Analysis
- max time kernel: 149s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 21-10-2021 13:32
Static task: static1
Behavioral task: behavioral1
Sample: Factura de proforma.exe
Resource: win7-en-20211014
General
- Target: Factura de proforma.exe
- Size: 973KB
- MD5: 3b28cc0c40a9122c19279e34ede6b2a6
- SHA1: 2c97655615b623605be40e708295e12499674640
- SHA256: c4b4ddf8aec0347fd4640a12009f51ba60ed1b202e18b421a3faef74bfe18ea1
- SHA512: 95fc3c78c572285fa8b13993dab2cf25e5c2efbe6aa40930c7745d5b3f3bdecb14a51f6a3f78ac66ec5307b7a97d4843615f78639b5d815f16b4b31e086e3d08
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: bc3s
- C2: http://www.topei-products.com/bc3s/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1664-61-0x0000000000000000-mapping.dmp: formbook
  - behavioral1/memory/1664-65-0x0000000072480000-0x00000000724AE000-memory.dmp: formbook
  - behavioral1/memory/1176-71-0x0000000000100000-0x000000000012E000-memory.dmp: formbook
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Factura de proforma.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tfiudl = "C:\\Users\\Public\\lduifT.url" (process: Factura de proforma.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: DpiScaling.exe, systray.exe
  - PID 1664 (DpiScaling.exe) set thread context of PID 1276 (Explorer.EXE)
  - PID 1176 (systray.exe) set thread context of PID 1276 (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes: DpiScaling.exe, systray.exe
  - PID 1664 DpiScaling.exe (2 entries)
  - PID 1176 systray.exe (26 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE
  - PID 1276 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: DpiScaling.exe, systray.exe
  - PID 1664 DpiScaling.exe (3 entries)
  - PID 1176 systray.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: DpiScaling.exe, systray.exe
  - Token: SeDebugPrivilege, PID 1664 DpiScaling.exe
  - Token: SeDebugPrivilege, PID 1176 systray.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: Explorer.EXE
  - PID 1276 Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (5 IoCs)
  Processes: Explorer.EXE
  - PID 1276 Explorer.EXE (5 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: Factura de proforma.exe, Explorer.EXE, systray.exe
  - PID 1836 (Factura de proforma.exe) wrote to memory of PID 1664 (DpiScaling.exe) (7 entries)
  - PID 1276 (Explorer.EXE) wrote to memory of PID 1176 (systray.exe) (4 entries)
  - PID 1176 (systray.exe) wrote to memory of PID 1992 (cmd.exe) (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Factura de proforma.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Factura de proforma.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\DpiScaling.exe (level 2)
    Command line: C:\Windows\System32\DpiScaling.exe
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\systray.exe (level 2)
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Windows\SysWOW64\DpiScaling.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1176-74-0x0000000001CC0000-0x0000000001D53000-memory.dmp (588KB)
- memory/1176-72-0x0000000001E40000-0x0000000002143000-memory.dmp (3.0MB)
- memory/1176-70-0x00000000002C0000-0x00000000002C5000-memory.dmp (20KB)
- memory/1176-71-0x0000000000100000-0x000000000012E000-memory.dmp (184KB)
- memory/1176-69-0x0000000000000000-mapping.dmp
- memory/1276-68-0x0000000004390000-0x0000000004463000-memory.dmp (844KB)
- memory/1276-75-0x0000000007100000-0x000000000722C000-memory.dmp (1.2MB)
- memory/1664-59-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
- memory/1664-66-0x0000000001EF0000-0x00000000021F3000-memory.dmp (3.0MB)
- memory/1664-65-0x0000000072480000-0x00000000724AE000-memory.dmp (184KB)
- memory/1664-67-0x0000000000280000-0x0000000000294000-memory.dmp (80KB)
- memory/1664-64-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)
- memory/1664-61-0x0000000000000000-mapping.dmp
- memory/1664-58-0x0000000072480000-0x00000000724AE000-memory.dmp (184KB)
- memory/1836-55-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)
- memory/1836-57-0x0000000075D41000-0x0000000075D43000-memory.dmp (8KB)
- memory/1836-56-0x0000000000241000-0x0000000000255000-memory.dmp (80KB)
- memory/1992-73-0x0000000000000000-mapping.dmp