Analysis

max time kernel: 148s
max time network: 146s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 11:50

Static task: static1

Behavioral task: behavioral1
  Sample: Order Nr U764D.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: Order Nr U764D.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: nnmdtjq.exe
  Resource: win7-20240903-en

Behavioral task: behavioral4
  Sample: nnmdtjq.exe
  Resource: win10v2004-20241007-en
General

Target: Order Nr U764D.exe
Size: 255KB
MD5: 04a169e7e5c9ea7a92a2ab3debf63f41
SHA1: c1b35c61e8ee1382f7f83c182ccadf4bac6be2e8
SHA256: afc6417a1f71fe5406d149c95b046b997a99421f92f4fb8398908b73675c2012
SHA512: c5c932f02ae2f6ad6a67418a3302356fde44fa194eb9f6d02e6c150865fd9b87892187bf3e6aa379e9caea90892a8238b9ac3925e4e77444a2cfaa81dcf517fb
SSDEEP: 6144:mbE/HUbWRhd2L+uUgXCafRcIVqvP5xGKO1B3kqg4:mb/EhS33cIVqZAKUXp
Malware Config

Extracted: formbook
Version: 4.1
Campaign: mr06
Signatures

Formbook family

Formbook payload 2 IoCs
  resource                                                                    yara_rule
  behavioral1/memory/2948-16-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2772-23-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook

Executes dropped EXE 1 IoCs
  pid   Process
  2584  nnmdtjq.exe

Loads dropped DLL 3 IoCs
  pid   Process
  2936  Order Nr U764D.exe
  2584  nnmdtjq.exe
  2948  nnmdtjq.exe

Suspicious use of SetThreadContext 3 IoCs
  description                           pid   Process      procid_target
  PID 2584 set thread context of 2948   2584  nnmdtjq.exe  32
  PID 2948 set thread context of 1412   2948  nnmdtjq.exe  21
  PID 2772 set thread context of 1412   2772  cmstp.exe    21

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Order Nr U764D.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nnmdtjq.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmstp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs
  pid   Process
  2948  nnmdtjq.exe  (2 identical rows)
  2772  cmstp.exe    (29 identical rows)

Suspicious behavior: MapViewOfSection 5 IoCs
  pid   Process
  2948  nnmdtjq.exe  (3 identical rows)
  2772  cmstp.exe    (2 identical rows)

Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2948  nnmdtjq.exe
  Token: SeDebugPrivilege  2772  cmstp.exe

Suspicious use of WriteProcessMemory 20 IoCs
  description                        pid   Process             procid_target
  PID 2936 wrote to memory of 2584   2936  Order Nr U764D.exe  30  (4 identical rows)
  PID 2584 wrote to memory of 2948   2584  nnmdtjq.exe         32  (5 identical rows)
  PID 1412 wrote to memory of 2772   1412  Explorer.EXE        42  (7 identical rows)
  PID 2772 wrote to memory of 2588   2772  cmstp.exe           43  (4 identical rows)
Processes

C:\Windows\Explorer.EXE  (PID 1412)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Order Nr U764D.exe  (PID 2936)
    command line: "C:\Users\Admin\AppData\Local\Temp\Order Nr U764D.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\nnmdtjq.exe  (PID 2584)
      command line: "C:\Users\Admin\AppData\Local\Temp\nnmdtjq.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\nnmdtjq.exe  (PID 2948)
        command line: "C:\Users\Admin\AppData\Local\Temp\nnmdtjq.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autoconv.exe  (PID 2944)   command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\autoconv.exe  (PID 3012)   command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\autoconv.exe  (PID 2908)   command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\autoconv.exe  (PID 1476)   command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\autoconv.exe  (PID 2372)   command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\autoconv.exe  (PID 2920)   command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\autoconv.exe  (PID 2924)   command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\autoconv.exe  (PID 2168)   command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\autoconv.exe  (PID 2176)   command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\cmstp.exe  (PID 2772)
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2588)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\nnmdtjq.exe"
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: b472438e8c315aa6af34d23e91d6b0a7
SHA1: 5f3c21d6e3da172c95039f8d78ef3d9887ba287d
SHA256: fd25e44e4e65785d90081fafe4a1ef3629b41a9d37acb833460e789f9e9a921e
SHA512: 76e6b57bb44bf7cbdca74f6fead456c3b50680fb77c1573d2967513002d05bae2509166de8c7946375ce3da139e2ee04cd0c78f9e3d46801e5f170c73f0c06fd

Filesize: 59KB
MD5: 8b5d0587ce1121389864bdcf9559d294
SHA1: 2b903d531834992e37fab920d7b000187a9833bc
SHA256: f57122b7b5a7eff1b245080a876201adfe42eefa299d30dfc140f0427e139285
SHA512: 79e92611bab464b6c56f6fb7da20d688a6d0852f9515eb68065ddfca71a6d507f591fd8e6c7a7696b025f8d1341953b920c4abd6b170f34cc6c173fc50d72f6a

Filesize: 185KB
MD5: 82c6372659af5de6f973de4939e76030
SHA1: 7e88829c2585ffac7531d6e33a0778cef45d75c8
SHA256: 766b75812ff45f89b27284d5371aa5afc14dd84326a362de173e40f8c919a822
SHA512: ab5fd72c8a41183206d365b409ccf79fe6752319e0b55e440b34f84a258eb91983dd5bcaf3cfe36e9a695bf5e5679a9cea57f998b951b782458c67b4afcddc77