Analysis
- max time kernel: 149s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 15:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: PI_JAN9071011998_BARYSLpdf.exe
- Resource: win7v20201028
General
- Target: PI_JAN9071011998_BARYSLpdf.exe
- Size: 941KB
- MD5: 31dddef6168b1d0e0f731f01eca9ea58
- SHA1: bd1e997473e71ae2e8021298149b692cb84aab54
- SHA256: 7a47a855968f4e82d6cc2d35186d2d56468701bc5587cc87f82a847bd2c45ae5
- SHA512: de6ceb15b960f8b6ab95438b04495974c200086447b4b4d91401af936105a2bf66888913e16ba1ffb7a171aa1de0a7fabb6f02979362a3bef978f011571b8ebb
Malware Config
- Extracted family: formbook
Signatures

Formbook Payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1588-7-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral1/memory/1588-8-0x000000000041EB70-mapping.dmp | formbook
  behavioral1/memory/396-9-0x0000000000000000-mapping.dmp | formbook

Deletes itself (1 IoC)
Processes: cmd.exe
  pid | process
  1472 | cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: PI_JAN9071011998_BARYSLpdf.exe, NETSTAT.EXE
  description | pid | process | target process
  PID 848 set thread context of 1588 | 848 | PI_JAN9071011998_BARYSLpdf.exe | PI_JAN9071011998_BARYSLpdf.exe
  PID 1588 set thread context of 1244 | 1588 | PI_JAN9071011998_BARYSLpdf.exe | Explorer.EXE
  PID 396 set thread context of 1244 | 396 | NETSTAT.EXE | Explorer.EXE

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes: NETSTAT.EXE
  pid | process
  396 | NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes: PI_JAN9071011998_BARYSLpdf.exe, NETSTAT.EXE
  pid | process
  1588 | PI_JAN9071011998_BARYSLpdf.exe (2 entries)
  396 | NETSTAT.EXE (22 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: PI_JAN9071011998_BARYSLpdf.exe, NETSTAT.EXE
  pid | process
  1588 | PI_JAN9071011998_BARYSLpdf.exe (3 entries)
  396 | NETSTAT.EXE (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: PI_JAN9071011998_BARYSLpdf.exe, NETSTAT.EXE
  description | pid | process
  Token: SeDebugPrivilege | 1588 | PI_JAN9071011998_BARYSLpdf.exe
  Token: SeDebugPrivilege | 396 | NETSTAT.EXE

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: Explorer.EXE
  pid | process
  1244 | Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE
  pid | process
  1244 | Explorer.EXE (4 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: PI_JAN9071011998_BARYSLpdf.exe, Explorer.EXE, NETSTAT.EXE
  description | pid | process | target process
  PID 848 wrote to memory of 1588 | 848 | PI_JAN9071011998_BARYSLpdf.exe | PI_JAN9071011998_BARYSLpdf.exe (7 entries)
  PID 1244 wrote to memory of 396 | 1244 | Explorer.EXE | NETSTAT.EXE (4 entries)
  PID 396 wrote to memory of 1472 | 396 | NETSTAT.EXE | cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PI_JAN9071011998_BARYSLpdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PI_JAN9071011998_BARYSLpdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\PI_JAN9071011998_BARYSLpdf.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autofmt.exe
    command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\autofmt.exe
    command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\autofmt.exe
    command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\NETSTAT.EXE
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\PI_JAN9071011998_BARYSLpdf.exe"
      - Deletes itself
Downloads
- memory/396-9-0x0000000000000000-mapping.dmp
- memory/396-10-0x0000000000E90000-0x0000000000E99000-memory.dmp (36KB)
- memory/396-12-0x0000000003180000-0x0000000003262000-memory.dmp (904KB)
- memory/848-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp (6.9MB)
- memory/848-3-0x0000000000800000-0x0000000000801000-memory.dmp (4KB)
- memory/848-5-0x0000000000290000-0x000000000029E000-memory.dmp (56KB)
- memory/848-6-0x0000000002140000-0x000000000218C000-memory.dmp (304KB)
- memory/1472-11-0x0000000000000000-mapping.dmp
- memory/1588-7-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/1588-8-0x000000000041EB70-mapping.dmp