Analysis
-
max time kernel
152s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
21-02-2022 09:20
Static task
static1
Behavioral task
behavioral1
Sample
proformafaktura.exe
Resource
win7-en-20211208
General
-
Target
proformafaktura.exe
-
Size
1.4MB
-
MD5
b7f3fc76e71df26b2610742c6343da72
-
SHA1
e8251404fa0acad1c0c5ddef1c17265e2952d3f2
-
SHA256
ddb5440189f6a486cae5317df13fd6fa94129941e9aa8a0586bca4c5ed97fb54
-
SHA512
fd94b2ba6e757cbb09cc01f5d5e7093e9ba131c4d3e5fa492b49a63a9040848e20e42ff982d4b344e5bd8f7037441ac6e5b8a98bceded13b07b5df193e0f1192
Malware Config
Extracted
formbook
4.1
n7ak
audereventur.com
huro14.com
wwwjinsha155.com
antiquevendor.com
samuraisoulfood.net
traffic4updates.download
hypersarv.com
rapport-happy-wedding.com
rokutechnosupport.online
allworljob.com
hanaleedossmann.com
kauai-marathon.com
bepbosch.com
kangen-international.com
zoneshopemenowz.com
belviderewrestling.com
ipllink.com
sellingforcreators.com
wwwswty6655.com
qtumboa.com
bazarmoney.net
librosdecienciaficcion.com
shopmomsthebomb.com
vanjacob.com
tgyaa.com
theporncollective.net
hydrabadproperties.com
brindesecologicos.com
sayagayrimenkul.net
4btoken.com
shycedu.com
overall789.top
maison-pierre-bayle.com
elitemediamasters.com
sharmasfabrics.com
hoshamp.com
myultimateleadgenerator.com
office4u.info
thaimart1.com
ultimatewindowusa.com
twoblazesartworks.com
airteloffer.com
shoupaizhao.com
741dakotadr.info
books4arab.net
artedelcioccolato.biz
tjqcu.info
teccoop.net
maturebridesdressguide.com
excelcapfunding.com
bitcoinak.com
profileorderflow.com
unbelievabowboutique.com
midlandshomesolutionsltd.com
healthywithhook.com
stirlingpiper.com
manfast.online
arikorin.com
texastrustedinsurance.com
moodandmystery.com
yh77808.com
s-immotanger.com
runzexd.com
meteoannecy.net
joomlas123.info
Signatures
-
Formbook Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2388-135-0x0000000000400000-0x000000000042D000-memory.dmp formbook behavioral2/memory/2460-141-0x0000000000870000-0x000000000089D000-memory.dmp formbook -
Drops startup file 1 IoCs
Processes:
proformafaktura.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url proformafaktura.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
proformafaktura.exeproformafaktura.exerundll32.exedescription pid process target process PID 1532 set thread context of 2388 1532 proformafaktura.exe proformafaktura.exe PID 2388 set thread context of 896 2388 proformafaktura.exe Explorer.EXE PID 2460 set thread context of 896 2460 rundll32.exe Explorer.EXE -
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe -
Suspicious behavior: EnumeratesProcesses 59 IoCs
Processes:
proformafaktura.exerundll32.exepid process 2388 proformafaktura.exe 2388 proformafaktura.exe 2388 proformafaktura.exe 2388 proformafaktura.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe 2460 rundll32.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
proformafaktura.exeproformafaktura.exerundll32.exepid process 1532 proformafaktura.exe 1532 proformafaktura.exe 2388 proformafaktura.exe 2388 proformafaktura.exe 2388 proformafaktura.exe 2460 rundll32.exe 2460 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
proformafaktura.exerundll32.exesvchost.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 2388 proformafaktura.exe Token: SeDebugPrivilege 2460 rundll32.exe Token: SeShutdownPrivilege 3964 svchost.exe Token: SeCreatePagefilePrivilege 3964 svchost.exe Token: SeShutdownPrivilege 3964 svchost.exe Token: SeCreatePagefilePrivilege 3964 svchost.exe Token: SeShutdownPrivilege 3964 svchost.exe Token: SeCreatePagefilePrivilege 3964 svchost.exe Token: SeShutdownPrivilege 896 Explorer.EXE Token: SeCreatePagefilePrivilege 896 Explorer.EXE -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
proformafaktura.exepid process 1532 proformafaktura.exe 1532 proformafaktura.exe 1532 proformafaktura.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
proformafaktura.exepid process 1532 proformafaktura.exe 1532 proformafaktura.exe 1532 proformafaktura.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 896 Explorer.EXE -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
proformafaktura.exeExplorer.EXErundll32.exedescription pid process target process PID 1532 wrote to memory of 1900 1532 proformafaktura.exe proformafaktura.exe PID 1532 wrote to memory of 1900 1532 proformafaktura.exe proformafaktura.exe PID 1532 wrote to memory of 1900 1532 proformafaktura.exe proformafaktura.exe PID 1532 wrote to memory of 2388 1532 proformafaktura.exe proformafaktura.exe PID 1532 wrote to memory of 2388 1532 proformafaktura.exe proformafaktura.exe PID 1532 wrote to memory of 2388 1532 proformafaktura.exe proformafaktura.exe PID 1532 wrote to memory of 2388 1532 proformafaktura.exe proformafaktura.exe PID 896 wrote to memory of 2460 896 Explorer.EXE rundll32.exe PID 896 wrote to memory of 2460 896 Explorer.EXE rundll32.exe PID 896 wrote to memory of 2460 896 Explorer.EXE rundll32.exe PID 2460 wrote to memory of 3324 2460 rundll32.exe cmd.exe PID 2460 wrote to memory of 3324 2460 rundll32.exe cmd.exe PID 2460 wrote to memory of 3324 2460 rundll32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/896-139-0x0000000008DA0000-0x0000000008F48000-memory.dmpFilesize
1.7MB
-
memory/896-147-0x0000000008590000-0x000000000867A000-memory.dmpFilesize
936KB
-
memory/1532-134-0x0000000000CC0000-0x0000000000CC3000-memory.dmpFilesize
12KB
-
memory/1532-133-0x0000000000B30000-0x0000000000B5D000-memory.dmpFilesize
180KB
-
memory/2388-136-0x0000000001B60000-0x0000000001EAA000-memory.dmpFilesize
3.3MB
-
memory/2388-138-0x0000000002060000-0x0000000002074000-memory.dmpFilesize
80KB
-
memory/2388-137-0x000000000041E000-0x000000000041F000-memory.dmpFilesize
4KB
-
memory/2388-135-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/2460-140-0x0000000000DF0000-0x0000000000E04000-memory.dmpFilesize
80KB
-
memory/2460-141-0x0000000000870000-0x000000000089D000-memory.dmpFilesize
180KB
-
memory/2460-142-0x0000000002910000-0x0000000002C5A000-memory.dmpFilesize
3.3MB
-
memory/2460-146-0x0000000002720000-0x00000000027B3000-memory.dmpFilesize
588KB
-
memory/3964-143-0x000001E4DEF20000-0x000001E4DEF30000-memory.dmpFilesize
64KB
-
memory/3964-144-0x000001E4DEF80000-0x000001E4DEF90000-memory.dmpFilesize
64KB
-
memory/3964-145-0x000001E4E1630000-0x000001E4E1634000-memory.dmpFilesize
16KB