Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-12-2024 16:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: ORDEN DE COMPRA.exe
- Resource: win7-20240903-en
General
- Target: ORDEN DE COMPRA.exe
- Size: 646KB
- MD5: 70bde9fa5edadae3f5297aa0f16400db
- SHA1: 2c940e38e28a1b8b4463ba0aec7f43fc0f9f99ac
- SHA256: e4c12ae8b0d5cbc65ece0631c799e6c4129bef10796d6f559865080c2c6684cc
- SHA512: 550eb811029da589d7e567eb138df698fb9b35296dce5c40dfb826875418482b309dfbc6c70fcaef5a465011905ac3b9f8290f965c45ae2397068a0878a0c4c2
- SSDEEP: 12288:mES23pYuJ9bj2vB68pMOCtcZN7Kz9yPOp7hbjA48D+QmL5iBKOr:3evBDKOCtgBAy8ggiB
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: gs25
- Domains: Formbook 4.x configs embed a list of decoy domains with the live C2 mixed in, so treat the entries below as a mixed decoy/C2 set rather than as confirmed C2 hosts.
real-food.store
marketdatalibrary.com
jolidens.space
ydental.info
tattoosbyjayinked.com
buytradesellpei.com
61983.xyz
identitysolver.xyz
mgfang.com
teizer.one
staychillax.com
ylanzarote.com
workte.net
maukigato.shop
coolbag.site
btya1r.com
dkhaohao.shop
zugaro.xyz
boon168.com
xn--80aeegahlwtdkp.com
ofiarx.com
militaryees.com
moshrifmontagebau.com
usesportcompany.com
savagesocietyclothing.com
wethedreamrs.com
allhealthzdorovoiscilenie.sbs
legacycrossingbroker.com
dompietro.com
hallconciergerie.com
xn--289a95vn5cmx6a.com
siervostinting.com
windesk.info
braxton.construction
scarefullym.shop
organicyummyvegan.com
maniza.shop
moviesmod.one
wenmingsm.com
techgist.tech
infodescansovital.click
adsfuture.shop
54844.site
opensea.creditcard
yassinshield.com
daubacthanhdeneasy.online
governmentmarketstrategies.com
socioeconomical.pics
blackmail.guide
tdrevolution.net
mega-pornx.info
favrity.com
cuocsongtot2022.site
touchlyfe.com
track-usps.info
kitchentimeremodeling.com
jettylearn.com
hookguy.buzz
cojo.world
negocio-naweb.store
kern3361ren1.site
smithbryan.website
jlxseat.top
rocksology.net
crownglassware.info
Signatures
Formbook family

Formbook payload 3 IoCs
resource / yara_rule
- behavioral2/memory/2368-26-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/2368-42-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/3020-82-0x0000000000BD0000-0x0000000000BFF000-memory.dmp: formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- PID 1108 powershell.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (ORDEN DE COMPRA.exe)

Suspicious use of SetThreadContext 3 IoCs
- PID 736 (ORDEN DE COMPRA.exe) set thread context of PID 2368 [procid_target 107]
- PID 2368 (RegSvcs.exe) set thread context of PID 3452 [procid_target 56]
- PID 3020 (chkdsk.exe) set thread context of PID 3452 [procid_target 56]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by
- ORDEN DE COMPRA.exe
- powershell.exe
- schtasks.exe
- chkdsk.exe
- cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (chkdsk.exe)

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 404 schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs
- PID 736 ORDEN DE COMPRA.exe (2 entries)
- PID 1108 powershell.exe (2 entries)
- PID 2368 RegSvcs.exe (4 entries)
- PID 3020 chkdsk.exe (40 entries)

Suspicious behavior: MapViewOfSection 5 IoCs
- PID 2368 RegSvcs.exe (3 entries)
- PID 3020 chkdsk.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 6 IoCs
- Token: SeDebugPrivilege, PID 736 ORDEN DE COMPRA.exe
- Token: SeDebugPrivilege, PID 1108 powershell.exe
- Token: SeDebugPrivilege, PID 2368 RegSvcs.exe
- Token: SeDebugPrivilege, PID 3020 chkdsk.exe
- Token: SeShutdownPrivilege, PID 3452 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 3452 Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs
- PID 736 (ORDEN DE COMPRA.exe) wrote to memory of PID 1108 [procid_target 103] (3 entries)
- PID 736 (ORDEN DE COMPRA.exe) wrote to memory of PID 404 [procid_target 105] (3 entries)
- PID 736 (ORDEN DE COMPRA.exe) wrote to memory of PID 2368 [procid_target 107] (6 entries)
- PID 3452 (Explorer.EXE) wrote to memory of PID 3020 [procid_target 108] (3 entries)
- PID 3020 (chkdsk.exe) wrote to memory of PID 3952 [procid_target 109] (3 entries)
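The SetThreadContext, WriteProcessMemory and MapViewOfSection entries above describe a two-stage injection chain: the dropper hollows RegSvcs.exe, and both RegSvcs.exe and chkdsk.exe then hijack a thread in Explorer.EXE. The Python below is an added example, not part of the sandbox report or of Formbook: it parses IoC lines in the report's own wording, rebuilds the chain, and labels each SetThreadContext edge by the write primitive seen alongside it. The PID-to-image map and the labelling rules are the example's own assumptions.

```python
"""Reconstruct and label the injection chain from the sandbox's IoC lines.

Added example, not part of the sandbox report: the IoC strings are copied from
the signature tables, the PID-to-image map from the process tree; parsing and
labelling rules are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed input: the distinct entries from the report (the report repeats
# each WriteProcessMemory entry three or six times; parse() collapses repeats).
SET_THREAD_CONTEXT = [
    "PID 736 set thread context of 2368 736 ORDEN DE COMPRA.exe 107",
    "PID 2368 set thread context of 3452 2368 RegSvcs.exe 56",
    "PID 3020 set thread context of 3452 3020 chkdsk.exe 56",
]
WRITE_PROCESS_MEMORY = [
    "PID 736 wrote to memory of 1108 736 ORDEN DE COMPRA.exe 103",
    "PID 736 wrote to memory of 1108 736 ORDEN DE COMPRA.exe 103",
    "PID 736 wrote to memory of 404 736 ORDEN DE COMPRA.exe 105",
    "PID 736 wrote to memory of 2368 736 ORDEN DE COMPRA.exe 107",
    "PID 3452 wrote to memory of 3020 3452 Explorer.EXE 108",
    "PID 3020 wrote to memory of 3952 3020 chkdsk.exe 109",
]
# PIDs that also triggered the MapViewOfSection signature.
SECTION_MAPPERS = {2368, 3020}
# PID -> image name, taken from the process tree (assumed stable for the run).
NAMES = {736: "ORDEN DE COMPRA.exe", 1108: "powershell.exe", 404: "schtasks.exe",
         2368: "RegSvcs.exe", 3452: "Explorer.EXE", 3020: "chkdsk.exe", 3952: "cmd.exe"}

IOC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+)\b")


def parse(lines):
    """Return the distinct (src_pid, action, dst_pid) edges found in the lines."""
    edges = set()
    for line in lines:
        m = IOC_RE.match(line)
        if m:
            edges.add((int(m["src"]), m["action"], int(m["dst"])))
    return edges


def classify(ctx_lines, wpm_lines, section_mappers):
    """Label each SetThreadContext edge by the write primitive seen alongside it.

    WriteProcessMemory into the same target points at classic hollowing; a
    source that triggered MapViewOfSection but never wrote to the target points
    at section-mapping injection; otherwise only the thread hijack is visible.
    """
    wrote = {(s, d) for s, _, d in parse(wpm_lines)}
    labels = {}
    for s, _, d in parse(ctx_lines):
        if (s, d) in wrote:
            labels[(s, d)] = "hollowing: WriteProcessMemory + SetThreadContext"
        elif s in section_mappers:
            labels[(s, d)] = "section mapping: MapViewOfSection + SetThreadContext"
        else:
            labels[(s, d)] = "thread hijack: SetThreadContext only"
    return labels


def chains(ctx_lines):
    """Follow SetThreadContext edges from each root injector to its final target."""
    nxt = defaultdict(list)
    targets = set()
    for s, _, d in parse(ctx_lines):
        nxt[s].append(d)
        targets.add(d)
    paths = []

    def walk(pid, path):
        if pid not in nxt:
            paths.append(path)
            return
        for d in sorted(nxt[pid]):
            walk(d, path + [d])

    for root in sorted(set(nxt) - targets):
        walk(root, [root])
    return paths


def describe(path, names=NAMES):
    """Render a chain as 'image(pid) -> image(pid)'."""
    return " -> ".join(f"{names.get(p, '?')}({p})" for p in path)


if __name__ == "__main__":
    for path in chains(SET_THREAD_CONTEXT):
        print(describe(path))
    labels = classify(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, SECTION_MAPPERS)
    for (s, d), label in sorted(labels.items()):
        print(f"{NAMES[s]}({s}) -> {NAMES[d]}({d}): {label}")
```

Two things to keep in mind when reading the output. The report's WriteProcessMemory entries also include the ordinary parent-to-child writes that accompany process creation (Explorer.EXE to chkdsk.exe, chkdsk.exe to cmd.exe), so a WriteProcessMemory entry on its own is not a signal; the pairing with SetThreadContext on the same target is. And chkdsk.exe appears as a second root because the report records no SetThreadContext into it: it was started normally by Explorer.EXE, which was itself the target of RegSvcs.exe.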
Processes
1 C:\Windows\Explorer.EXE (PID 3452)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  2 C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA.exe (PID 736, parent 3452)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1108, parent 736)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xxDBcSgHB.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\SysWOW64\schtasks.exe (PID 404, parent 736)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xxDBcSgHB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F56.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    3 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2368, parent 736)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  2 C:\Windows\SysWOW64\chkdsk.exe (PID 3020, parent 3452)
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\cmd.exe (PID 3952, parent 3020)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - System Location Discovery: System Language Discovery

Reading the tree. powershell.exe and schtasks.exe run from C:\Windows\SysWOW64\ although their command lines name C:\Windows\System32\: that is WoW64 file-system redirection, which only applies to 32-bit processes, so ORDEN DE COMPRA.exe is running as a 32-bit process. The Defender exclusion path (AppData\Roaming\xxDBcSgHB.exe) and the scheduled task name (Updates\xxDBcSgHB) share the same stem, which suggests the task launches a copy at the excluded path; the task XML (tmp3F56.tmp) itself is not shown in this report. chkdsk.exe is a child of Explorer.EXE rather than of the sample (procid_target 108, created after RegSvcs.exe's 107), and Explorer.EXE is the SetThreadContext target of both RegSvcs.exe (PID 2368) and chkdsk.exe (PID 3020); the cmd.exe that chkdsk.exe launches deletes the RegSvcs.exe image that served as the first injection host. The Formbook payload dumps listed under Signatures come from exactly those two PIDs, 2368 and 3020.
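The process tree gives four command lines worth alerting on in a process-creation feed: the Defender exclusion, the scheduled task imported from a %TEMP% XML file, a .NET utility host started with no arguments by a dropper in a user-writable path, and cmd.exe deleting a binary under C:\Windows. The Python below is an added example, not from the report or any vendor rule set: the events are constructed from the tree above (PIDs, parents, image paths and command lines as displayed), and the rule names and regular expressions are the example's own heuristics.

```python
"""Heuristic triage of the command lines in the process tree.

Added example, not from the sandbox report: the events are constructed from the
tree (PID, parent PID, image path, command line as displayed); rule names and
patterns are this example's own assumptions, not a vendor rule set.
"""
import re

EVENTS = [
    {"pid": 3452, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 736, "ppid": 3452, "image": r"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA.exe"'},
    {"pid": 1108, "ppid": 736, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\xxDBcSgHB.exe"'},
    {"pid": 404, "ppid": 736, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xxDBcSgHB" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3F56.tmp"'},
    {"pid": 2368, "ppid": 736, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 3020, "ppid": 3452, "image": r"C:\Windows\SysWOW64\chkdsk.exe",
     "cmdline": r'"C:\Windows\SysWOW64\chkdsk.exe"'},
    {"pid": 3952, "ppid": 3020, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
]

# .NET utility binaries commonly used as hollowing hosts (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline):
    """Return what follows the (possibly quoted) program path on a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def rules_for(ev, by_pid):
    """Return the rule names that fire for one process-creation event."""
    img, cmd = basename(ev["image"]), ev["cmdline"]
    parent = by_pid.get(ev["ppid"])
    hits = []
    # Defense evasion: Defender exclusion added through the Add-MpPreference cmdlet.
    if img == "powershell.exe" and re.search(
            r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension|IpAddress)\b", cmd, re.I):
        hits.append("defender_exclusion_added")
    # Persistence: task definition imported from a Temp directory.
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
            and re.search(r'/xml\s+"?[^"]*\\temp\\', cmd, re.I):
        hits.append("schtasks_xml_from_temp")
    # Injection host: .NET utility started with no arguments by a process under \Users\.
    if img in DOTNET_HOSTS and args_after_image(cmd) == "" \
            and parent is not None and "\\users\\" in parent["image"].lower():
        hits.append("dotnet_host_no_args_from_user_path")
    # Cleanup: cmd.exe deleting a file under the Windows directory.
    if img == "cmd.exe" and re.search(r"/c\s+del\b.*\\windows\\", cmd, re.I):
        hits.append("cmd_del_under_windows_dir")
    return hits


def scan(events):
    """Return sorted (pid, rule) pairs for every event that trips a rule."""
    by_pid = {ev["pid"]: ev for ev in events}
    return sorted((ev["pid"], r) for ev in events for r in rules_for(ev, by_pid))


if __name__ == "__main__":
    for pid, rule in scan(EVENTS):
        print(pid, rule)
```

Each rule is noisy on its own (administrators add Defender exclusions, installers import task XML), which is why the parent context matters: here every hit descends from an executable launched out of a user's Temp directory. The RegSvcs rule depends on that parent check; RegSvcs.exe started by a signed installer under Program Files would not fire.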
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: b3cab94064cdc4a32e0012179779c230
  SHA1: 34d822246ee05bffcfda47b3c26ca373f10c8eb7
  SHA256: 437a910d310de57ae5e218f3c7c6c1fe0ee5a17097e3259625c742ca73863c96
  SHA512: 000e969560aff43276ee94d5a25c00211a9d0c9d0d65fa58cdee4b4c0412adb8793849fe5830909bec31a9abbf7e8bd9b20dfe30dbe330c9be5f05ef7b9da764