Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-07-2021 14:05

Static task: static1
Behavioral task: behavioral1
Sample: Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe
Resource: win7v20210408
General
- Target: Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe
- Size: 612KB
- MD5: 1b4ef34299d4b6b9d6c8af470be15953
- SHA1: 5c805afe83fd41d04bc3f119e1a635c2b1ae5f65
- SHA256: f5f2c341e235dbe728a9545c0e308f1c3a13c73505da2f72f07874cd63b07031
- SHA512: d97d1eaa7071fe5bfc7c0a5908fafb8c6950545887b734d802eea16fbf9904587cd1934984d89ade71f8b1a2e0008c214353adc4ff9ba207035fcfc811f80179
Malware Config
Extracted
formbook
4.1
http://www.elitegamerblog.com/gsg0/
telprix.com
multiremates.com
heytiday.com
toporganik.com
tutorincranleigh.com
oakandolivemalibu.com
ronaldvalentine.com
waytopshop.com
mythai-massage.com
matrixresults.com
teamwork256.com
qqemas.men
qnmark.com
rock-singer.com
mobiledevpros.com
miramar-agents.com
desjour.com
edensplace.net
ryanrafuls.com
xg8197.com
attakapas-ishak.com
very-easy-drive.com
smokeva.com
thebestgameofalltime.com
andrewrobertlawler.com
ikran-parts.com
todolieu.com
23sdsd.com
rodrigorondon.net
dirtyslushieandmore.com
bancodisantander.com
grosbeakgardens.com
cheaprestorations.com
rivertonfallfest.com
miragate.com
freedomcommercialcleaning.com
itoatoapparel.com
rodograss.com
discreetfinding.com
nanfangguniang.show
pharmacistshoko.com
pedegohyannis.com
janmt.com
high55.com
onefitearth.com
differentabilities.net
actsbooking.com
themesthatyoulike.com
justbrittany.com
serviceslincoln.com
dfa6r5.com
42everything.com
thekindergartensmorgasbord.com
wackomeat.com
admixphotovision.com
summer-activity-holidays.com
x2emails.xyz
frewave.com
legitimaterefunds.com
irishebikes.com
hauntspeak.com
cheerasia.com
nieght.com
shaunteeandrodlove.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
Processes (resource | yara_rule):
- behavioral2/memory/568-121-0x0000000005230000-0x000000000523B000-memory.dmp | CustAttr
Formbook Payload (3 IoCs)
Processes (resource | yara_rule):
- behavioral2/memory/2228-124-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
- behavioral2/memory/2228-125-0x000000000041EB40-mapping.dmp | formbook
- behavioral2/memory/2152-132-0x0000000001050000-0x000000000107E000-memory.dmp | formbook
Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid | process | target process):
- PID 568 set thread context of 2228 | 568 | Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe | Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe
- PID 2228 set thread context of 2988 | 2228 | Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe | Explorer.EXE
- PID 2152 set thread context of 2988 | 2152 | systray.exe | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (42 IoCs)
Processes (pid | process):
- 2228 | Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe (4 entries)
- 2152 | systray.exe (38 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
- 2988 | Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid | process):
- 2228 | Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe (3 entries)
- 2152 | systray.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2228 | Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe
- Token: SeDebugPrivilege | 2152 | systray.exe
Suspicious use of UnmapMainImage (1 IoC)
Processes (pid | process):
- 2988 | Explorer.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description | pid | process | target process):
- PID 568 wrote to memory of 2228 | 568 | Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe | Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe (6 entries)
- PID 2988 wrote to memory of 2152 | 2988 | Explorer.EXE | systray.exe (3 entries)
- PID 2152 wrote to memory of 2100 | 2152 | systray.exe | cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice No.42037 dated 26032021 for USD.78116.pdf.exe"
Network
MITRE ATT&CK Matrix
Downloads (file | filesize)
- memory/568-114-0x00000000005F0000-0x00000000005F1000-memory.dmp | 4KB
- memory/568-116-0x00000000053E0000-0x00000000053E1000-memory.dmp | 4KB
- memory/568-117-0x0000000004F80000-0x0000000004F81000-memory.dmp | 4KB
- memory/568-118-0x0000000005020000-0x0000000005021000-memory.dmp | 4KB
- memory/568-119-0x0000000002970000-0x0000000002971000-memory.dmp | 4KB
- memory/568-120-0x0000000004EE0000-0x00000000053DE000-memory.dmp | 5.0MB
- memory/568-121-0x0000000005230000-0x000000000523B000-memory.dmp | 44KB
- memory/568-122-0x0000000007560000-0x00000000075D9000-memory.dmp | 484KB
- memory/568-123-0x00000000075E0000-0x0000000007615000-memory.dmp | 212KB
- memory/2100-130-0x0000000000000000-mapping.dmp
- memory/2152-129-0x0000000000000000-mapping.dmp
- memory/2152-132-0x0000000001050000-0x000000000107E000-memory.dmp | 184KB
- memory/2152-131-0x0000000001140000-0x0000000001146000-memory.dmp | 24KB
- memory/2152-133-0x0000000004FD0000-0x00000000052F0000-memory.dmp | 3.1MB
- memory/2152-134-0x0000000004E00000-0x0000000004E93000-memory.dmp | 588KB
- memory/2228-125-0x000000000041EB40-mapping.dmp
- memory/2228-127-0x0000000001520000-0x0000000001534000-memory.dmp | 80KB
- memory/2228-126-0x0000000001A20000-0x0000000001D40000-memory.dmp | 3.1MB
- memory/2228-124-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
- memory/2988-128-0x00000000060F0000-0x0000000006292000-memory.dmp | 1.6MB
- memory/2988-135-0x00000000050E0000-0x000000000525B000-memory.dmp | 1.5MB