Analysis
  max time kernel: 149s
  max time network: 169s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 21-05-2022 10:50
Static task: static1
Behavioral task: behavioral1
  Sample: 009888389998789290000-pdf.exe
  Resource: win7-20220414-en
General
  Target: 009888389998789290000-pdf.exe
  Size: 876KB
  MD5: c4dc14e8754c36300ae98fa8b4369a40
  SHA1: 9cd8e279dff02db6ffb9199cf6cb4ff5fc07cc37
  SHA256: c303fb93eba5623184f5bfb8fefbea2458e25ead795e6d5c5d5e78e921c6490e
  SHA512: ba4280059eb153941d0c06533542a10d25f5c95c45bbebce620f042560df2557e1eae6ea3a405d6663c9552eb8dc49bb1cfccb2659e834a06fac4587373c7382
Malware Config
Extracted
  Family: formbook
  Version: 3.9
  Campaign: hm2
  Domains:
vodu.ltd
arauderghem.net
bluebackpage.com
cheapairmaxsaleclearance.com
soldiersofarts.com
fbservice.info
x9e7x7.info
davidhenkel.com
plantrak.net
66sbleiv.com
cartierringprice.com
roupeiroblog.com
thxcn.com
baboondynasty.win
thecloudm.com
everythingreviews.net
zimmermansales.net
movie.kitchen
im.help
geebzor.com
quanbaodao.com
kasalogistics.com
comomanteracasaarrumada.biz
hhmeitu.com
goodlookbook.net
genuineworldkw.com
safetraffic4upgrades.date
bbgan21.com
goldamerican.info
gotoinfo.company
courtneyraestyles.com
kushyp.com
trendzspot.com
klmdzch.com
noridabio.com
gemilangnusantara.com
evethaber.com
activehealth.online
24cassinhill.com
uniquecustomkreationz.com
arte-enlevo.com
kaphanfoundation.net
luciagiacomin.com
4444677.com
ink4speed.com
advisemi.com
wildlife-botanicals.com
islandviewantigua.com
millerwolfdental.com
testci20190225031512.com
lucyble.com
elitlazer.com
applyforpermit.com
jinshavip74.com
xdxty.com
thedragon.tech
independentdvm.com
afm-alliance.com
freelanceti.com
enemacookbook.com
starvingartistconference.com
xn--zovsa0670a.com
zuhao91.com
toprenovation101.com
nyoxibwer.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (1 IoC)
  resource: behavioral1/memory/624-63-0x0000000000070000-0x000000000009A000-memory.dmp
  yara_rule: formbook

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    process: wscript.exe
  Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JTMT9LUPQ04 = "C:\\Program Files (x86)\\Q_nrp\\servicescbcdufw.exe"
    process: wscript.exe

Deletes itself (1 IoC)
  pid 1696  process: cmd.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (3 IoCs)
  PID 1728 set thread context of 1380   process: 009888389998789290000-pdf.exe (1728)   target process: 009888389998789290000-pdf.exe
  PID 1380 set thread context of 1256   process: 009888389998789290000-pdf.exe (1380)   target process: Explorer.EXE
  PID 624 set thread context of 1256    process: wscript.exe (624)   target process: Explorer.EXE

Drops file in Program Files directory (1 IoC)
  File opened for modification
    ioc: C:\Program Files (x86)\Q_nrp\servicescbcdufw.exe
    process: wscript.exe
Modifies Internet Explorer settings (1 IoC)
  Key created
    ioc: \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
    process: wscript.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid 1728  process: 009888389998789290000-pdf.exe  (1 occurrence)
  pid 1380  process: 009888389998789290000-pdf.exe  (2 occurrences)
  pid 624   process: wscript.exe  (25 occurrences)

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid 1728  process: 009888389998789290000-pdf.exe  (1 occurrence)
  pid 1380  process: 009888389998789290000-pdf.exe  (3 occurrences)
  pid 624   process: wscript.exe  (2 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege     pid 1380  process: 009888389998789290000-pdf.exe
  Token: SeDebugPrivilege     pid 624   process: wscript.exe
  Token: SeShutdownPrivilege  pid 1256  process: Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1256  process: Explorer.EXE  (2 occurrences)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1256  process: Explorer.EXE  (2 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1728 wrote to memory of 1380   process: 009888389998789290000-pdf.exe (1728)   target process: 009888389998789290000-pdf.exe  (4 occurrences)
  PID 1256 wrote to memory of 624    process: Explorer.EXE (1256)   target process: wscript.exe  (4 occurrences)
  PID 624 wrote to memory of 1696    process: wscript.exe (624)   target process: cmd.exe  (4 occurrences)

System policy modification (1 TTPs, 1 IoC)
  Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    process: wscript.exe
Processes

C:\Windows\Explorer.EXE  (PID 1256)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe  (PID 1728)
    command line: "C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe  (PID 1380)
      command line: "C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wscript.exe  (PID 624)
    command line: "C:\Windows\SysWOW64\wscript.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\cmd.exe  (PID 1696)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe"
      - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
  memory/624-63-0x0000000000070000-0x000000000009A000-memory.dmp   Filesize: 168KB
  memory/624-60-0x0000000000000000-mapping.dmp
  memory/624-62-0x0000000000C20000-0x0000000000C46000-memory.dmp   Filesize: 152KB
  memory/624-64-0x0000000002050000-0x0000000002353000-memory.dmp   Filesize: 3.0MB
  memory/624-65-0x0000000002360000-0x00000000023F3000-memory.dmp   Filesize: 588KB
  memory/1256-59-0x0000000004A00000-0x0000000004B4C000-memory.dmp  Filesize: 1.3MB
  memory/1256-66-0x0000000004C30000-0x0000000004D4C000-memory.dmp  Filesize: 1.1MB
  memory/1380-55-0x000000000041B630-mapping.dmp
  memory/1380-57-0x00000000008A0000-0x0000000000BA3000-memory.dmp  Filesize: 3.0MB
  memory/1380-58-0x0000000000350000-0x0000000000364000-memory.dmp  Filesize: 80KB
  memory/1696-61-0x0000000000000000-mapping.dmp
  memory/1728-56-0x0000000000260000-0x0000000000269000-memory.dmp  Filesize: 36KB
  memory/1728-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp  Filesize: 8KB