Analysis
- max time kernel: 150s
- max time network: 37s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 08:02
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO_JAN907#092941_BARYSLpdf.exe
- Resource: win7v20201028
General
- Target: PO_JAN907#092941_BARYSLpdf.exe
- Size: 928KB
- MD5: e24296acfd8c4ec1fb1e5b4b9379be14
- SHA1: cdfcde4ab8907b98d3266eb1f80afa43821fb764
- SHA256: 7139fbd600738d2f456c7f11ae105e45ab0bb6e14a473ae0e68391b8125da393
- SHA512: 8123f2ab10402f61238d4468c472d23d7cd9788e2f01f3ea8eaf08130a576dad534ebc38329009f54f60ac23b92a26bc792a79426a35c7ac8f964148fa5dd2ac
Malware Config
- Extracted family: formbook
Signatures
Formbook Payload (3 IoCs)
resource / yara_rule:
- behavioral1/memory/2044-8-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
- behavioral1/memory/2044-9-0x000000000041EB70-mapping.dmp: formbook
- behavioral1/memory/1388-19-0x0000000000080000-0x00000000000AE000-memory.dmp: formbook
Deletes itself (1 IoC)
pid / process:
- 1612 cmd.exe
Suspicious use of SetThreadContext (4 IoCs)
description / pid / process / target process:
- PID 528 set thread context of 2044: 528 PO_JAN907#092941_BARYSLpdf.exe -> PO_JAN907#092941_BARYSLpdf.exe
- PID 2044 set thread context of 1208: 2044 PO_JAN907#092941_BARYSLpdf.exe -> Explorer.EXE (2 events)
- PID 1388 set thread context of 1208: 1388 NETSTAT.EXE -> Explorer.EXE
Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid / process:
- 1388 NETSTAT.EXE
Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid / process:
- 2044 PO_JAN907#092941_BARYSLpdf.exe (3 events)
- 1388 NETSTAT.EXE (20 events)
Suspicious behavior: MapViewOfSection (6 IoCs)
pid / process:
- 2044 PO_JAN907#092941_BARYSLpdf.exe (4 events)
- 1388 NETSTAT.EXE (2 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / process:
- Token: SeDebugPrivilege: 2044 PO_JAN907#092941_BARYSLpdf.exe
- Token: SeDebugPrivilege: 1388 NETSTAT.EXE
Suspicious use of FindShellTrayWindow (4 IoCs)
pid / process:
- 1208 Explorer.EXE (4 events)
Suspicious use of SendNotifyMessage (4 IoCs)
pid / process:
- 1208 Explorer.EXE (4 events)
Suspicious use of WriteProcessMemory (15 IoCs)
description / pid / process / target process:
- PID 528 wrote to memory of 2044: 528 PO_JAN907#092941_BARYSLpdf.exe -> PO_JAN907#092941_BARYSLpdf.exe (7 events)
- PID 1208 wrote to memory of 1388: 1208 Explorer.EXE -> NETSTAT.EXE (4 events)
- PID 1388 wrote to memory of 1612: 1388 NETSTAT.EXE -> cmd.exe (4 events)
Processes (tree; indentation shows parent/child, the number is the depth in the tree)
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\PO_JAN907#092941_BARYSLpdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\PO_JAN907#092941_BARYSLpdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\PO_JAN907#092941_BARYSLpdf.exe
         command line: "{path}"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\NETSTAT.EXE
      command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO_JAN907#092941_BARYSLpdf.exe"
         - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/528-3-0x0000000000A20000-0x0000000000A21000-memory.dmp (Filesize: 4KB)
- memory/528-5-0x0000000004DA0000-0x0000000004DA1000-memory.dmp (Filesize: 4KB)
- memory/528-6-0x0000000000430000-0x000000000043E000-memory.dmp (Filesize: 56KB)
- memory/528-7-0x0000000002370000-0x00000000023CF000-memory.dmp (Filesize: 380KB)
- memory/528-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp (Filesize: 6.9MB)
- memory/1208-13-0x0000000004010000-0x00000000040D9000-memory.dmp (Filesize: 804KB)
- memory/1208-15-0x0000000004BB0000-0x0000000004CA2000-memory.dmp (Filesize: 968KB)
- memory/1388-16-0x0000000000000000-mapping.dmp
- memory/1388-18-0x0000000000880000-0x0000000000889000-memory.dmp (Filesize: 36KB)
- memory/1388-19-0x0000000000080000-0x00000000000AE000-memory.dmp (Filesize: 184KB)
- memory/1388-20-0x0000000002240000-0x0000000002543000-memory.dmp (Filesize: 3.0MB)
- memory/1388-21-0x0000000002100000-0x0000000002193000-memory.dmp (Filesize: 588KB)
- memory/1612-17-0x0000000000000000-mapping.dmp
- memory/2044-12-0x0000000000160000-0x0000000000174000-memory.dmp (Filesize: 80KB)
- memory/2044-11-0x0000000000B10000-0x0000000000E13000-memory.dmp (Filesize: 3.0MB)
- memory/2044-14-0x0000000000360000-0x0000000000374000-memory.dmp (Filesize: 80KB)
- memory/2044-9-0x000000000041EB70-mapping.dmp
- memory/2044-8-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)