Analysis
- max time kernel: 149s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-11-2020 06:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2020112395387_pdf.exe
- Resource: win7v20201028
General
- Target: 2020112395387_pdf.exe
- Size: 390KB
- MD5: e54d832cb872b7dc086ab7a7878d38fb
- SHA1: dd865deaffa4558eebebcb83b5335de2b0b26327
- SHA256: 06a0e3845d7b4c5593a9143eb1ae73223760d68f2acf0e5be631b9eeab3675f3
- SHA512: 04a78936551df1bf62d4b256c2a5888af840d9f1fb1735810b1c5145af0795c6c84e03b66754137242691aa0ffa26ceb7295d3cdc59323b939daa8d7cb24bac0
Malware Config
Extracted: formbook
http://www.blog-cybersecurite.net/ogg/
constmotion.com
castinginiciadas.com
dalvgroup.com
dmetuningkw.com
everygrindcount.com
lovewrendley.com
yourtallahassee.com
healer-jou.com
china-gadge.com
theplatinumworld.com
rakutenlle.xyz
neroflex.com
zdysks.com
e-learningorange.com
starbleach.com
apexappsllc.com
sinteredsurface.com
upcas.info
monetizemybizadvertisers.com
tsptoolbox.net
kobeli.online
rfzhuan.com
hairbyjessiemohler.com
poshmaternityshop.com
iqfeggs.com
moneybusinessclub.com
dulichkaito.com
lordmichaelspencer.com
penislandbrewery.com
clubamericashop.com
afflict.xyz
paletciniz.com
aleksruizphotography.com
8khutpn8g3x9iy.net
deepseacrabclearwater.com
indomediasolutions.com
brokenpinesga.com
redvalleybank.com
yo1marketing.com
cmbclient.xyz
powderedsilk.com
anjmail.xyz
segredosdocopywriting.com
ryan-law-firm.com
annaothomas.com
befitptstudio.com
lygosfilms.info
shajalhasan.com
renewedwomen.net
clippingpathfloor.com
dharani.club
natucolombia.com
kenhdautunhadat.com
final-the.com
mybuildingneeds.com
ashtaylorgoodwin.com
aluarte.info
pustani.com
wraptechauto.com
rtedgarelwood.site
voetbalvandaag.net
undanganelegan.com
molting.life
depoarkasi.com
Signatures
-
Formbook Payload (3 IoCs)
resource | yara_rule
- behavioral2/memory/5092-0-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
- behavioral2/memory/5092-1-0x000000000041EB50-mapping.dmp | formbook
- behavioral2/memory/3700-3-0x0000000000000000-mapping.dmp | formbook
-
Suspicious use of SetThreadContext (3 IoCs)
Processes: 2020112395387_pdf.exe, 2020112395387_pdf.exe, svchost.exe
description | pid | process | target process
- set thread context | 4752 | 2020112395387_pdf.exe | 5092 2020112395387_pdf.exe
- set thread context | 5092 | 2020112395387_pdf.exe | 3012 Explorer.EXE
- set thread context | 3700 | svchost.exe | 3012 Explorer.EXE
-
Modifies registry class (2 IoCs)
Processes: Explorer.EXE
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes: 2020112395387_pdf.exe, svchost.exe
pid | process (repeated entries collapsed, counts taken from the report)
- 5092 | 2020112395387_pdf.exe (4 entries)
- 3700 | svchost.exe (58 entries)
-
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: 2020112395387_pdf.exe, 2020112395387_pdf.exe, svchost.exe
pid | process (repeated entries collapsed, counts taken from the report)
- 4752 | 2020112395387_pdf.exe (1 entry)
- 5092 | 2020112395387_pdf.exe (3 entries)
- 3700 | svchost.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes: 2020112395387_pdf.exe, Explorer.EXE, svchost.exe
description | pid | process (repeated entries collapsed, counts taken from the report)
- Token: SeDebugPrivilege | 5092 | 2020112395387_pdf.exe (1 entry)
- Token: SeDebugPrivilege | 3700 | svchost.exe (1 entry)
- Token: SeShutdownPrivilege | 3012 | Explorer.EXE (5 entries)
- Token: SeCreatePagefilePrivilege | 3012 | Explorer.EXE (5 entries)
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 2020112395387_pdf.exe, Explorer.EXE, svchost.exe
description | pid | process | target process (repeated entries collapsed, counts taken from the report)
- wrote to memory | 4752 | 2020112395387_pdf.exe | 5092 2020112395387_pdf.exe (4 entries)
- wrote to memory | 3012 | Explorer.EXE | 3700 svchost.exe (3 entries)
- wrote to memory | 3700 | svchost.exe | 2084 cmd.exe (3 entries)
Processes
- [depth 1] C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\2020112395387_pdf.exe, command line: "C:\Users\Admin\AppData\Local\Temp\2020112395387_pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\2020112395387_pdf.exe, command line: "C:\Users\Admin\AppData\Local\Temp\2020112395387_pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\svchost.exe, command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe, command line: /c del "C:\Users\Admin\AppData\Local\Temp\2020112395387_pdf.exe"
Downloads
- memory/2084-6-0x0000000000000000-mapping.dmp
- memory/3700-3-0x0000000000000000-mapping.dmp
- memory/3700-4-0x0000000001000000-0x000000000100C000-memory.dmp (filesize: 48KB)
- memory/3700-5-0x0000000001000000-0x000000000100C000-memory.dmp (filesize: 48KB)
- memory/3700-7-0x0000000003F00000-0x0000000004057000-memory.dmp (filesize: 1.3MB)
- memory/5092-0-0x0000000000400000-0x000000000042E000-memory.dmp (filesize: 184KB)
- memory/5092-1-0x000000000041EB50-mapping.dmp