Analysis

max time kernel: 147s
max time network: 143s
platform: windows10_x64
resource: win10v20201028
submitted: 19-01-2021 12:53

Static task: static1
Behavioral task: behavioral1
Sample: W21_0191,pdf.exe
Resource: win7v20201028
General

Target: W21_0191,pdf.exe
Size: 1.0MB
MD5: 2b71bd4f414944163720bffe66296f21
SHA1: 7c86106022e7b4150d0ba2709f4df368c4b8bc15
SHA256: 9bf3bb9e44490d5836c31036a78c59c92a51d8f6bfb33363d8c617d27967ff3f
SHA512: 8eeb0bbcefd0109a82c806d7740a8fe4b6f811a352d20772362302ba2ed615351a0bb3df18f1cd8d5ae28cc1ff7e3bd19333d546b4e4e0faf194ee068b905a7b
Malware Config

Extracted configuration: formbook
URL: http://www.radissonhotelsusa.com/cp5/
Domains:
glcpunix.com
marabierta-coaching.com
osrs-remastered.com
lineagehealthxwellness.com
dunyadagezilecekyerler.com
negociosyfinanzasfaciles.com
bifa510.com
houseofutamasa.com
dopeneeds.com
sailacc.com
thewindgallery.com
elvinrisky.com
flowersassistedliving.com
lzbnwy.com
mrpentester.com
joinmytradingteam.com
jasabuatvisa.com
meherunnessa-foundation.com
notyourtypicaljocks.com
lobo-sports.com
nails-of-art.com
skinatoms.com
huadijc.com
elegantligting.com
zwasperr.com
401ne19thstapt51.com
semedburiti.com
andieweb.com
best20hookups.com
planttan.com
entrenamientoenequilibrio.com
newsecho.net
cocktailcrates.com
gurumedicalsupplies.com
legaca.trade
carscompetition.com
disloc.net
hsupi.com
s-sgasia.com
dictuse.xyz
vayocart.com
boxedhawaii.com
wateryourlandscape.com
countrytouring.com
shifamedico.com
gdhymc.com
sessionsup.com
viettellongxuyen.com
shindeconstruction.com
theautocareshop.com
maxwellgolf.com
hongdajunheng.com
mwakossolutions.com
fabulashpro.com
sklsdcollege.com
sensualblogs.com
gtainsinde.com
nehyam.com
itool.group
noblehare.com
amylaib.com
photosbylanie.com
palmoiltech.com
harrypotterwithguna.com
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/3600-15-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/3600-16-0x000000000041EBF0-mapping.dmp | formbook
behavioral2/memory/732-24-0x0000000000A00000-0x0000000000A2E000-memory.dmp | formbook

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 880 set thread context of 3600 | 880 | W21_0191,pdf.exe | W21_0191,pdf.exe
PID 3600 set thread context of 2868 | 3600 | W21_0191,pdf.exe | Explorer.EXE
PID 732 set thread context of 2868 | 732 | netsh.exe | Explorer.EXE

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (35 IoCs)
pid | process | hits
880 | W21_0191,pdf.exe | 1
3600 | W21_0191,pdf.exe | 4
732 | netsh.exe | 30

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | hits
3600 | W21_0191,pdf.exe | 3
732 | netsh.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 880 | W21_0191,pdf.exe
Token: SeDebugPrivilege | 3600 | W21_0191,pdf.exe
Token: SeDebugPrivilege | 732 | netsh.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | process | target process | hits
PID 880 wrote to memory of 3056 | 880 | W21_0191,pdf.exe | schtasks.exe | 3
PID 880 wrote to memory of 3600 | 880 | W21_0191,pdf.exe | W21_0191,pdf.exe | 6
PID 2868 wrote to memory of 732 | 2868 | Explorer.EXE | netsh.exe | 3
PID 732 wrote to memory of 1240 | 732 | netsh.exe | cmd.exe | 3
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ErUoKVSz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99B0.tmp"
         - Creates scheduled task(s)

      3. C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp99B0.tmp
MD5: be39af2a2f092e75e4f1113c22e98426
SHA1: 58893785a3c3093a4a3806b06a521c80925c9441
SHA256: 43cb05a1d2e43e0e95a9f2f2e133772d023abef7c7f4a68353aaa26e3cdc610a
SHA512: 6840b0fd633f815711bf3970bc953d27b6e3219cdb2ba18238f6abb1609c91ba7573bacd6deb4cff993a7b2e463e70133a80e880dfcb92c1ed56a3a32d4ff586

Memory dumps (file | filesize)
memory/732-27-0x0000000001260000-0x00000000012F3000-memory.dmp | 588KB
memory/732-26-0x0000000001380000-0x00000000016A0000-memory.dmp | 3.1MB
memory/732-23-0x00000000017F0000-0x000000000180E000-memory.dmp | 120KB
memory/732-24-0x0000000000A00000-0x0000000000A2E000-memory.dmp | 184KB
memory/732-22-0x0000000000000000-mapping.dmp | -
memory/880-9-0x0000000004960000-0x0000000004961000-memory.dmp | 4KB
memory/880-6-0x0000000004F80000-0x0000000004F81000-memory.dmp | 4KB
memory/880-11-0x00000000049A0000-0x00000000049C3000-memory.dmp | 140KB
memory/880-12-0x0000000005840000-0x00000000058A6000-memory.dmp | 408KB
memory/880-3-0x0000000000040000-0x0000000000041000-memory.dmp | 4KB
memory/880-2-0x0000000073460000-0x0000000073B4E000-memory.dmp | 6.9MB
memory/880-5-0x00000000049E0000-0x00000000049E1000-memory.dmp | 4KB
memory/880-10-0x0000000004C40000-0x0000000004C41000-memory.dmp | 4KB
memory/880-7-0x0000000004A80000-0x0000000004A81000-memory.dmp | 4KB
memory/880-8-0x0000000004CB0000-0x0000000004CB1000-memory.dmp | 4KB
memory/1240-25-0x0000000000000000-mapping.dmp | -
memory/2868-21-0x0000000005FA0000-0x00000000060E1000-memory.dmp | 1.3MB
memory/2868-28-0x0000000006220000-0x0000000006397000-memory.dmp | 1.5MB
memory/3056-13-0x0000000000000000-mapping.dmp | -
memory/3600-20-0x0000000001640000-0x0000000001654000-memory.dmp | 80KB
memory/3600-19-0x0000000001AA0000-0x0000000001DC0000-memory.dmp | 3.1MB
memory/3600-16-0x000000000041EBF0-mapping.dmp | -
memory/3600-15-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB