Overview

overview

10

Static

static

Payment_Ad...df.exe

windows7_x64

10

Payment_Ad...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 10:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment_Advice Ref_G51433980115....pdf.exe

  • Size

    311KB

  • MD5

    419fdeab3e062e913643037511fee430

  • SHA1

    3c11f5dfdae578ab1e7afb87f05acf9477ee28cf

  • SHA256

    76d45ff13654988781428940dab2825a158e15679d0f1faf9615b76a2cbff4a7

  • SHA512

    2c108227bb344a271dec116251796049927a4df8fa7716d1b33a20df42fe840ac4f684e3af42bb64944d882bac06c90fd2217d6052cb3523667b3b3529c29a86

Score
10/10
formbookms20persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ms20

Decoy

ginayjasive.net

unique-bruce.com

marcaschingonas.net

artandartistonline.com

creditcubeaa.com

jnlunwen.com

adriangallop.com

gardenmebydjnui.com

dakdekker-utrecht.com

padmatrades.com

esseconsultingllc.com

heisenlintec.com

110431.info

posseco.com

team10hoodies.site

sciencewtour.com

paigeslife.com

idea-asesoria.com

crypotland.com

862575zk.info

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Local\Temp\Payment_Advice Ref_G51433980115....pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment_Advice Ref_G51433980115....pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1276
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Payment_Advice Ref_G51433980115....pdf.exe"
        3⤵
        • Deletes itself
        PID:1120

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\KNPQ3D98\KNPlogim.jpeg
    Filesize

    66KB

    MD5

    c1412670faf573b78fb72a18c0f9268b

    SHA1

    12631bdfc81058f71e314873f2ef8123a51b300c

    SHA256

    a39b1e6c33be6ca44ab7cd806b042336e452e9dba7562b63469c3f63f123193d

    SHA512

    1bda000c08759238f323c8e211ce02ee717ed4ab41387e418f7e0f96483e19bceb5ec88daf8a835342a76b0394c42fce83187d21743b644593646ecfc1147abd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\KNPQ3D98\KNPlogri.ini
    Filesize

    40B

    MD5

    d63a82e5d81e02e399090af26db0b9cb

    SHA1

    91d0014c8f54743bba141fd60c9d963f869d76c9

    SHA256

    eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

    SHA512

    38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

    Download Submit

  • C:\Users\Admin\AppData\Roaming\KNPQ3D98\KNPlogrv.ini
    Filesize

    40B

    MD5

    ba3b6bc807d4f76794c4b81b09bb9ba5

    SHA1

    24cb89501f0212ff3095ecc0aba97dd563718fb1

    SHA256

    6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

    SHA512

    ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

    Download Submit

  • memory/1120-64-0x0000000000000000-mapping.dmp

    Download

  • memory/1276-56-0x0000000002280000-0x0000000002583000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1276-57-0x0000000000190000-0x00000000001A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1276-55-0x0000000000970000-0x00000000009C2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1276-54-0x0000000000970000-0x00000000009C2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1352-66-0x00000000049F0000-0x0000000004B12000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1352-58-0x0000000006A10000-0x0000000006B98000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1920-63-0x0000000002390000-0x0000000002693000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1920-62-0x0000000000090000-0x00000000000BA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1920-65-0x00000000007C0000-0x0000000000853000-memory.dmp

    Filesize

    588KB

    Download

  • memory/1920-61-0x00000000008A0000-0x00000000008B4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1920-60-0x0000000076C01000-0x0000000076C03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1920-59-0x0000000000000000-mapping.dmp

    Download