Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-07-2021 12:50

Static task: static1
Behavioral task: behavioral1
- Sample: Documents pdf.exe
- Resource: win7v20210410
General
- Target: Documents pdf.exe
- Size: 533KB
- MD5: 027d8e07155bc564f7b522183018efe6
- SHA1: 10348a89cc88e0911f507a2d4aa50071718b096c
- SHA256: 90e7c97ea4917a6efb5c0a69bd6f481b1a5023d6f8ad0f22d123c417edff8a68
- SHA512: 5d1c8f6f0121df79767de6de22e7f513972aceeafd7376086511c8575187e224190a408340ec57835e9c0e0a347d47d7e4fd70c8618f91cf638c23b3acc5c3d3
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- C2 URL: http://www.valiantfinancial.net/hth0/
- Decoy domains (Formbook beacons to these alongside the real C2, so the list is a blocklist, not a list of compromised sites):
grahamandjana.com
surfpodcastnetwork.com
valkyrie20.com
hire4looks.com
wewalkfastasone.com
saveourschoolyear.com
5g23e.com
abusinesssystems.com
telefonepantalla.com
tailorscafe.com
schwarzer-markt.net
stopwatch247.com
458grandbetting.com
xpovision.com
kutkingbarbering.life
kppp-guxxz.xyz
chuckwagon-chow.com
la-casa-delle-vita.com
creativesocials.com
negociacoeshojebr.com
conservativestyle.life
825tache.com
birthmothersmaine.com
jwrl.net
gardiantparts.com
contodosyparaelbiendetodos.com
actymall.com
oxyde.net
adagiomusicacademy.com
newjerseyscubadiving.net
87oaks.com
overt.website
home-made-gifts.com
viralgoats.com
camediahub.com
bankruptcyprobabilities.com
yourlifematterswellness.email
earnestjourneycourses.com
landonpaints.com
aesegroup.com
omegle99.com
sparklinmomma.com
cofcwzrf.com
jam-nins.com
mazacz.com
copdrule.info
cahayaqq.life
helps-paxful.com
gerado.online
patanamedia.com
fromfeartotrust.com
deux-studios.com
wallinders.com
nilton-g.com
yijiamobile.com
ocheap3dbuy.com
flima2020a.site
battlefieldtitle.site
ferrebaviera.com
plushmint.com
achievementfound.com
dontbringcovidhome.com
cultigique.com
waveplumb.com
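The extracted config above is only useful once it is turned into something that can be matched against traffic. The following is an added example written for this page (not code from the sandbox or from the Formbook family itself): it derives the check-in path from the C2 URL, normalises the decoy list into a host set, classifies requests as C2, decoy or unrelated, runs that over a few constructed proxy log lines, and emits a Suricata rule keyed on the URI path. It assumes, as Formbook 4.x does, that the same URI path is used against every configured domain; the log format, the nine-domain subset, the function names and the local-range sid are this example's own choices.

```python
"""Added example, not part of the sandbox report: turn the extracted Formbook
config into a host/URI matcher and run it over constructed proxy log lines.

Assumption (labelled): Formbook 4.x sends its check-in to each configured
domain with the same URI path as the C2 URL, so the path (/hth0/ here) is the
stable element and the domain list is the host set to match against.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# From the report: C2 URL and a subset of the decoy domain list.
C2_URL = "http://www.valiantfinancial.net/hth0/"
DECOY_DOMAINS = [
    "grahamandjana.com", "surfpodcastnetwork.com", "valkyrie20.com",
    "hire4looks.com", "wewalkfastasone.com", "saveourschoolyear.com",
    "5g23e.com", "abusinesssystems.com", "telefonepantalla.com",
]


def normalize_host(host: str) -> str:
    """Lower-case and drop a leading 'www.' so config entries and log hosts compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_matcher(c2_url: str, decoys: List[str]):
    """Return (c2_host, decoy_set, uri_path) derived from the config."""
    parts = urlsplit(c2_url)
    return normalize_host(parts.hostname), {normalize_host(d) for d in decoys}, parts.path


def classify_request(url: str, c2_url: str = C2_URL,
                     decoys: List[str] = DECOY_DOMAINS) -> Optional[str]:
    """Classify one requested URL: 'c2', 'decoy', or None if it does not match the config."""
    c2_host, decoy_set, path = build_matcher(c2_url, decoys)
    parts = urlsplit(url)
    if not parts.hostname or not parts.path.startswith(path):
        return None
    host = normalize_host(parts.hostname)
    if host == c2_host:
        return "c2"
    if host in decoy_set:
        return "decoy"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Scan 'timestamp src_ip method url status' lines (constructed format);
    return (src_ip, method, url, verdict) for every request matching the config.
    POSTs are kept on purpose: the GET is the check-in, later POSTs carry stolen data."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, src_ip, method, url, _status = fields[:5]
        verdict = classify_request(url)
        if verdict:
            hits.append((src_ip, method.upper(), url, verdict))
    return hits


def suricata_rule(c2_url: str = C2_URL, sid: int = 1000001) -> str:
    """Emit a Suricata rule keyed on the config's URI path (sid is a local-range placeholder)."""
    path = urlsplit(c2_url).path
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any ('
        f'msg:"LOCAL Formbook check-in path {path}"; flow:established,to_server; '
        'http.method; content:"GET"; '
        f'http.uri; content:"{path}"; startswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


# Constructed sample log lines (not taken from the report's network capture).
SAMPLE_LOG = [
    "2021-07-23T12:51:02Z 10.0.0.15 GET http://www.valiantfinancial.net/hth0/?abc=1 404",
    "2021-07-23T12:51:03Z 10.0.0.15 GET http://www.grahamandjana.com/hth0/?abc=1 404",
    "2021-07-23T12:51:04Z 10.0.0.15 POST http://www.5g23e.com/hth0/ 200",
    "2021-07-23T12:51:05Z 10.0.0.15 GET http://www.5g23e.com/index.html 200",
    "2021-07-23T12:51:06Z 10.0.0.22 GET http://example.com/hth0/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(suricata_rule())
```

The host-only blocklist on its own produces noise (a decoy domain may be a legitimate site the victim visits); combining host and path, as the matcher does, is what separates Formbook beacons from ordinary browsing to the same domain. The rule string uses the Suricata 5+ sticky buffers `http.method` and `http.uri`, so it needs adapting for older rule syntax.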
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)

- Formbook Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1540-129-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral2/memory/1540-130-0x000000000041ED60-mapping.dmp                    formbook
  behavioral2/memory/2064-136-0x0000000000630000-0x000000000065E000-memory.dmp  formbook

- Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process            target process
  PID 628 set thread context of 1540   628   Documents pdf.exe  Documents pdf.exe
  PID 1540 set thread context of 2996  1540  Documents pdf.exe  Explorer.EXE
  PID 2064 set thread context of 2996  2064  cmmon32.exe        Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for this sample, which is classified as Formbook (an infostealer), drive enumeration on its own is not evidence of ransomware.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid   process            events
  1540  Documents pdf.exe  4
  2064  cmmon32.exe        40

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  2996  Explorer.EXE

- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process            events
  1540  Documents pdf.exe  3
  2064  cmmon32.exe        2

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1540  Documents pdf.exe
  Token: SeDebugPrivilege  2064  cmmon32.exe

- Suspicious use of UnmapMainImage (1 IoCs)
  pid   process
  2996  Explorer.EXE

- Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   process            target process     events
  PID 628 wrote to memory of 2960   628   Documents pdf.exe  schtasks.exe       3
  PID 628 wrote to memory of 1540   628   Documents pdf.exe  Documents pdf.exe  6
  PID 2996 wrote to memory of 2064  2996  Explorer.EXE       cmmon32.exe        3
  PID 2064 wrote to memory of 3688  2064  cmmon32.exe        cmd.exe            3
Processes
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Documents pdf.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Documents pdf.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PwTRIU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A99.tmp"
            (the command line names System32 but the image ran from SysWOW64: the 32-bit dropper's path is subject to WoW64 file system redirection)
            - Creates scheduled task(s)
        [3] C:\Users\Admin\AppData\Local\Temp\Documents pdf.exe
            cmdline: "{path}"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\cmmon32.exe
        cmdline: "C:\Windows\SysWOW64\cmmon32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: /c del "C:\Users\Admin\AppData\Local\Temp\Documents pdf.exe"
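The Signatures tables and the process tree above together describe one chain: the dropper hollows a copy of itself, the hollowed copy hijacks a thread in Explorer, Explorer starts cmmon32.exe and writes into it, cmmon32.exe hijacks Explorer again and finally spawns cmd.exe to delete the original file. The following is an added example written for this page (not code from the sandbox) that rebuilds that chain from the report's rows and flags each Formbook-style step. The PROCESSES, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, MAP_VIEW_OF_SECTION and CMDLINES tables are transcribed from the report (the WriteProcessMemory rows are de-duplicated); the function names and the pairing rules are this example's own.

```python
"""Added example, not part of the sandbox report: rebuild the injection chain
from the Signatures tables and process tree and flag the Formbook-style
pattern (self-hollowing, injection into Explorer, relay through a SysWOW64
binary, scheduled-task persistence, self-deletion)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# pid -> image name, as listed in the report's process tree
PROCESSES: Dict[int, str] = {
    2996: "Explorer.EXE",
    628: "Documents pdf.exe",
    2960: "schtasks.exe",
    1540: "Documents pdf.exe",
    2064: "cmmon32.exe",
    3688: "cmd.exe",
}
# "Suspicious use of SetThreadContext" rows: (source pid, target pid)
SET_THREAD_CONTEXT = [(628, 1540), (1540, 2996), (2064, 2996)]
# "Suspicious use of WriteProcessMemory" rows, de-duplicated: (source pid, target pid)
WRITE_PROCESS_MEMORY = [(628, 2960), (628, 1540), (2996, 2064), (2064, 3688)]
# "Suspicious behavior: MapViewOfSection" rows: pid -> event count
MAP_VIEW_OF_SECTION = {1540: 3, 2064: 2}
# Command lines from the process tree (pid -> cmdline)
CMDLINES = {
    2960: '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\PwTRIU" '
          '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp3A99.tmp"',
    3688: '/c del "C:\\Users\\Admin\\AppData\\Local\\Temp\\Documents pdf.exe"',
}
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Documents pdf.exe"


def find_hollowing(processes, writes, ctx) -> List[Tuple[int, int]]:
    """Self-injection: the parent writes into a child with the same image name and
    then replaces the child's thread context (classic process hollowing)."""
    writers = set(writes)
    return [(s, d) for s, d in ctx
            if (s, d) in writers and s != d and processes[s] == processes[d]]


def find_explorer_injection(processes, ctx, mapview) -> List[Tuple[int, int, int]]:
    """SetThreadContext into Explorer from a non-Explorer process; the source's
    MapViewOfSection count is carried along because there is no matching
    WriteProcessMemory row: the payload arrives by section mapping, not writes."""
    return [(s, d, mapview.get(s, 0)) for s, d in ctx
            if processes[d].lower() == "explorer.exe"
            and processes[s].lower() != "explorer.exe"]


def find_relay(processes, writes, ctx) -> List[Tuple[int, int]]:
    """Explorer writes into a process that in turn hijacks Explorer: the code
    already running inside Explorer is relaying through a second host binary."""
    ctx_set = set(ctx)
    return [(s, d) for s, d in writes
            if processes[s].lower() == "explorer.exe" and (d, s) in ctx_set]


def find_self_delete(cmdlines, sample_path) -> List[int]:
    """cmd.exe /c del pointed at the original sample path."""
    return [pid for pid, cl in cmdlines.items()
            if "/c del" in cl.lower() and sample_path.lower() in cl.lower()]


def find_schtasks_xml(cmdlines) -> List[int]:
    """schtasks /Create fed from an XML file: persistence defined out of band."""
    return [pid for pid, cl in cmdlines.items()
            if "schtasks" in cl.lower() and "/xml" in cl.lower()]


def walk_chain(processes, writes, ctx, start: int) -> List[int]:
    """Follow thread-context hijacks from `start`; where a process hijacks nobody,
    step to a write target that itself goes on to hijack someone. Stops at the
    first revisited pid, which is kept so the loop back into Explorer is visible."""
    ctx_next = dict(ctx)
    write_next = defaultdict(list)
    for s, d in writes:
        write_next[s].append(d)
    chain, seen, cur = [start], {start}, start
    while True:
        nxt = ctx_next.get(cur)
        if nxt is None:
            cands = [d for d in write_next.get(cur, []) if d in ctx_next and d not in seen]
            nxt = cands[0] if cands else None
        if nxt is None:
            return chain
        chain.append(nxt)
        if nxt in seen:
            return chain
        seen.add(nxt)
        cur = nxt


def describe_chain(processes, chain) -> str:
    return " -> ".join(f"{pid} {processes[pid]}" for pid in chain)


if __name__ == "__main__":
    print(describe_chain(PROCESSES, walk_chain(PROCESSES, WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT, 628)))
    print("hollowing:", find_hollowing(PROCESSES, WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT))
    print("explorer injection:", find_explorer_injection(PROCESSES, SET_THREAD_CONTEXT, MAP_VIEW_OF_SECTION))
    print("relay:", find_relay(PROCESSES, WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT))
    print("self-delete:", find_self_delete(CMDLINES, SAMPLE_PATH))
    print("schtasks /XML:", find_schtasks_xml(CMDLINES))
```

The pairing rules are what make the verdicts defensible: a lone WriteProcessMemory into a child is what any parent does at start-up, and a lone SetThreadContext can be a debugger, but write-plus-hijack into a same-named child, or hijack of Explorer from a process that is also mapping sections, has no benign reading on an end-user workstation. The same rules apply to any sandbox or EDR feed that exposes these three primitives per process pair.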
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3A99.tmp
  MD5     892d199bb47b34d23f86eda3f47d83d1
  SHA1    46101a313e64d34d511d201e1a75c5f063ffcd07
  SHA256  1f095a66a580a135e5a182735b3912fc69a81897ca95ce60a0b81c43bdd97286
  SHA512  5a0c7ec2832d81a96f96c5bfcb9d5e8a915c3a850b756c7246819f7b891c8dfa9a67f031bc0839bc956406938c10389345640b257be2569b8a54cc8373e72e36
- memory/628-125-0x00000000050A0000-0x000000000512A000-memory.dmp (552KB)
- memory/628-120-0x0000000004B40000-0x0000000004B41000-memory.dmp (4KB)
- memory/628-126-0x0000000005010000-0x000000000504A000-memory.dmp (232KB)
- memory/628-116-0x0000000004950000-0x00000000049B7000-memory.dmp (412KB)
- memory/628-114-0x0000000000150000-0x0000000000151000-memory.dmp (4KB)
- memory/628-121-0x000000000E2C0000-0x000000000E2C1000-memory.dmp (4KB)
- memory/628-122-0x0000000004B80000-0x0000000004B82000-memory.dmp (8KB)
- memory/628-123-0x0000000004B73000-0x0000000004B75000-memory.dmp (8KB)
- memory/628-124-0x0000000004C30000-0x0000000004C31000-memory.dmp (4KB)
- memory/628-119-0x0000000004B70000-0x0000000004B71000-memory.dmp (4KB)
- memory/628-118-0x0000000009F00000-0x0000000009F01000-memory.dmp (4KB)
- memory/628-117-0x000000000A400000-0x000000000A401000-memory.dmp (4KB)
- memory/1540-129-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/1540-130-0x000000000041ED60-mapping.dmp
- memory/1540-132-0x00000000014F0000-0x0000000001504000-memory.dmp (80KB)
- memory/1540-131-0x0000000001520000-0x0000000001840000-memory.dmp (3.1MB)
- memory/2064-138-0x00000000045E0000-0x0000000004900000-memory.dmp (3.1MB)
- memory/2064-139-0x0000000004440000-0x00000000044D3000-memory.dmp (588KB)
- memory/2064-134-0x0000000000000000-mapping.dmp
- memory/2064-136-0x0000000000630000-0x000000000065E000-memory.dmp (184KB)
- memory/2064-135-0x0000000000E90000-0x0000000000E9C000-memory.dmp (48KB)
- memory/2960-127-0x0000000000000000-mapping.dmp
- memory/2996-133-0x0000000007080000-0x0000000007151000-memory.dmp (836KB)
- memory/2996-140-0x0000000009130000-0x0000000009299000-memory.dmp (1.4MB)
- memory/3688-137-0x0000000000000000-mapping.dmp