Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 26-10-2021 13:22
Static task: static1
Behavioral task: behavioral1
- Sample: Factura de proforma.Pdf.exe
- Resource: win7-en-20210920
General
- Target: Factura de proforma.Pdf.exe
- Size: 416KB
- MD5: 1023715ab1412b3ab39be25ad6054e9c
- SHA1: b93d9283fffc26259a3675195ed878b3089ca8b7
- SHA256: b4585da149dee9da71100f73ac5088f6dcd2f0bad3a155a78615ab321fce3f71
- SHA512: 63a837b607dd274a3285380d2bdad3b0b059ffbb39b7e7f14a9d76eb3dc4fca861cf0bcfd6be4420f3a13d83f3388afbc41859a08c3b87778bdebdd399eca376
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: dv9n
- C2: http://www.elianedefalco.com/dv9n/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (3 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/1656-126-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral2/memory/1656-127-0x000000000041F190-mapping.dmp: formbook
  - behavioral2/memory/3328-134-0x0000000002F90000-0x0000000002FBF000-memory.dmp: formbook
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: Factura de proforma.Pdf.exe, RegSvcs.exe, raserver.exe
  Description (pid process -> target process):
  - PID 3168 set thread context of 1656 (3168 Factura de proforma.Pdf.exe -> RegSvcs.exe)
  - PID 1656 set thread context of 3056 (1656 RegSvcs.exe -> Explorer.EXE)
  - PID 3328 set thread context of 3056 (3328 raserver.exe -> Explorer.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  Processes: Factura de proforma.Pdf.exe, RegSvcs.exe, raserver.exe
  pid process (one row per IoC, identical rows collapsed):
  - 3168 Factura de proforma.Pdf.exe (6 rows)
  - 1656 RegSvcs.exe (4 rows)
  - 3328 raserver.exe (the remaining 38 of the 48 rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE
  - 3056 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: RegSvcs.exe, raserver.exe
  - 1656 RegSvcs.exe (3 rows)
  - 3328 raserver.exe (2 rows)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: Factura de proforma.Pdf.exe, RegSvcs.exe, raserver.exe, Explorer.EXE
  Description (pid process):
  - Token: SeDebugPrivilege (3168 Factura de proforma.Pdf.exe)
  - Token: SeDebugPrivilege (1656 RegSvcs.exe)
  - Token: SeDebugPrivilege (3328 raserver.exe)
  - Token: SeShutdownPrivilege (3056 Explorer.EXE)
  - Token: SeCreatePagefilePrivilege (3056 Explorer.EXE)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: Factura de proforma.Pdf.exe, Explorer.EXE, raserver.exe
  Description (pid process -> target process, identical rows collapsed):
  - PID 3168 wrote to memory of 1644 (3168 Factura de proforma.Pdf.exe -> schtasks.exe) (3 rows)
  - PID 3168 wrote to memory of 1608 (3168 Factura de proforma.Pdf.exe -> RegSvcs.exe) (3 rows)
  - PID 3168 wrote to memory of 1828 (3168 Factura de proforma.Pdf.exe -> RegSvcs.exe) (3 rows)
  - PID 3168 wrote to memory of 1656 (3168 Factura de proforma.Pdf.exe -> RegSvcs.exe) (6 rows)
  - PID 3056 wrote to memory of 3328 (3056 Explorer.EXE -> raserver.exe) (3 rows)
  - PID 3328 wrote to memory of 2088 (3328 raserver.exe -> cmd.exe) (3 rows)
Processes (process tree; indentation shows the parent/child nesting the report numbered 1, 2, 3)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Factura de proforma.Pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Factura de proforma.Pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKcHlxwvyiaYUp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69C2.tmp"
      - Creates scheduled task(s)
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\raserver.exe
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Downloads
- memory/1644-125-0x0000000000000000-mapping.dmp
- memory/1656-129-0x0000000001720000-0x0000000001A40000-memory.dmp (filesize 3.1MB)
- memory/1656-130-0x0000000001600000-0x0000000001614000-memory.dmp (filesize 80KB)
- memory/1656-127-0x000000000041F190-mapping.dmp
- memory/1656-126-0x0000000000400000-0x000000000042F000-memory.dmp (filesize 188KB)
- memory/2088-136-0x0000000000000000-mapping.dmp
- memory/3056-138-0x00000000050E0000-0x00000000051A0000-memory.dmp (filesize 768KB)
- memory/3056-131-0x0000000006B20000-0x0000000006CC9000-memory.dmp (filesize 1.7MB)
- memory/3168-121-0x00000000070C0000-0x00000000070C1000-memory.dmp (filesize 4KB)
- memory/3168-118-0x0000000006E20000-0x0000000006E21000-memory.dmp (filesize 4KB)
- memory/3168-123-0x0000000009390000-0x0000000009397000-memory.dmp (filesize 28KB)
- memory/3168-122-0x000000007F110000-0x000000007F111000-memory.dmp (filesize 4KB)
- memory/3168-115-0x00000000000B0000-0x00000000000B1000-memory.dmp (filesize 4KB)
- memory/3168-120-0x0000000006F80000-0x0000000006F81000-memory.dmp (filesize 4KB)
- memory/3168-119-0x0000000006D20000-0x000000000721E000-memory.dmp (filesize 5.0MB)
- memory/3168-124-0x0000000008980000-0x00000000089D0000-memory.dmp (filesize 320KB)
- memory/3168-117-0x0000000007220000-0x0000000007221000-memory.dmp (filesize 4KB)
- memory/3328-132-0x0000000000000000-mapping.dmp
- memory/3328-135-0x0000000004740000-0x0000000004A60000-memory.dmp (filesize 3.1MB)
- memory/3328-134-0x0000000002F90000-0x0000000002FBF000-memory.dmp (filesize 188KB)
- memory/3328-137-0x0000000004B00000-0x0000000004B93000-memory.dmp (filesize 588KB)
- memory/3328-133-0x00000000001B0000-0x00000000001CF000-memory.dmp (filesize 124KB)