Analysis
max time kernel: 150s
max time network: 147s
platform: windows10_x64
resource: win10-en-20211014
submitted: 25-10-2021 17:41
Static task: static1
Behavioral task: behavioral1
Sample: Nueva orden de compra.Pdf.exe
Resource: win7-en-20210920
General
Target: Nueva orden de compra.Pdf.exe
Size: 365KB
MD5: 59fc1e1a88d9c4968b50d8c07711da9b
SHA1: 4f5ed7418b6af7e875608604efe3c7aec58fba92
SHA256: 478d38451c9a4af35bb5de2ada58dfe7495a224d122d9639c6d68fc55c4bf411
SHA512: edc96bbfa0e1fb9a3711d3d59349ed281674f21a0da3474c1179ea075171d55f0d37363a028e4266c3d87fe166dd15186f11d11c0c97f3a1a893e9c44342d3a8
Malware Config
Extracted
formbook
4.1
dv9n
http://www.elianedefalco.com/dv9n/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource / yara_rule
behavioral2/memory/2504-125-0x0000000000400000-0x000000000042F000-memory.dmp / formbook
behavioral2/memory/2504-126-0x000000000041F190-mapping.dmp / formbook
behavioral2/memory/680-134-0x00000000001B0000-0x00000000001DF000-memory.dmp / formbook
Suspicious use of SetThreadContext 3 IoCs
Processes:
Processes involved: Nueva orden de compra.Pdf.exe, RegSvcs.exe, NETSTAT.EXE
description / pid / process / target process
PID 1524 set thread context of 2504 / 1524 / Nueva orden de compra.Pdf.exe / RegSvcs.exe
PID 2504 set thread context of 3064 / 2504 / RegSvcs.exe / Explorer.EXE
PID 680 set thread context of 3064 / 680 / NETSTAT.EXE / Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid / process
680 / NETSTAT.EXE
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
Processes involved: Nueva orden de compra.Pdf.exe, RegSvcs.exe, NETSTAT.EXE
pid / process (48 entries in total)
1524 / Nueva orden de compra.Pdf.exe (4 entries)
2504 / RegSvcs.exe (4 entries)
680 / NETSTAT.EXE (40 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid / process
3064 / Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
Processes involved: RegSvcs.exe, NETSTAT.EXE
pid / process
2504 / RegSvcs.exe (3 entries)
680 / NETSTAT.EXE (2 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Processes involved: Nueva orden de compra.Pdf.exe, RegSvcs.exe, NETSTAT.EXE
description / pid / process
Token: SeDebugPrivilege / 1524 / Nueva orden de compra.Pdf.exe
Token: SeDebugPrivilege / 2504 / RegSvcs.exe
Token: SeDebugPrivilege / 680 / NETSTAT.EXE
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Processes involved: Nueva orden de compra.Pdf.exe, Explorer.EXE, NETSTAT.EXE
description / pid / process / target process
PID 1524 wrote to memory of 2088 / 1524 / Nueva orden de compra.Pdf.exe / schtasks.exe (3 entries)
PID 1524 wrote to memory of 2852 / 1524 / Nueva orden de compra.Pdf.exe / RegSvcs.exe (3 entries)
PID 1524 wrote to memory of 2504 / 1524 / Nueva orden de compra.Pdf.exe / RegSvcs.exe (6 entries)
PID 3064 wrote to memory of 680 / 3064 / Explorer.EXE / NETSTAT.EXE (3 entries)
PID 680 wrote to memory of 704 / 680 / NETSTAT.EXE / cmd.exe (3 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Nueva orden de compra.Pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Nueva orden de compra.Pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QvxslQsYkA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp86DF.tmp"
      - Creates scheduled task(s)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\NETSTAT.EXE
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6