store
fre.bar
amiran.site
adventurehartford.com
elysiummania.com
aedpzjqe.click
cdgstreets.com
ipstbjj.com
gaoxiba108.com
sheildlawgroup.com
usetempest.com
coopine43.com
cloudstar.site
txa2qqt43.top
uniprocto-new.com
mccsa.cyou
flextroncis.com
polskiradio.com
faircipher.dev
reports-revolutionofbeing.com
lnmppowf.click
uyjhh.homes
buyxituo.com
joangreenedesign.com
stiffclick.com
home-box.xyz
missioncommunitychurchal.com
ewi854.com
audiimax.com
cyberplume.net
brezip.online
coronassteel.com
fxreb.store
babyshowerco.com
ovelglove.site
shoplocallytoday.com
consumer-res.com
empowerhergirlies.life
qcjunk.com
urupum.site
latidofeliz.site
63884.vip
cinelinz.com
Signatures
Formbook payload (4 IoCs)
resource | yara_rule
behavioral1/memory/2536-21-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2536-25-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/552-30-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
behavioral1/memory/552-32-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2548 set thread context of 2536 | 2548 | Orden de compra #8730.exe | 34
PID 2536 set thread context of 1348 | 2536 | RegSvcs.exe | 8
PID 552 set thread context of 1348 | 552 | wlanext.exe | 8

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2492 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid | Process
2548 | Orden de compra #8730.exe (11 events)
2536 | RegSvcs.exe (2 events)
552 | wlanext.exe (3 events)
2880 | powershell.exe (1 event)
552 | wlanext.exe (8 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1348 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
2536 | RegSvcs.exe (3 events)
552 | wlanext.exe (2 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2548 | Orden de compra #8730.exe
Token: SeDebugPrivilege | 2536 | RegSvcs.exe
Token: SeDebugPrivilege | 552 | wlanext.exe
Token: SeDebugPrivilege | 2880 | powershell.exe

Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 2548 wrote to memory of 2880 (4 events) | 2548 | Orden de compra #8730.exe | 30
PID 2548 wrote to memory of 2492 (4 events) | 2548 | Orden de compra #8730.exe | 32
PID 2548 wrote to memory of 2536 (10 events) | 2548 | Orden de compra #8730.exe | 34
PID 1348 wrote to memory of 552 (4 events) | 1348 | Explorer.EXE | 36
PID 552 wrote to memory of 1152 (4 events) | 552 | wlanext.exe | 37
Processes
C:\Windows\Explorer.EXE (PID 1348)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Orden de compra #8730.exe (PID 2548)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Orden de compra #8730.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2880)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\stoRXAe.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe (PID 2492)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\stoRXAe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp"
      - Creates scheduled task(s)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2536)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autoconv.exe (PID 1636)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\wlanext.exe (PID 552)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1152)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 55d1b5a33317362d725e21a2fe685c4b
SHA1: d16dc3ffd0bbeec96c9bbcf928abc99fd566e7c1
SHA256: ac18c49e428fe0be73a3d1a2b221f1a94373a81bc3a3f8292951a87090b37a20
SHA512: 5db128173610d918ae45b48d4f573a03f9cef65b612bb5d4a2ceae2979865c369511da3be2d228624703b743fca3ab228974deb2c41ab02b558c7f565aa57f8a