Analysis
- max time kernel: 157s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:59

Static task: static1
Behavioral task: behavioral1
- Sample: KRD2020000000002 PDF.exe
- Resource: win7-20220414-en
General
- Target: KRD2020000000002 PDF.exe
- Size: 735KB
- MD5: 4e904adeaaeac677885bbe4c6be06a3a
- SHA1: 48fe1138bb8323fa29f5b9d7b8e02a97dc0c9afa
- SHA256: d104548b154ac28142944b839993b9f0c8ad45d42a3e72d888aa8ba0e22562fd
- SHA512: 2803b5a5b4cab020a2a3bb1861601633ec8041a20946cd6f8fc57f5a936bf1f535ec3dc2a597c60f360ad4cc2a45f97b372be04351c9ac30ec9a053804e696ef
Malware Config
Extracted:
- Family: formbook
- Version: 4.1
- Campaign: hnh
- C2 domains: 65 candidate domains
Signatures

- suricata: ET MALWARE FormBook CnC Checkin (GET)

- Formbook Payload (2 IoCs)
  yara_rule formbook matched in:
  - behavioral2/memory/2764-139-0x0000000000400000-0x000000000042D000-memory.dmp
  - behavioral2/memory/688-146-0x00000000014B0000-0x00000000014DD000-memory.dmp

- Looks for VirtualBox Guest Additions in registry (2 TTPs)

- Looks for VMWare Tools registry key (2 TTPs)

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - KRD2020000000002 PDF.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  - KRD2020000000002 PDF.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - WWAHost.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ITQLRT20UH = "C:\\Program Files (x86)\\Or8oxv4bp\\5jbxnrlftpehsp.exe"
  - WWAHost.exe: key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  - KRD2020000000002 PDF.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  - KRD2020000000002 PDF.exe: key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0

- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  - PID 3456 (KRD2020000000002 PDF.exe) set thread context of PID 2764 (KRD2020000000002 PDF.exe)
  - PID 2764 (KRD2020000000002 PDF.exe) set thread context of PID 2560 (Explorer.EXE)
  - PID 688 (WWAHost.exe) set thread context of PID 2560 (Explorer.EXE)

- Drops file in Program Files directory (1 IoCs)
  Processes:
  - WWAHost.exe: file opened for modification C:\Program Files (x86)\Or8oxv4bp\5jbxnrlftpehsp.exe
- Modifies Internet Explorer settings
  Processes:
  - WWAHost.exe: key created \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  Processes:
  - PID 3456 (KRD2020000000002 PDF.exe): 3 events
  - PID 2764 (KRD2020000000002 PDF.exe): 4 events
  - PID 688 (WWAHost.exe): 26 events

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  - PID 2560 (Explorer.EXE)

- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes:
  - PID 2764 (KRD2020000000002 PDF.exe): 3 events
  - PID 688 (WWAHost.exe): 4 events

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
  - PID 3456 (KRD2020000000002 PDF.exe): Token: SeDebugPrivilege
  - PID 2764 (KRD2020000000002 PDF.exe): Token: SeDebugPrivilege
  - PID 688 (WWAHost.exe): Token: SeDebugPrivilege
  - PID 2560 (Explorer.EXE): Token: SeShutdownPrivilege (2 events), Token: SeCreatePagefilePrivilege (2 events)

- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  - PID 3456 (KRD2020000000002 PDF.exe) wrote to memory of PID 1680 (KRD2020000000002 PDF.exe): 3 events
  - PID 3456 (KRD2020000000002 PDF.exe) wrote to memory of PID 2764 (KRD2020000000002 PDF.exe): 6 events
  - PID 2560 (Explorer.EXE) wrote to memory of PID 688 (WWAHost.exe): 3 events
  - PID 688 (WWAHost.exe) wrote to memory of PID 2300 (cmd.exe): 3 events
  - PID 688 (WWAHost.exe) wrote to memory of PID 5044 (cmd.exe): 3 events
  - PID 688 (WWAHost.exe) wrote to memory of PID 2988 (Firefox.exe): 3 events
Processes

- C:\Windows\Explorer.EXE (PID 2560)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\KRD2020000000002 PDF.exe" (PID 3456)
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\KRD2020000000002 PDF.exe" (PID 1680)
    - "C:\Users\Admin\AppData\Local\Temp\KRD2020000000002 PDF.exe" (PID 2764)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\SysWOW64\WWAHost.exe" (PID 688)
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\KRD2020000000002 PDF.exe" (PID 2300)
    - C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V (PID 5044)
    - "C:\Program Files\Mozilla Firefox\Firefox.exe" (PID 2988)
Downloads

- C:\Users\Admin\AppData\Local\Temp\DB1
  - Filesize: 40KB
  - MD5: b608d407fc15adea97c26936bc6f03f6
  - SHA1: 953e7420801c76393902c0d6bb56148947e41571
  - SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  - SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4