Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 08-05-2024 07:34
Static task: static1
Behavioral task: behavioral1
Sample: order-payment094093.exe
Resource: win7-20240221-en
General
Target: order-payment094093.exe
Size: 760KB
MD5: 91592318966139c15e0171f341882fc8
SHA1: a6689f85a42ce934c3e96a9088f67c48e2e1fe83
SHA256: 2ece30c08f63f4fdc4d7326b39aa0066938163811e35d1aef6ddd2e0fada475f
SHA512: abfd94393776b2fc7aa418f66487813a78c18b4704a3e9fd15d0ae99f9b8a28ee7dbe28edaff425a7f5a85005b324262e88a638caa098abc2f4e7fc4e8e44d99
SSDEEP: 12288:s8ImEuiETpbmqOwYG0JHK9Do7Uw82OpdYL445DR8jIQpOQgMUA23RzD1Kl4Ev5kR:s8I+b9CG0JHKG718izDa+x
Malware Config
Extracted
formbook
4.1
hd05
businessjp6-51399.info
countyyoungpest.com
taxilasamericas.com
stairs.parts
nrgsolutions.us
cbdgirl.guru
dropshunter.net
adorabubble.co.za
alcohomeexteriors.com
aquariusbusiness.info
zaginione.com
pintoresmajadahonda.com
fursace.club
musiletras.co
carpoboutiquehotel.com
redacted.investments
symplywell.me
lezxop.xyz
stmbbill.com
1509068.cc
savdesign.online
gaiacoreresearch.com
pivoluvva-usa.com
kathrynmirabella.com
ziplnk.xyz
furanoikedanouen.com
regenesisvista.world
lorenzodavissr.com
friendlyemporium.com
7727.info
moledistillery.com
geturpdtaemza.com
sparkfirestarter.net
q3hjns.shop
thingsidonaked.com
attack.info
salihkaradag.com
vn6b6q.com
thierrydoublein.com
buddhasiddhartha.com
uniqueofferss.com
trexendofparadise.club
evans-gdaddy-test-domain.online
kgroundx.com
2us7o.us
damtherncooling.com
kakashi-hatake.shop
blogonrunning.com
lovepox.com
ramediatech.online
satwaspin.net
greenink.store
tuskerlogix.com
codyscalls.com
system.ngo
connect-talent.com
addck.top
teramilab.com
yuyuklmn123888yy.xyz
9orwr6.vip
nubeqa77.life
lmpalmour.com
sandeshkrantinews.in
find-buildings.com
vagabondtracks.com
Signatures
-
Formbook payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/5076-45-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/1572-92-0x0000000000890000-0x00000000008BF000-memory.dmp | formbook
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
1728 | powershell.exe
4436 | powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | order-payment094093.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid process | target process
PID 404 set thread context of 5076 | 404 order-payment094093.exe | 5076 order-payment094093.exe
PID 5076 set thread context of 3528 | 5076 order-payment094093.exe | 3528 Explorer.EXE
PID 1572 set thread context of 3528 | 1572 cmstp.exe | 3528 Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (repeated entries collapsed, hit count in parentheses):
pid | process | hits
4436 | powershell.exe | 3
1728 | powershell.exe | 3
5076 | order-payment094093.exe | 6
1572 | cmstp.exe | 52 (the remainder of the 64 hits)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (repeated entries collapsed, hit count in parentheses):
pid | process | hits
5076 | order-payment094093.exe | 3
1572 | cmstp.exe | 2
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4436 | powershell.exe
Token: SeDebugPrivilege | 1728 | powershell.exe
Token: SeDebugPrivilege | 5076 | order-payment094093.exe
Token: SeDebugPrivilege | 1572 | cmstp.exe
Token: SeShutdownPrivilege | 3528 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3528 | Explorer.EXE
Token: SeShutdownPrivilege | 3528 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3528 | Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3528 | Explorer.EXE
Suspicious use of WriteProcessMemory 21 IoCs
Processes (repeated entries collapsed, hit count in parentheses):
description | pid process | target process | hits
PID 404 wrote to memory of 1728 | 404 order-payment094093.exe | powershell.exe | 3
PID 404 wrote to memory of 4436 | 404 order-payment094093.exe | powershell.exe | 3
PID 404 wrote to memory of 2468 | 404 order-payment094093.exe | schtasks.exe | 3
PID 404 wrote to memory of 5076 | 404 order-payment094093.exe | order-payment094093.exe | 6
PID 3528 wrote to memory of 1572 | 3528 Explorer.EXE | cmstp.exe | 3
PID 1572 wrote to memory of 2072 | 1572 cmstp.exe | cmd.exe | 3
Processes (indented by process-tree level)
C:\Windows\Explorer.EXE (PID 3528, level 1)
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe (PID 404, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe"
    signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1728, level 3)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe"
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4436, level 3)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NFOLsr.exe"
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe (PID 2468, level 3)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp76D6.tmp"
      signatures: Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe (PID 5076, level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe"
      signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmstp.exe (PID 1572, level 2)
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2072, level 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\order-payment094093.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize: 18KB
MD5: 430a2daf0fb2fd3ec1e2aa80a609b030
SHA1: 990e26ce6a6c91c97db186f6a54639165dda4ef8
SHA256: 29fb32ef3c21e3ffce379977d3babf1f9f5e527bb6895a37df03d9532f9f29ef
SHA512: 1838d94a3bb92f9b1701e082b0f63d56ddf2665928b1a88f3af97a313d8985bb6a96ab8a264c722c74d91c5262fcc21324382e7ea44a29bad431fc4cf04784e8
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 1KB
MD5: 2861e46fbb7912ed83d107a58467b8a4
SHA1: 67d8b0e6e53b7544c06207e1fdd360c479f4559a
SHA256: 7be83be54198eef6da4832fabd22964417d416d58218656857f66d6f2160c7a8
SHA512: 292137cb5f22fab499814055798f139c9d0644af325d94029f818ce599f4bcd769046a24e5bf76a55a740cf60f2b379c4ccd1a93a78e06073bc5b0e7cf119bfa