Analysis
max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
30-10-2024 03:40
Static task
static1
Behavioral task
behavioral1
Sample
Order Inquiry No TM05-Q2-1024.scr
Resource
win7-20241010-en
General
Target
Order Inquiry No TM05-Q2-1024.scr
Size
1.0MB
MD5
2308945a05f8bd962152fbe15a6f6d03
SHA1
6c00121ecdcd68f9aace9370a33fa18b4105abb5
SHA256
f9b51d26f30902c804cf7df4aea874a91fc6858d1e3a3bb38708d78bc8e1c12f
SHA512
0610a394ee8e0e39b096fb4e2452ed4416ed800bcb6dba80eba481083680f358c88e8eb38228d8ae0edd8533f1fb6b7e53da2a02435068e25bc8fafaaf102436
SSDEEP
24576:KfmMv6Ckr7Mny5Qs7C5C3iYyvKoBn/9b47mJqfKT:K3v+7/5Qs7BiH5l1q4qfm
Malware Config
Extracted
formbook
4.1
ee25
eefnoodle.top
arketlivanty.store
lleranum.report
uperpotencias4.site
ab1nsf97yl.top
imselfcare.store
tupidmoney.top
4e5jys.top
ellcat.xyz
plantboxs.store
heivyoxbridge.store
00800.vip
nline-advertising-97785.bond
ndersoncarvalho.xyz
anjaexpert.makeup
scoedit.care
onstruction-jobs-99671.bond
adine-la-lourde.fun
lluminatilord.online
kkr.top
oum7.fan
luminumprofilenuts.net
utpricepharmacyqs.shop
star.top
suhot.vip
abybed.online
martbodyfuel.shop
arsodas.shop
uroe.info
ragon-money118.online
oinonos.capital
ivedoor.delivery
opytrade.meme
yciokcx.xyz
uman-design-edu.store
etfury.icu
chiri.shop
khxoxce.top
ivavanityco.store
96yhj301.top
anorly-str.dev
b68trangchu.online
nowijigu.shop
om-trackle.top
irangaclub.work
34nqaxfm.autos
xkey.biz
odrya.info
w2z1.sbs
ransluce.net
ahir-digital.online
ewevent.fun
om-tracklj.top
ashesdior.club
onw.skin
flnd.sbs
ft.global
enisecreations.shop
v-anlage.shop
ykin.site
genpalingkuat.vip
aga.cam
4s.earth
chueco.online
loridabrain.support
Signatures
Formbook family
Formbook payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4516-3-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/4516-6-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2716-12-0x0000000000B10000-0x0000000000B3F000-memory.dmp | formbook
Suspicious use of SetThreadContext 3 IoCs
Processes: Order Inquiry No TM05-Q2-1024.scr, svchost.exe, svchost.exe
description | pid | Process | procid_target
PID 3620 set thread context of 4516 | 3620 | Order Inquiry No TM05-Q2-1024.scr | 102
PID 4516 set thread context of 3632 | 4516 | svchost.exe | 56
PID 2716 set thread context of 3632 | 2716 | svchost.exe | 56
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Order Inquiry No TM05-Q2-1024.scr, svchost.exe, cmd.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Order Inquiry No TM05-Q2-1024.scr
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class 2 IoCs
Processes: Explorer.EXE
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes: svchost.exe, svchost.exe
pid | Process
4516 | svchost.exe (4 entries)
2716 | svchost.exe (44 entries)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: Order Inquiry No TM05-Q2-1024.scr, svchost.exe, svchost.exe
pid | Process
3620 | Order Inquiry No TM05-Q2-1024.scr
4516 | svchost.exe (3 entries)
2716 | svchost.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes: svchost.exe, svchost.exe, Explorer.EXE
description | pid | Process
Token: SeDebugPrivilege | 4516 | svchost.exe
Token: SeDebugPrivilege | 2716 | svchost.exe
Token: SeShutdownPrivilege | 3632 | Explorer.EXE (4 entries)
Token: SeCreatePagefilePrivilege | 3632 | Explorer.EXE (4 entries)
Suspicious use of FindShellTrayWindow 41 IoCs
Processes: Order Inquiry No TM05-Q2-1024.scr
pid | Process
3620 | Order Inquiry No TM05-Q2-1024.scr (41 entries)
Suspicious use of SendNotifyMessage 41 IoCs
Processes: Order Inquiry No TM05-Q2-1024.scr
pid | Process
3620 | Order Inquiry No TM05-Q2-1024.scr (41 entries)
Suspicious use of WriteProcessMemory 10 IoCs
Processes: Order Inquiry No TM05-Q2-1024.scr, Explorer.EXE, svchost.exe
description | pid | Process | procid_target
PID 3620 wrote to memory of 4516 | 3620 | Order Inquiry No TM05-Q2-1024.scr | 102 (4 entries)
PID 3632 wrote to memory of 2716 | 3632 | Explorer.EXE | 103 (3 entries)
PID 2716 wrote to memory of 2680 | 2716 | svchost.exe | 104 (3 entries)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3632
  C:\Users\Admin\AppData\Local\Temp\Order Inquiry No TM05-Q2-1024.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry No TM05-Q2-1024.scr" /S
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3620
    C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry No TM05-Q2-1024.scr" /S
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID:4516
  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
      - System Location Discovery: System Language Discovery
      PID:2680