Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 08:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: Maersk Arrival Notice ready for Bill of Lading 238591458.exe
- Resource: win7-20240220-en
General
- Target: Maersk Arrival Notice ready for Bill of Lading 238591458.exe
- Size: 1.1MB
- MD5: 7d8eba7ae0e5cb213b8b3c8d202d69eb
- SHA1: 2f4fdf21a78bf6128a3cffe55e916b7daad175c9
- SHA256: d67c467e851c6f18a79386dbbae7049d07c9c6381a98d141638eef7d83106373
- SHA512: 38de5d3e64362d445e4d4469fded251d29a5502f980fe9a6fce710111f26f3efeb5e41ca8839ec391905cec46fc20cff16303412f84356f38456b5dac3193e43
- SSDEEP: 24576:bAHnh+eWsN3skA4RV1Hom2KXMmHaDeipba5:2h+ZkldoPK8YaDTU
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: ss63
- Domains:
catpig.xyz
chatladyanzensei7.site
onewayonepaydroptaxi.com
bima188.lol
wealth-km.online
seepao27200.top
6c958u9.lol
fbyu57ytsd.shop
baranetentegre.com
webaichimie.com
h3k38q2.lol
abicomsrl.com
338kp.vip
rescuecube.com
bubatz-t.com
psgluxuryapartments.com
goodfellowlawfirm.com
bais141.com
imingchu.com
ekzeanjfolzaks.top
hanweixn.com
getwalkapp.com
pharm-resources.com
montessorigpt.com
novaprivatecare.com
3656444.com
h61u4oxx4sraqjm.buzz
vak888.life
q43n.top
sushiommen.com
wvinsiders.com
emran-tahhan.com
manipulatedalgorithms.com
presentiei.shop
juntospelors.com
j0a6doy1x8eyx.com
yexoiup.xyz
bricoarq.com
hnxymaritime.com
selllocaljet.com
h5left513.xyz
65yty.com
everymgs01.com
barbaraht.com
mx5cucs.xyz
checkscamsv.com
smpn1madangsuku2.store
mixefy.shop
gacordewa288.life
srisaiprintpack.com
gasdepo168.com
etancheite-ajaccio.com
slow-man.com
thewhitehorsepub.biz
bay6studio.com
djhtshrtshgrg.lol
xcxocez.shop
games.broker
nudkiss.com
ccconnectglobal.com
wifmilio.com
dpuntada.com
ads8562.shop
diferenciaes.com
fashionchc.com
Signatures

Formbook payload (3 IoCs)
Memory regions matching the formbook yara rule:
- behavioral1/memory/2368-11-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/2368-15-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/3020-21-0x00000000000D0000-0x00000000000FF000-memory.dmp

Suspicious use of SetThreadContext (3 IoCs)
Processes: Maersk Arrival Notice ready for Bill of Lading 238591458.exe, svchost.exe, wuapp.exe
- PID 2176 (Maersk Arrival Notice ready for Bill of Lading 238591458.exe) set thread context of PID 2368 (svchost.exe)
- PID 2368 (svchost.exe) set thread context of PID 1196 (Explorer.EXE)
- PID 3020 (wuapp.exe) set thread context of PID 1196 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes: svchost.exe, wuapp.exe
- PID 2368 svchost.exe (2 entries)
- PID 3020 wuapp.exe (29 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: Maersk Arrival Notice ready for Bill of Lading 238591458.exe, svchost.exe, wuapp.exe
- PID 2176 Maersk Arrival Notice ready for Bill of Lading 238591458.exe (1 entry)
- PID 2368 svchost.exe (3 entries)
- PID 3020 wuapp.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: svchost.exe, wuapp.exe
- Token: SeDebugPrivilege, PID 2368 svchost.exe
- Token: SeDebugPrivilege, PID 3020 wuapp.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: Maersk Arrival Notice ready for Bill of Lading 238591458.exe, Explorer.EXE
- PID 2176 Maersk Arrival Notice ready for Bill of Lading 238591458.exe (2 entries)
- PID 1196 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Maersk Arrival Notice ready for Bill of Lading 238591458.exe
- PID 2176 Maersk Arrival Notice ready for Bill of Lading 238591458.exe (2 entries)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: Maersk Arrival Notice ready for Bill of Lading 238591458.exe, Explorer.EXE, wuapp.exe
- PID 2176 (Maersk Arrival Notice ready for Bill of Lading 238591458.exe) wrote to memory of PID 2368 (svchost.exe) (5 entries)
- PID 1196 (Explorer.EXE) wrote to memory of PID 3020 (wuapp.exe) (7 entries)
- PID 3020 (wuapp.exe) wrote to memory of PID 2392 (cmd.exe) (4 entries)
Processes (process tree; path followed by command line)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Maersk Arrival Notice ready for Bill of Lading 238591458.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Maersk Arrival Notice ready for Bill of Lading 238591458.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Maersk Arrival Notice ready for Bill of Lading 238591458.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wuapp.exe
    Command line: "C:\Windows\SysWOW64\wuapp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1196-23-0x00000000051B0000-0x00000000052A0000-memory.dmp (Filesize: 960KB)
- memory/1196-31-0x00000000075A0000-0x0000000007732000-memory.dmp (Filesize: 1.6MB)
- memory/1196-28-0x00000000075A0000-0x0000000007732000-memory.dmp (Filesize: 1.6MB)
- memory/1196-27-0x00000000075A0000-0x0000000007732000-memory.dmp (Filesize: 1.6MB)
- memory/1196-16-0x0000000003B00000-0x0000000003C00000-memory.dmp (Filesize: 1024KB)
- memory/1196-17-0x00000000051B0000-0x00000000052A0000-memory.dmp (Filesize: 960KB)
- memory/2176-10-0x00000000000B0000-0x00000000000B4000-memory.dmp (Filesize: 16KB)
- memory/2368-15-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/2368-14-0x0000000000260000-0x0000000000275000-memory.dmp (Filesize: 84KB)
- memory/2368-13-0x0000000000700000-0x0000000000A03000-memory.dmp (Filesize: 3.0MB)
- memory/2368-11-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/3020-20-0x0000000000FC0000-0x0000000000FCB000-memory.dmp (Filesize: 44KB)
- memory/3020-21-0x00000000000D0000-0x00000000000FF000-memory.dmp (Filesize: 188KB)
- memory/3020-18-0x0000000000FC0000-0x0000000000FCB000-memory.dmp (Filesize: 44KB)