Overview

Score per task as shown on the report tabs (sample names truncated as displayed; full names are in the task list below):

Task          Sample                 Platform        Score
static1       static                 -               10
behavioral1   BL. NO. AN...21.exe    windows7_x64    8
behavioral2   BL. NO. AN...21.exe    windows10_x64   10
behavioral3   Sample_101...mg.exe    windows7_x64    10
behavioral4   Sample_101...mg.exe    windows10_x64   10
behavioral5   Invoice 19...df.exe    windows7_x64    10
behavioral6   Invoice 19...df.exe    windows10_x64   1
behavioral7   Leak/PROFO...CE.doc    windows7_x64    10
behavioral8   Leak/PROFO...CE.doc    windows10_x64   10
behavioral9   Payment re...df.exe    windows7_x64    1
behavioral10  Payment re...df.exe    windows10_x64   10
behavioral11  Leak/Profo...mg.xls    windows7_x64    10
behavioral12  Leak/Profo...mg.xls    windows10_x64   10
Analysis (this report: behavioral10, score 10)

Max time kernel:   600s
Max time network:  597s
Platform:          windows10_x64
Resource:          win10-en-20210920
Submitted:         26-10-2021 07:00
Tasks

Task          Sample                                 Resource
static1       -                                      -
behavioral1   BL. NO. ANSMUNDAR3621.exe              win7-en-20211014
behavioral2   BL. NO. ANSMUNDAR3621.exe              win10-en-20210920
behavioral3   Sample_10120351200_ISO_035117img.exe   win7-en-20210920
behavioral4   Sample_10120351200_ISO_035117img.exe   win10-en-20211014
behavioral5   Invoice 1905-20-1907-20.pdf.exe        win7-en-20210920
behavioral6   Invoice 1905-20-1907-20.pdf.exe        win10-en-20211014
behavioral7   Leak/PROFORMA INVOICE.doc              win7-en-20210920
behavioral8   Leak/PROFORMA INVOICE.doc              win10-en-20211014
behavioral9   Payment receipt.pdf.exe                win7-en-20210920
behavioral10  Payment receipt.pdf.exe                win10-en-20210920
behavioral11  Leak/Proforma invoice35117img.xls      win7-en-20211014
behavioral12  Leak/Proforma invoice35117img.xls      win10-en-20210920
General

Target:  Payment receipt.pdf.exe
Size:    707KB
MD5:     d4be4730ee0e801938ae40b02b5ec346
SHA1:    5a36a50fe19f08f5c34db24127b43bdceb85bb42
SHA256:  0e6c644f1252507e018b0fbe6b83902adcd2278a083fe1902092f627babf3711
SHA512:  d4e4a31f6be9df302010ef550191ab5c4f37aaa277e61b88600253ebd8cb7f3a670b13dfd459dc75f88946f78bc2403ca6739d042a6909411bd20dcfda149a29
Malware Config

Extracted (formbook config)
Family:    formbook
Version:   4.1
Campaign:  mo9n
C2:        http://www.lievival.info/mo9n/
Decoy domains:
circuit-town.com
stock-high.xyz
barlindelivery.com
littletoucans.com
bright-tailor.com
firsthandcares.com
ecompropeller.com
circuitoalberghiero.net
creative-egyptps.com
bitracks56.com
douhonghong.com
fingertipcollection.com
happy-bihada.space
blockchainairdropreward.com
xn--reljame-jwa.com
polloycarnesdelivery.com
d22.group
eslamshahrservice.com
vanzing.com
juzide.com
g5795ky.com
ufound1.com
cifbit.com
shawtopia.com
tourmethere.com
heritagepedia.com
832391.com
voltera.solar
greatergods.com
shchengtang.com
oyakudachibiz.com
kentislandeats.com
quietaou.com
infinitephoenix.club
tmrtg.com
menes.digital
sefappliancerepair.com
tnghana.com
tanyan.xyz
findyourtrailhead.com
labizandbryan.com
agnesdesigner.net
lebai100.com
lz-fcaini1718-hw0917-bs.xyz
nucleustudio.com
smartsparklegal.com
streets4suites.com
neo-graphite.com
maquinariaarenastlaxmexcom.com
svartmancoaching.com
icarus-groupe.com
media777.club
juicyyjuicebox.com
sakinawlake.properties
escrubpro.com
onlinecasino-tengoku.com
ganymede.sbs
sunshineprofitness.com
solideo.place
septemberstockevent100.com
tjginde.com
shopamwplanner.com
ee7r.com
sootherelaxandheal.com
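The extracted config is the useful output of this run: one real C2 (lievival.info under the campaign path /mo9n/) padded with decoy domains that the bot also contacts. The script below is an added example, not Triage's code: it copies the config values from this report, normalises hosts so that www.lievival.info and a DNS log's lievival.info compare equal (an assumption about how the bot and the config differ), decodes the punycode decoy for display, and ranks a handful of constructed proxy-log lines (not traffic from this sandbox run) as C2, decoy, campaign-path-only, or no match. The verdict labels and the decoy subset are the author's own.

```python
"""Indicator handling for the FormBook config extracted above.

Added example (not Triage's code).  The config values are copied from this
report; the log lines and the verdict labels are the author's own.
"""
from urllib.parse import urlparse

# From the Malware Config section of this report.
C2_URL = "http://www.lievival.info/mo9n/"
# Subset of the decoy list above; the full list is handled the same way.
DECOYS = [
    "circuit-town.com", "stock-high.xyz", "barlindelivery.com",
    "xn--reljame-jwa.com", "d22.group", "832391.com", "voltera.solar",
]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so the config's
    www.lievival.info and a DNS log's lievival.info compare equal
    (assumption: bot traffic and config differ only by that prefix)."""
    h = host.strip().lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def display_name(host: str) -> str:
    """Decode punycode labels for the analyst; matching stays on the raw form."""
    return host.encode("ascii").decode("idna")


C2_HOST = normalize_host(urlparse(C2_URL).hostname)   # lievival.info
C2_PATH = urlparse(C2_URL).path                        # /mo9n/
DECOY_SET = {normalize_host(d) for d in DECOYS}


def classify(host: str, path: str = "/") -> str:
    """Rank one DNS/HTTP observation against the config.

    'c2'            the real C2 host, any path
    'decoy'         a decoy: FormBook beacons to these too, so it is still
                    evidence of infection, but nobody is listening there
    'campaign-path' unknown host carrying the campaign path; worth a look
    'none'          no match
    """
    h = normalize_host(host)
    if h == C2_HOST:
        return "c2"
    if h in DECOY_SET:
        return "decoy"
    if path.startswith(C2_PATH):
        return "campaign-path"
    return "none"


# Constructed log lines (not from the sandbox run): "<ts> <src_ip> <method> <url>"
SAMPLE_LOG = """\
2021-10-26T07:01:12Z 10.0.2.15 GET http://www.lievival.info/mo9n/?x=1
2021-10-26T07:01:14Z 10.0.2.15 GET http://www.circuit-town.com/mo9n/?x=1
2021-10-26T07:01:15Z 10.0.2.15 GET http://www.xn--reljame-jwa.com/mo9n/?x=1
2021-10-26T07:01:20Z 10.0.2.15 GET http://update.example.net/mo9n/?x=1
2021-10-26T07:02:00Z 10.0.2.15 GET http://www.microsoft.com/
"""


def triage(log: str) -> dict:
    """Map each verdict to the hosts (decoded for display) that produced it."""
    out = {}
    for line in log.splitlines():
        _ts, _ip, _method, url = line.split(maxsplit=3)
        u = urlparse(url)
        out.setdefault(classify(u.hostname, u.path), []).append(display_name(u.hostname))
    return out


if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_LOG).items():
        print(f"{verdict:14} {', '.join(hosts)}")
```

Matching is done on the raw ASCII form; the decoded name ("relájame.com" for xn--reljame-jwa.com) is only for the analyst reading the output, since a resolver log will carry the xn-- label.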
Signatures

Formbook Payload (3 IoCs)
Resource                                                                       YARA rule
behavioral10/memory/3996-126-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral10/memory/3996-127-0x000000000041F110-mapping.dmp                    formbook
behavioral10/memory/2012-134-0x0000000000A40000-0x0000000000A6F000-memory.dmp  formbook

Suspicious use of SetThreadContext (3 IoCs)
PID   Process                  Target PID  Target process
2044  Payment receipt.pdf.exe  3996        Payment receipt.pdf.exe
3996  Payment receipt.pdf.exe  3040        Explorer.EXE
2012  wscript.exe              3040        Explorer.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID   Process                  Events
3996  Payment receipt.pdf.exe  4
2012  wscript.exe              60

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID   Process
3040  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
PID   Process                  Events
3996  Payment receipt.pdf.exe  3
2012  wscript.exe              2

Suspicious use of AdjustPrivilegeToken (6 IoCs)
PID   Process                  Token
3996  Payment receipt.pdf.exe  SeDebugPrivilege
2012  wscript.exe              SeDebugPrivilege
3040  Explorer.EXE             SeShutdownPrivilege
3040  Explorer.EXE             SeCreatePagefilePrivilege
3040  Explorer.EXE             SeShutdownPrivilege
3040  Explorer.EXE             SeCreatePagefilePrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
PID   Process                  Target PID  Target process           Writes
2044  Payment receipt.pdf.exe  3996        Payment receipt.pdf.exe  6
3040  Explorer.EXE             2012        wscript.exe              3
2012  wscript.exe              1908        cmd.exe                  3
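Read together, the SetThreadContext and WriteProcessMemory records describe one chain: the dropper (PID 2044) starts a second copy of itself (3996), writes into it and resets its thread context (hollowing); the hollowed copy redirects a thread in Explorer.EXE (3040); Explorer then starts wscript.exe (2012) and writes into it; wscript.exe injects Explorer again and starts cmd.exe (1908) to delete the original file. The script below is an added example, not Triage's detection logic: it takes the PID, image, parent and call data copied from this report's Signatures and Processes sections and derives those findings with rules of the author's own (names and conditions are assumptions, not Triage's signature definitions).

```python
"""Reconstruct the injection chain from the SetThreadContext and
WriteProcessMemory records above.

Added example, not Triage's detection code.  PID/image/parent data is
copied from this report; the rule names and conditions are the author's own.
"""
import ntpath
import re

# (source pid, target pid) -> number of WriteProcessMemory calls (from the report)
WPM = {(2044, 3996): 6, (3040, 2012): 3, (2012, 1908): 3}
# (source pid, target pid) per SetThreadContext call, in report order
STC = [(2044, 3996), (3996, 3040), (2012, 3040)]
IMAGE = {
    3040: "Explorer.EXE",
    2044: "Payment receipt.pdf.exe",
    3996: "Payment receipt.pdf.exe",
    2904: "autochk.exe",
    2012: "wscript.exe",
    1908: "cmd.exe",
}
PARENT = {2044: 3040, 3996: 2044, 2904: 3040, 2012: 3040, 1908: 2012}
CMDLINE = {1908: r'/c del "C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"'}


def injection_chain(wpm, stc, image, parent):
    """Return (rule, source_pid, target_pid) findings.

    Writing into your own child and then resetting the child's thread
    context is hollowing; SetThreadContext on a process you did not create
    is a thread hijack into a live process.  A process that has itself been
    injected and then writes into a child of its own is the payload moving
    on, not the host's normal behaviour.
    """
    findings = []
    stc_set = set(stc)
    for src, dst in stc:
        if parent.get(dst) == src and wpm.get((src, dst), 0) > 0:
            rule = "self-hollowing" if image[src] == image[dst] else "hollowing"
            findings.append((rule, src, dst))
        elif parent.get(dst) != src:
            findings.append(("thread hijack into live process", src, dst))
    injected = {dst for _, dst in stc}
    for (src, dst), _writes in wpm.items():
        if src in injected and parent.get(dst) == src and (src, dst) not in stc_set:
            findings.append(("injected host writes into new child", src, dst))
    return findings


def self_delete(cmdline, image):
    """Flag 'cmd /c del <file>' whose target is the image name of a process
    in this tree: the dropper removing itself after migrating elsewhere."""
    names = {n.lower() for n in image.values()}
    out = []
    for pid, cl in cmdline.items():
        m = re.search(r'\bdel\s+"?([^"]+?)"?\s*$', cl, re.IGNORECASE)
        if m and ntpath.basename(m.group(1)).lower() in names:
            out.append(("dropper self-delete", pid, m.group(1)))
    return out


if __name__ == "__main__":
    for rule, src, dst in injection_chain(WPM, STC, IMAGE, PARENT):
        print(f"{rule:36} {src} ({IMAGE[src]}) -> {dst} ({IMAGE[dst]})")
    for rule, pid, target in self_delete(CMDLINE, IMAGE):
        print(f"{rule:36} {pid} deletes {target}")
```

The write into Explorer.EXE is not in the WriteProcessMemory list (the payload reached it via MapViewOfSection, which the signatures record separately), which is why the hijack rule keys on SetThreadContext alone rather than requiring a preceding write.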
Processes

C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE  (PID 3040)
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"  (PID 2044)
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe  cmdline: "{path}"  (PID 3996)
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autochk.exe  cmdline: "C:\Windows\SysWOW64\autochk.exe"  (PID 2904)
  C:\Windows\SysWOW64\wscript.exe  cmdline: "C:\Windows\SysWOW64\wscript.exe"  (PID 2012)
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  cmdline: /c del "C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"  (PID 1908)
Downloads (memory dumps)

Dump                                                               Size
memory/2044-115-0x0000000000880000-0x0000000000881000-memory.dmp   4KB
memory/2044-117-0x00000000077D0000-0x00000000077D1000-memory.dmp   4KB
memory/2044-118-0x0000000007D70000-0x0000000007D71000-memory.dmp   4KB
memory/2044-119-0x0000000007870000-0x0000000007871000-memory.dmp   4KB
memory/2044-120-0x0000000005370000-0x0000000005371000-memory.dmp   4KB
memory/2044-121-0x0000000007770000-0x0000000007771000-memory.dmp   4KB
memory/2044-122-0x0000000007A50000-0x0000000007A51000-memory.dmp   4KB
memory/2044-123-0x0000000007A10000-0x0000000007A1E000-memory.dmp   56KB
memory/2044-124-0x0000000002C90000-0x0000000002D13000-memory.dmp   524KB
memory/2044-125-0x00000000064E0000-0x0000000006510000-memory.dmp   192KB
memory/3996-126-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
memory/3996-127-0x000000000041F110-mapping.dmp                     -
memory/3996-129-0x0000000001A50000-0x0000000001D70000-memory.dmp   3.1MB
memory/3996-130-0x0000000001450000-0x0000000001464000-memory.dmp   80KB
memory/3040-131-0x0000000002AC0000-0x0000000002B80000-memory.dmp   768KB
memory/2012-132-0x0000000000000000-mapping.dmp                     -
memory/2012-133-0x0000000000B40000-0x0000000000B67000-memory.dmp   156KB
memory/2012-134-0x0000000000A40000-0x0000000000A6F000-memory.dmp   188KB
memory/1908-135-0x0000000000000000-mapping.dmp                     -
memory/2012-136-0x0000000004DD0000-0x00000000050F0000-memory.dmp   3.1MB
memory/2012-137-0x0000000004C00000-0x0000000004C93000-memory.dmp   588KB
memory/3040-138-0x0000000006920000-0x0000000006A21000-memory.dmp   1.0MB
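The two dumps the formbook YARA rule hit, 3996-126 (0x400000-0x42F000) and 2012-134 (0xA40000-0xA6F000), are the same size, 0x2F000 bytes, in two different processes: the unpacked image in the hollowed child and its copy in wscript.exe. The 3.1MB regions 3996-129 and 2012-136 are likewise equal (0x320000). The script below is an added example, not Triage's code: it parses the dump names copied from the list above and reports region sizes that recur across processes, a cheap cross-check for an injected payload that needs no YARA rule. The dump-name grammar, the one-page cutoff and the size formatting are the author's assumptions about this listing, not a documented Triage format.

```python
"""Cross-process comparison of the memory regions Triage dumped above.

Added example, not Triage's code.  Dump names are copied from this report;
the name grammar, the page-size cutoff and the rule are the author's own.
"""
import re
from collections import defaultdict

DUMPS = [
    "memory/2044-115-0x0000000000880000-0x0000000000881000-memory.dmp",
    "memory/2044-123-0x0000000007A10000-0x0000000007A1E000-memory.dmp",
    "memory/2044-124-0x0000000002C90000-0x0000000002D13000-memory.dmp",
    "memory/2044-125-0x00000000064E0000-0x0000000006510000-memory.dmp",
    "memory/3996-126-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/3996-127-0x000000000041F110-mapping.dmp",
    "memory/3996-129-0x0000000001A50000-0x0000000001D70000-memory.dmp",
    "memory/3996-130-0x0000000001450000-0x0000000001464000-memory.dmp",
    "memory/3040-131-0x0000000002AC0000-0x0000000002B80000-memory.dmp",
    "memory/2012-132-0x0000000000000000-mapping.dmp",
    "memory/2012-133-0x0000000000B40000-0x0000000000B67000-memory.dmp",
    "memory/2012-134-0x0000000000A40000-0x0000000000A6F000-memory.dmp",
    "memory/1908-135-0x0000000000000000-mapping.dmp",
    "memory/2012-136-0x0000000004DD0000-0x00000000050F0000-memory.dmp",
    "memory/2012-137-0x0000000004C00000-0x0000000004C93000-memory.dmp",
    "memory/3040-138-0x0000000006920000-0x0000000006A21000-memory.dmp",
]

# Assumed grammar: memory/<pid>-<idx>-0x<start>[-0x<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump(name: str) -> dict:
    """Split a dump name into pid, index, kind, start, end and byte size
    (mapping dumps carry one address and get size 0)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "kind": m["kind"],
            "start": start, "end": end, "size": (end - start) if end else 0}


def human(size: int) -> str:
    """Size label in the style of the report's own column (KB below 1MB)."""
    return f"{size / 1048576:.1f}MB" if size >= 1048576 else f"{size // 1024}KB"


def shared_sizes(names, min_size=0x2000) -> dict:
    """Map region size -> set of PIDs holding a region of exactly that size,
    keeping only sizes seen in more than one process.  Single-page (4KB)
    regions are ignored; they are too common to mean anything."""
    by_size = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        if d["kind"] == "memory" and d["size"] >= min_size:
            by_size[d["size"]].add(d["pid"])
    return {s: pids for s, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for size, pids in sorted(shared_sizes(DUMPS).items()):
        print(f"0x{size:X} ({human(size)}) present in PIDs {sorted(pids)}")
```

Equal size is a weak signal on its own (any two processes loading the same DLL would trip it), so in practice it is paired with a check that the region is not image-backed; here it singles out exactly the pair the YARA rule flagged plus the matching 3.1MB working regions.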