Analysis
- max time kernel: 149s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 26-10-2021 20:33
Static task: static1
Behavioral task: behavioral1
Sample: Factura de proforma.Pdf.exe
Resource: win7-en-20211014
General
- Target: Factura de proforma.Pdf.exe
- Size: 416KB
- MD5: 1023715ab1412b3ab39be25ad6054e9c
- SHA1: b93d9283fffc26259a3675195ed878b3089ca8b7
- SHA256: b4585da149dee9da71100f73ac5088f6dcd2f0bad3a155a78615ab321fce3f71
- SHA512: 63a837b607dd274a3285380d2bdad3b0b059ffbb39b7e7f14a9d76eb3dc4fca861cf0bcfd6be4420f3a13d83f3388afbc41859a08c3b87778bdebdd399eca376
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: dv9n
- C2: http://www.elianedefalco.com/dv9n/
Other domains in the extracted config:
nblvqing.com
delmegebuildingproducts.com
xiongba8.com
latuawebreputation.online
nowcloud.tech
cckghs.com
tradeoo.ltd
ppapo.com
tphoaphuongdo.club
whitefoxy.site
bottle-sentences.net
computersewa.com
lushberryholidays.com
motobotz.com
shadurj.com
amazonlexdeveloper.com
shunli178.xyz
sjzzlmh.com
6eu09rp.xyz
novinmes.com
elizabethdouglas.net
heathy.xyz
forsmarthings.com
mskstyle-77.store
henhencaol.xyz
palncakeswap.com
osflogistics.com
14rinapo45.com
jordinandaustin.com
natsmartultimatebest.rest
perfectelopements.com
xinsaiou.com
92billion.com
hb4um.com
amneatni.xyz
pirigame.com
93335t.xyz
forwardvalley.com
contacttracingusa.com
americanexpress2214.creditcard
gurume-naruki.com
cdminstructors.com
posetac.online
suzhouyscl.com
bakarusgroup.com
epicureanadventuretours.com
goldengooses-outlet.com
glitchking411.com
8xroe84.xyz
https29dgi.xyz
sweetspendingwholesalersllc.com
bitopvip.com
sheraton-international.com
ajansclubturkey.site
communityskiswap.com
sauna-kuu.com
stephkingspilates.com
rosnewmarkextension.net
100daysofml.com
nexbot.biz
ahhhpop.com
marfalow.com
project-candles.com
topdogiadung.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes (resource matched by YARA rule "formbook"):
- behavioral1/memory/1072-64-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/1072-65-0x000000000041F190-mapping.dmp
- behavioral1/memory/956-72-0x00000000000E0000-0x000000000010F000-memory.dmp
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 1748 (Factura de proforma.Pdf.exe) set thread context of PID 1072 (RegSvcs.exe)
- PID 1072 (RegSvcs.exe) set thread context of PID 1304 (Explorer.EXE)
- PID 956 (systray.exe) set thread context of PID 1304 (Explorer.EXE)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes (pid, process, number of hits):
- 1748 Factura de proforma.Pdf.exe (2)
- 1072 RegSvcs.exe (2)
- 956 systray.exe (21)
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process, number of hits):
- 1072 RegSvcs.exe (3)
- 956 systray.exe (2)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1748 Factura de proforma.Pdf.exe
- Token: SeDebugPrivilege, PID 1072 RegSvcs.exe
- Token: SeDebugPrivilege, PID 956 systray.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process, number of hits):
- 1304 Explorer.EXE (2)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid, process, number of hits):
- 1304 Explorer.EXE (2)
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes (source PID wrote to memory of target PID, number of hits):
- PID 1748 (Factura de proforma.Pdf.exe) wrote to memory of PID 1820 (schtasks.exe) (4)
- PID 1748 (Factura de proforma.Pdf.exe) wrote to memory of PID 1072 (RegSvcs.exe) (10)
- PID 1304 (Explorer.EXE) wrote to memory of PID 956 (systray.exe) (4)
- PID 956 (systray.exe) wrote to memory of PID 1984 (cmd.exe) (4)
Processes (process tree; indentation shows parent/child depth)
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\Factura de proforma.Pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Factura de proforma.Pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKcHlxwvyiaYUp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp582E.tmp"
    - Creates scheduled task(s)
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\systray.exe
  Command line: "C:\Windows\SysWOW64\systray.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\cmd.exe
    Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Downloads (memory dumps; file size in parentheses where reported)
- memory/956-70-0x0000000000000000-mapping.dmp
- memory/956-75-0x0000000000920000-0x00000000009B3000-memory.dmp (588KB)
- memory/956-74-0x0000000000A50000-0x0000000000D53000-memory.dmp (3.0MB)
- memory/956-72-0x00000000000E0000-0x000000000010F000-memory.dmp (188KB)
- memory/956-71-0x0000000000D90000-0x0000000000D95000-memory.dmp (20KB)
- memory/1072-66-0x00000000008D0000-0x0000000000BD3000-memory.dmp (3.0MB)
- memory/1072-68-0x0000000000190000-0x00000000001A4000-memory.dmp (80KB)
- memory/1072-64-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/1072-65-0x000000000041F190-mapping.dmp
- memory/1072-63-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/1072-62-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/1304-69-0x00000000060E0000-0x000000000619B000-memory.dmp (748KB)
- memory/1304-76-0x0000000007F40000-0x00000000080A1000-memory.dmp (1.4MB)
- memory/1748-55-0x0000000000C00000-0x0000000000C01000-memory.dmp (4KB)
- memory/1748-60-0x0000000000AB0000-0x0000000000B00000-memory.dmp (320KB)
- memory/1748-59-0x00000000008C0000-0x00000000008C7000-memory.dmp (28KB)
- memory/1748-58-0x000000007EF40000-0x000000007EF41000-memory.dmp (4KB)
- memory/1748-57-0x00000000070F0000-0x00000000070F1000-memory.dmp (4KB)
- memory/1820-61-0x0000000000000000-mapping.dmp
- memory/1984-73-0x0000000000000000-mapping.dmp