Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2024 07:34
Static task: static1
Behavioral task: behavioral1
Sample: order-payment094093.exe
Resource: win7-20240221-en
General
Target: order-payment094093.exe
Size: 760KB
MD5: 91592318966139c15e0171f341882fc8
SHA1: a6689f85a42ce934c3e96a9088f67c48e2e1fe83
SHA256: 2ece30c08f63f4fdc4d7326b39aa0066938163811e35d1aef6ddd2e0fada475f
SHA512: abfd94393776b2fc7aa418f66487813a78c18b4704a3e9fd15d0ae99f9b8a28ee7dbe28edaff425a7f5a85005b324262e88a638caa098abc2f4e7fc4e8e44d99
SSDEEP: 12288:s8ImEuiETpbmqOwYG0JHK9Do7Uw82OpdYL445DR8jIQpOQgMUA23RzD1Kl4Ev5kR:s8I+b9CG0JHKG718izDa+x
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: hd05
Signatures

Formbook payload (2 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2732-24-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2240-28-0x00000000000C0000-0x00000000000EF000-memory.dmp  formbook

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2608  powershell.exe
  2864  powershell.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  2684  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          pid   process                  target process
  PID 2784 set thread context of 2732  2784  order-payment094093.exe  order-payment094093.exe
  PID 2732 set thread context of 1208  2732  order-payment094093.exe  Explorer.EXE
  PID 2240 set thread context of 1208  2240  help.exe                 Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
  pid   process                  hits
  2732  order-payment094093.exe  2
  2864  powershell.exe           1
  2608  powershell.exe           1
  2240  help.exe                 26

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process                  hits
  2732  order-payment094093.exe  3
  2240  help.exe                 2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2732  order-payment094093.exe
  Token: SeDebugPrivilege   2864  powershell.exe
  Token: SeDebugPrivilege   2608  powershell.exe
  Token: SeDebugPrivilege   2240  help.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
  description                        pid   process                  target process           hits
  PID 2784 wrote to memory of 2608   2784  order-payment094093.exe  powershell.exe           4
  PID 2784 wrote to memory of 2864   2784  order-payment094093.exe  powershell.exe           4
  PID 2784 wrote to memory of 2764   2784  order-payment094093.exe  schtasks.exe             4
  PID 2784 wrote to memory of 2732   2784  order-payment094093.exe  order-payment094093.exe  7
  PID 1208 wrote to memory of 2240   1208  Explorer.EXE             help.exe                 4
  PID 2240 wrote to memory of 2684   2240  help.exe                 cmd.exe                  4
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1208
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe"
    PID: 2784
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe"
      PID: 2608
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NFOLsr.exe"
      PID: 2864
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp68A2.tmp"
      PID: 2764
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe"
      PID: 2732
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\help.exe
    command line: "C:\Windows\SysWOW64\help.exe"
    PID: 2240
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe"
      PID: 2684
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 0fee7cafde00b770405ec9d8728366b1
SHA1: f7f55eaf0ccda0b1c5aec5e03882e9424ef875bc
SHA256: 90d89779ed5c7b12543e4f6cb463b3a905edb2ffddbe81ccd3ef5132b05dc545
SHA512: af866440b6d3bf9bfc60a698da33a8258cbb4e594c1eaa44e61a7bf2fce29f36706829123930800fe4869d9e0c907358209775f3e9c1f75bdfeba058fd926beb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VQVNES7IDUPHBXCJ9TNV.temp
Filesize: 7KB
MD5: 131d179c7edd2d98e2a15a1aeb5accb4
SHA1: 6e7279cd45dd1677914bb85a2abe7b6bafc4a6d8
SHA256: 22cf562f52542c72b3bbae5aa7d1253bc4660a1a7e6940c1833fd32b44957482
SHA512: bc55e403cb6d3f2dc70c8bdd367d3255389e523a30fadad025f863513b8b8ec76b495e72f64820630d3ef04dc5eee425d961ef04c61fbb971d021e48f6df30ba