Analysis
- max time kernel: 160s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 12:32

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: Orden de compra #8730.exe
- Resource: win7-20230831-en
General
- Target: Orden de compra #8730.exe
- Size: 585KB
- MD5: f4160af2dc8460d93fd6e214342ffb5c
- SHA1: aa38b128bc1effa340cc84895fd5e045d110f1c8
- SHA256: 4925cdeb3b005a19922432760e7fbc8ae29fe02668559b1fc22d57f571424d5a
- SHA512: 10d67a9434528aaf22704a05ff03c39b99e88ebf09d02f0b6b5b366f6084efdca00848ffb3dc7e0fcebeb588b394ef58da45033125a3b2cf1336fd2e13ab11e2
- SSDEEP: 12288:wvochCdHXBet48VRebVrnu5pVjumj9BYWun:wvochqXaxRebVru5Pj9
Malware Config
- Extracted: formbook 4.1 g11y
- Domains (one per line):
bayivip.top
lunarrhythmsliving.com
elizabethanbello.art
plushkitchen.com
timedb.net
exploringaging.com
dreamoney.online
luvisusllc.com
strikemedialabs.com
belvederesportsclub.com
turteen.com
theofficialtrumpcards.com
x-y-z.online
otuvu.com
outhandsbpm.com
scabiosa.top
99job.store
afcxz80whz.com
mysrz3l47.top
sarekaonsaddle.com
tnzdistribution.com
paradymgym.com
ryhqd2ai.store
fre.bar
amiran.site
adventurehartford.com
elysiummania.com
aedpzjqe.click
cdgstreets.com
ipstbjj.com
gaoxiba108.com
sheildlawgroup.com
usetempest.com
coopine43.com
cloudstar.site
txa2qqt43.top
uniprocto-new.com
mccsa.cyou
flextroncis.com
polskiradio.com
faircipher.dev
reports-revolutionofbeing.com
lnmppowf.click
uyjhh.homes
buyxituo.com
joangreenedesign.com
stiffclick.com
home-box.xyz
missioncommunitychurchal.com
ewi854.com
audiimax.com
cyberplume.net
brezip.online
coronassteel.com
fxreb.store
babyshowerco.com
ovelglove.site
shoplocallytoday.com
consumer-res.com
empowerhergirlies.life
qcjunk.com
urupum.site
latidofeliz.site
63884.vip
cinelinz.com
Signatures
- Formbook payload (4 IoCs)
  resource: yara_rule
  - behavioral2/memory/5036-21-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral2/memory/5036-26-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral2/memory/3580-35-0x0000000000ED0000-0x0000000000EFF000-memory.dmp: formbook
  - behavioral2/memory/3580-50-0x0000000000ED0000-0x0000000000EFF000-memory.dmp: formbook
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation (process: Orden de compra #8730.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 3340 set thread context of 5036 (pid 3340, Orden de compra #8730.exe, procid_target 101)
  - PID 5036 set thread context of 536 (pid 5036, RegSvcs.exe, procid_target 73)
  - PID 3580 set thread context of 536 (pid 3580, svchost.exe, procid_target 73)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid 2020: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs, in order of occurrence)
  - pid 3340: Orden de compra #8730.exe (x4)
  - pid 5036: RegSvcs.exe (x4)
  - pid 4740: powershell.exe (x1)
  - pid 3580: svchost.exe (x4)
  - pid 4740: powershell.exe (x1)
  - pid 3580: svchost.exe (x18)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - pid 536: Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  - pid 5036: RegSvcs.exe (x3)
  - pid 3580: svchost.exe (x2)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  - Token: SeDebugPrivilege (pid 3340, Orden de compra #8730.exe)
  - Token: SeDebugPrivilege (pid 4740, powershell.exe)
  - Token: SeDebugPrivilege (pid 5036, RegSvcs.exe)
  - Token: SeDebugPrivilege (pid 3580, svchost.exe)
  - Token: SeShutdownPrivilege (pid 536, Explorer.EXE)
  - Token: SeCreatePagefilePrivilege (pid 536, Explorer.EXE)
  - Token: SeShutdownPrivilege (pid 536, Explorer.EXE)
  - Token: SeCreatePagefilePrivilege (pid 536, Explorer.EXE)
- Suspicious use of WriteProcessMemory (18 IoCs)
  - PID 3340 wrote to memory of 4740 (pid 3340, Orden de compra #8730.exe, procid_target 97) (x3)
  - PID 3340 wrote to memory of 2020 (pid 3340, Orden de compra #8730.exe, procid_target 99) (x3)
  - PID 3340 wrote to memory of 5036 (pid 3340, Orden de compra #8730.exe, procid_target 101) (x6)
  - PID 536 wrote to memory of 3580 (pid 536, Explorer.EXE, procid_target 102) (x3)
  - PID 3580 wrote to memory of 1348 (pid 3580, svchost.exe, procid_target 103) (x3)
Processes (tree; depth taken from the report's numbering)
- C:\Windows\Explorer.EXE (PID 536, depth 1)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Orden de compra #8730.exe (PID 3340, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Orden de compra #8730.exe"
    Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4740, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\stoRXAe.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (PID 2020, depth 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\stoRXAe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDC.tmp"
      Signatures: Creates scheduled task(s)
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 5036, depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\svchost.exe (PID 3580, depth 2)
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1348, depth 3)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Enterprise v15

Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: 51ed3a719a1cebff7d3fa1e714e03e8e
  SHA1: 8d8d2a9a8f23d83f11e9492baf0cfbaefbbf13e9
  SHA256: 91f1ef9014b4f411e3c812785fe4e96271cd7fe6f824f4414890c6647a4f3eb0
  SHA512: 07dd0c0b4983d8dcd57827a9621ff925129c59381dfd79e68655f8aa285f89a3e3c52e7584c902cd63a46dbd087d4a31c230709bbaae8a4cd6844c730800b589