Analysis
-
max time kernel
145s -
max time network
119s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-01-2021 07:56
General
-
Target
2021_50SG0BK00T1,pdf.exe
-
Size
1.0MB
-
MD5
89f2269c6b922334a760d393a84e14f5
-
SHA1
c745861fede33861fb7ecb4e74fec7ffc2f65838
-
SHA256
e7063cc17e4ab85b0ae947f6366f4a955758d2e3ef81bb2476f77aec1f77daae
-
SHA512
3779f0399da5297c82086512b516fb6bfd05df9831c995001988bf0cbe2fe20258316c9e19e3810240e0414a059f7132d73835a9cfa4cc8ab5845d98887a46ce
Malware Config
Extracted
formbook
http://www.radissonhotelsusa.com/cp5/
glcpunix.com
marabierta-coaching.com
osrs-remastered.com
lineagehealthxwellness.com
dunyadagezilecekyerler.com
negociosyfinanzasfaciles.com
bifa510.com
houseofutamasa.com
dopeneeds.com
sailacc.com
thewindgallery.com
elvinrisky.com
flowersassistedliving.com
lzbnwy.com
mrpentester.com
joinmytradingteam.com
jasabuatvisa.com
meherunnessa-foundation.com
notyourtypicaljocks.com
lobo-sports.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook Payload 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2021_50SG0BK00T1,pdf.exe"C:\Users\Admin\AppData\Local\Temp\2021_50SG0BK00T1,pdf.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uQbWwWGLjoOA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5247.tmp"3⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
906442277d36decca2a3ed1700a3fc75
SHA1ba76db5f6c0d57cdd78092b97d935ece1b13c572
SHA256f738f150ce4bef6516d36d1fd6f1dd44eb24c94ec69cc7f75e54273e46b34ecc
SHA51234381402cf738a1de6c3bd80f6ef042b2176beab32a6883d13684d12d6775b42623fde30ba772e25979621f0a329f92843a5afbcc7e961a8dd7d67078a40123b
-
Filesize
80KB
-
Filesize
3.1MB
-
-
Filesize
184KB
-
-
Filesize
784KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
412KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
140KB
-
Filesize
4KB
-
Filesize
156KB
-
Filesize
184KB
-
Filesize
3.1MB
-
Filesize
588KB
-
-