Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2024 03:40
Static task
static1
Behavioral task
behavioral1
Sample
Order Inquiry No TM05-Q2-1024.scr
Resource
win7-20241010-en
General
Target: Order Inquiry No TM05-Q2-1024.scr
Size: 1.0MB
MD5: 2308945a05f8bd962152fbe15a6f6d03
SHA1: 6c00121ecdcd68f9aace9370a33fa18b4105abb5
SHA256: f9b51d26f30902c804cf7df4aea874a91fc6858d1e3a3bb38708d78bc8e1c12f
SHA512: 0610a394ee8e0e39b096fb4e2452ed4416ed800bcb6dba80eba481083680f358c88e8eb38228d8ae0edd8533f1fb6b7e53da2a02435068e25bc8fafaaf102436
SSDEEP: 24576:KfmMv6Ckr7Mny5Qs7C5C3iYyvKoBn/9b47mJqfKT:K3v+7/5Qs7BiH5l1q4qfm
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ee25
Decoy domains (as extracted from the config):
eefnoodle.top
arketlivanty.store
lleranum.report
uperpotencias4.site
ab1nsf97yl.top
imselfcare.store
tupidmoney.top
4e5jys.top
ellcat.xyz
plantboxs.store
heivyoxbridge.store
00800.vip
nline-advertising-97785.bond
ndersoncarvalho.xyz
anjaexpert.makeup
scoedit.care
onstruction-jobs-99671.bond
adine-la-lourde.fun
lluminatilord.online
kkr.top
oum7.fan
luminumprofilenuts.net
utpricepharmacyqs.shop
star.top
suhot.vip
abybed.online
martbodyfuel.shop
arsodas.shop
uroe.info
ragon-money118.online
oinonos.capital
ivedoor.delivery
opytrade.meme
yciokcx.xyz
uman-design-edu.store
etfury.icu
chiri.shop
khxoxce.top
ivavanityco.store
96yhj301.top
anorly-str.dev
b68trangchu.online
nowijigu.shop
om-trackle.top
irangaclub.work
34nqaxfm.autos
xkey.biz
odrya.info
w2z1.sbs
ransluce.net
ahir-digital.online
ewevent.fun
om-tracklj.top
ashesdior.club
onw.skin
flnd.sbs
ft.global
enisecreations.shop
v-anlage.shop
ykin.site
genpalingkuat.vip
aga.cam
4s.earth
chueco.online
loridabrain.support
Signatures
Formbook family
Formbook payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2392-3-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2392-6-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2636-12-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | Process | procid_target
PID 1740 set thread context of 2392 | 1740 | Order Inquiry No TM05-Q2-1024.scr | 31
PID 2392 set thread context of 1204 | 2392 | svchost.exe | 21
PID 2636 set thread context of 1204 | 2636 | chkdsk.exe | 21
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
pid | pid_target | Process | procid_target
2452 | 1740 | WerFault.exe | 29
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Order Inquiry No TM05-Q2-1024.scr
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chkdsk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
pid | Process | occurrences
2392 | svchost.exe | 2
2636 | chkdsk.exe | 23
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | Process | occurrences
1740 | Order Inquiry No TM05-Q2-1024.scr | 1
2392 | svchost.exe | 3
2636 | chkdsk.exe | 2
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 2392 | svchost.exe
Token: SeShutdownPrivilege | 1204 | Explorer.EXE
Token: SeDebugPrivilege | 2636 | chkdsk.exe
Token: SeShutdownPrivilege | 1204 | Explorer.EXE
Token: SeShutdownPrivilege | 1204 | Explorer.EXE
Suspicious use of FindShellTrayWindow 48 IoCs
Processes:
pid | Process | occurrences
1740 | Order Inquiry No TM05-Q2-1024.scr | 46
1204 | Explorer.EXE | 2
Suspicious use of SendNotifyMessage 46 IoCs
Processes:
pid | Process | occurrences
1740 | Order Inquiry No TM05-Q2-1024.scr | 46
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | Process | procid_target | occurrences
PID 1740 wrote to memory of 2392 | 1740 | Order Inquiry No TM05-Q2-1024.scr | 31 | 5
PID 1740 wrote to memory of 2452 | 1740 | Order Inquiry No TM05-Q2-1024.scr | 32 | 4
PID 1204 wrote to memory of 2636 | 1204 | Explorer.EXE | 33 | 4
PID 2636 wrote to memory of 2748 | 2636 | chkdsk.exe | 34 | 4
Processes
C:\Windows\Explorer.EXE  (PID 1204)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Order Inquiry No TM05-Q2-1024.scr  (PID 1740, child of 1204)
    command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry No TM05-Q2-1024.scr" /S
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe  (PID 2392, child of 1740)
      command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry No TM05-Q2-1024.scr" /S
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe  (PID 2452, child of 1740)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 396
      - Program crash
  C:\Windows\SysWOW64\chkdsk.exe  (PID 2636, child of 1204)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2748, child of 2636)
      command line: /c del "C:\Windows\SysWOW64\svchost.exe"
      - System Location Discovery: System Language Discovery
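The SetThreadContext and WriteProcessMemory tables together with the process tree describe the usual Formbook injection chain: the .scr hollows a child svchost.exe (written to, thread context replaced, image path svchost.exe but command line still the .scr), the hollowed svchost.exe re-points a thread in the already running Explorer.EXE, Explorer spawns chkdsk.exe with no arguments, and chkdsk.exe runs cmd.exe /c del. The following added example (not part of this report and not any sandbox's tooling) transcribes those events into records and runs three detection rules over them, so the same logic can be applied to other process-event logs. The PROCESSES, PARENT and EVENTS tables are constructed by hand from the tables above; the record layout and rule names are assumptions.

```python
"""Rebuild a process-hollowing / thread-hijack chain from sandbox events.

Added example, not the sandbox's own code. PROCESSES, PARENT and EVENTS are
transcribed from the report above; their layout is an assumption.
"""
import ntpath

EXE_EXTS = (".exe", ".scr", ".com", ".pif", ".dll")

# Constructed from the process tree: pid -> (image path, command line)
PROCESSES = {
    1204: (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    1740: (r"C:\Users\Admin\AppData\Local\Temp\Order Inquiry No TM05-Q2-1024.scr",
           r'"C:\Users\Admin\AppData\Local\Temp\Order Inquiry No TM05-Q2-1024.scr" /S'),
    2392: (r"C:\Windows\SysWOW64\svchost.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\Order Inquiry No TM05-Q2-1024.scr" /S'),
    2452: (r"C:\Windows\SysWOW64\WerFault.exe",
           r"C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 396"),
    2636: (r"C:\Windows\SysWOW64\chkdsk.exe", r'"C:\Windows\SysWOW64\chkdsk.exe"'),
    2748: (r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\SysWOW64\svchost.exe"'),
}
# Constructed from the process tree: child pid -> parent pid
PARENT = {1740: 1204, 2392: 1740, 2452: 1740, 2636: 1204, 2748: 2636}
# Constructed from the signature tables: (api, source pid, target pid), one per occurrence
EVENTS = (
    [("WriteProcessMemory", 1740, 2392)] * 5
    + [("WriteProcessMemory", 1740, 2452)] * 4
    + [("WriteProcessMemory", 1204, 2636)] * 4
    + [("WriteProcessMemory", 2636, 2748)] * 4
    + [("SetThreadContext", 1740, 2392),
       ("SetThreadContext", 2392, 1204),
       ("SetThreadContext", 2636, 1204)]
)


def name(pid):
    return ntpath.basename(PROCESSES[pid][0])


def cmdline_exe(cmdline):
    """Executable named by argv[0], or None when only arguments were
    recorded (e.g. cmd.exe's `/c del ...`)."""
    s = cmdline.strip()
    head = s[1:s.find('"', 1)] if s.startswith('"') else s.split(" ", 1)[0]
    base = ntpath.basename(head)
    return base if base.lower().endswith(EXE_EXTS) else None


def image_mismatch(pid):
    """True when argv[0] names a different binary than the mapped image:
    a process started from a system binary but carrying the dropper's
    command line is the classic hollowing artefact."""
    image, cmdline = PROCESSES[pid]
    named = cmdline_exe(cmdline)
    return named is not None and named.lower() != name(pid).lower()


def hollowed(events=EVENTS, parent=PARENT):
    """Rule 1: a child the parent both wrote into and re-pointed a thread of
    (WriteProcessMemory + SetThreadContext) whose image/command line disagree."""
    wpm = {(s, t) for api, s, t in events if api == "WriteProcessMemory"}
    stc = {(s, t) for api, s, t in events if api == "SetThreadContext"}
    return sorted(t for s, t in wpm & stc if parent.get(t) == s and image_mismatch(t))


def thread_hijacks(events=EVENTS, parent=PARENT):
    """Rule 2: SetThreadContext on a process that is not the caller's child,
    i.e. hijacking a thread of an already running process (here Explorer.EXE)."""
    return sorted({(s, t) for api, s, t in events
                   if api == "SetThreadContext" and parent.get(t) != s})


def children_of(pid, parent=PARENT):
    return sorted(c for c, p in parent.items() if p == pid)


def explorer_lolbin_to_cmd_del(procs=PROCESSES, parent=PARENT):
    """Rule 3: Explorer.EXE spawns a System32/SysWOW64 utility with no
    arguments, which then runs `cmd /c del`: the cleanup stage of the chain."""
    hits = []
    for pid, (image, _) in procs.items():
        if ntpath.basename(image).lower() != "explorer.exe":
            continue
        for child in children_of(pid, parent):
            cimg, ccmd = procs[child]
            low = cimg.lower()
            if "\\syswow64\\" not in low and "\\system32\\" not in low:
                continue
            if ccmd.strip().strip('"').lower() != low:  # utility ran with arguments
                continue
            for gc in children_of(child, parent):
                gimg, gcmd = procs[gc]
                if ntpath.basename(gimg).lower() == "cmd.exe" and "del " in gcmd.lower():
                    hits.append((child, gc))
    return hits


def injection_chain():
    """Chain steps grouped by technique (the report carries no timestamps)."""
    steps = [f"{PARENT[p]} ({name(PARENT[p])}) hollows {p} ({name(p)}), argv[0] = "
             f"{cmdline_exe(PROCESSES[p][1])}" for p in hollowed()]
    steps += [f"{s} ({name(s)}) hijacks a thread in {t} ({name(t)})" for s, t in thread_hijacks()]
    steps += [f"{PARENT[l]} ({name(PARENT[l])}) spawns {l} ({name(l)}) -> {c} cmd.exe "
              f"{PROCESSES[c][1]}" for l, c in explorer_lolbin_to_cmd_del()]
    return steps


if __name__ == "__main__":
    for step in injection_chain():
        print(step)
```

Rule 1 is the one worth keeping in an EDR: a process whose mapped image is a Windows binary but whose argv[0] is a file under a user-writable directory has almost no benign explanation. Rule 2 fires on the report's two SetThreadContext calls into PID 1204 because Explorer.EXE is nobody's child here; on a live host, exclude debuggers and the WerFault/CSRSS paths that legitimately manipulate other processes' threads.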