Overview

overview

10

Static

static

yeni sipariş pdf.exe

windows7_x64

10

yeni sipariş pdf.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    154s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    07-02-2022 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    yeni sipariş pdf.exe

  • Size

    822KB

  • MD5

    41d2899a4441944b48daba79bfb70dd0

  • SHA1

    463778a640b327918d8e67cd2f9fa949be3b04e8

  • SHA256

    7480e4ba962590b3f14f4516861bb1aa80ffa08223a944ee6599cfe3b4e89bce

  • SHA512

    cb5b11e73fb06ffe3e1c4f91658899d82c8da6c6db9f3b3c126840bfb728b6ee862f8b45c903366ab37c2570baff6c298af41f4ffbd92e624579e8c4bc380104

Score
10/10
formbookg2m3ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2m3

Decoy

stocktonfingerprinting.com

metaaiqr.com

junicy.com

libertymutualgrou.com

jklhs7gl.xyz

alex-covalcova.space

socialfiguild.com

drnicholasreid.com

androidappprogrammierie.com

relatingtohumans.com

jitsystems.com

gbwpmz.com

lesaventuresdecocomango.com

wu8ggqdv077p.xyz

autnvg.com

wghakt016.xyz

lagosian.store

hilldoor.com

oculos-ajustavel-br.xyz

nameniboothac.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\yeni sipariş pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\yeni sipariş pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oifnpghsFyo.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:276
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oifnpghsFyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA18.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:804
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:752
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1504

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpDA18.tmp
      MD5

      cdecd81c8dc02b28c6ed5fa4b0f9680d

      SHA1

      d172b4bc0ccf4b062457027974c439f72d2e2e0d

      SHA256

      81282ec8c7d438093486fffaa9b6942d4b8c32ad6b4fcd6282d796dfe1f541ac

      SHA512

      be880d434f3fa2c01fd3efb6a80bd6d98c25ac62130ff703d5f8ff3134c5bb3665253f5e0730472be658a21041153614c278b79ef41839bbe245bf2396d2be51

      Download Submit
    • memory/276-64-0x0000000002310000-0x0000000002F5A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/276-63-0x0000000002310000-0x0000000002F5A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/276-62-0x0000000002310000-0x0000000002F5A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/752-66-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/752-65-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/752-70-0x0000000000190000-0x00000000001A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/752-69-0x0000000000A00000-0x0000000000D03000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/752-67-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1108-56-0x0000000075801000-0x0000000075803000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1108-55-0x0000000001340000-0x0000000001414000-memory.dmp
      Filesize

      848KB

      Download
    • memory/1108-59-0x0000000004820000-0x00000000048CA000-memory.dmp
      Filesize

      680KB

      Download
    • memory/1108-57-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1108-58-0x00000000002E0000-0x00000000002EC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1256-73-0x0000000000050000-0x000000000006C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/1256-74-0x0000000000120000-0x000000000014F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1256-75-0x0000000001EA0000-0x00000000021A3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1256-76-0x00000000003B0000-0x0000000001E91000-memory.dmp
      Filesize

      26.9MB

      Download
    • memory/1384-71-0x0000000004880000-0x0000000004947000-memory.dmp
      Filesize

      796KB

      Download
    • memory/1384-77-0x0000000005090000-0x000000000518A000-memory.dmp
      Filesize

      1000KB

      Download