Analysis
- max time kernel: 152s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 10:53

Static task: static1

Behavioral task: behavioral1
- Sample: Enquiry Letter 2021_39 PDF .exe
- Resource: win7-20220414-en
General
- Target: Enquiry Letter 2021_39 PDF .exe
- Size: 706KB
- MD5: ebf459ab9f9e3280e01aa2afc78235cb
- SHA1: b78ba9874e119e3be2521471f0e9bdc6b22d0452
- SHA256: 8357119ef28bc4518732db5fea2e1aae12a779c36c3beb0a732a224f460abddb
- SHA512: 0831473ccb3bf1314199dd1085075967c8867a1261ec7fe03f5c3da58b2a7dd3158b41b1fa5d2496e722bea04fb0230e306baccbc4459523b21698ee0d2a8094
Malware Config

Extracted
- Family: formbook
- Version: 3.9
- Campaign: k2w
- C2:
brittanybeck.com
idapple.mobi
sharoncement.win
smerchenko.com
citizenssenergygroup.com
landhawktactical.com
yilingshenghuo.com
lifa97.com
8160pe.com
sf-purify.com
bloomingamaizing.com
thymeshares.com
rainwatercollectionhq.com
jaseba.net
whoistom.net
gn70.com
payperclickad.info
jessicagorbet.com
portlockproperty.com
mindset-beratung.com
heaven-nutfield.com
idpprograms.com
norvelfinancialsolutions.com
arlingtonyp.com
happilyevernordvik.com
radyoteleskop.com
iphone8adaptoru.com
mairie5e.com
chiquephotique.net
ndilimanitours.com
adamthaivn.com
tt727.info
wyzebuy.com
nspkfst.com
jasonchenproperties.com
cryptoeconomi.com
paulsaqueton.com
talentgrowthpartners.com
thebigandgoodfreeupgrade.win
sinfulmodels.com
cowrychina.com
dongzhengrui.com
nationalinvestorinsurance.com
kjsemx.men
aevenarobotics.com
focayasdostukoyu.com
1s1fivegrand.men
ihbhy.com
arenastudio.net
thebestregistrars.com
deepingcase.com
mercyssafechildrenhaven.net
www55554008.com
catchewtoys.com
alexandrievina.com
equifaxsecurity2p017.com
lg-support.center
myweeklyinterest.com
nonnysnook.online
streetsmartwatch.com
lenseapart.com
shcom.net
atlantique-machine.com
yebimama.com
chilogae.com
Signatures

- Formbook Payload (1 IoC)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/1808-138-0x0000000000DC0000-0x0000000000DEA000-memory.dmp  formbook

- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description                          pid   process                          target process
    PID 2716 set thread context of 876   2716  Enquiry Letter 2021_39 PDF .exe  Enquiry Letter 2021_39 PDF .exe
    PID 876 set thread context of 3116   876   Enquiry Letter 2021_39 PDF .exe  Explorer.EXE
    PID 1808 set thread context of 3116  1808  ipconfig.exe                     Explorer.EXE

- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes:
    pid   process
    1808  ipconfig.exe

- Suspicious behavior: EnumeratesProcesses (62 IoCs; repeated entries collapsed)
  Processes:
    pid   process
    2716  Enquiry Letter 2021_39 PDF .exe (2 entries)
    876   Enquiry Letter 2021_39 PDF .exe (4 entries)
    1808  ipconfig.exe (all remaining entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    3116  Explorer.EXE

- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes:
    pid   process
    2716  Enquiry Letter 2021_39 PDF .exe (1 entry)
    876   Enquiry Letter 2021_39 PDF .exe (3 entries)
    1808  ipconfig.exe (2 entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  876   Enquiry Letter 2021_39 PDF .exe
    Token: SeDebugPrivilege  1808  ipconfig.exe

- Suspicious use of WriteProcessMemory (9 IoCs; each pair appears 3 times)
  Processes:
    description                       pid   process                          target process
    PID 2716 wrote to memory of 876   2716  Enquiry Letter 2021_39 PDF .exe  Enquiry Letter 2021_39 PDF .exe
    PID 3116 wrote to memory of 1808  3116  Explorer.EXE                     ipconfig.exe
    PID 1808 wrote to memory of 1912  1808  ipconfig.exe                     cmd.exe
Processes

- C:\Windows\Explorer.EXE (PID 3116)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Enquiry Letter 2021_39 PDF .exe (PID 2716)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Enquiry Letter 2021_39 PDF .exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\Enquiry Letter 2021_39 PDF .exe (PID 876)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Enquiry Letter 2021_39 PDF .exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\ipconfig.exe (PID 1808)
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 1912)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Enquiry Letter 2021_39 PDF .exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/876-130-0x0000000000000000-mapping.dmp
- memory/876-132-0x0000000000A20000-0x0000000000D6A000-memory.dmp (Filesize: 3.3MB)
- memory/876-133-0x00000000009D0000-0x00000000009E4000-memory.dmp (Filesize: 80KB)
- memory/1808-135-0x0000000000000000-mapping.dmp
- memory/1808-137-0x0000000000750000-0x000000000075B000-memory.dmp (Filesize: 44KB)
- memory/1808-138-0x0000000000DC0000-0x0000000000DEA000-memory.dmp (Filesize: 168KB)
- memory/1808-139-0x00000000018A0000-0x0000000001BEA000-memory.dmp (Filesize: 3.3MB)
- memory/1808-140-0x00000000016A0000-0x0000000001733000-memory.dmp (Filesize: 588KB)
- memory/1912-136-0x0000000000000000-mapping.dmp
- memory/2716-131-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
- memory/3116-134-0x00000000028C0000-0x0000000002A2E000-memory.dmp (Filesize: 1.4MB)
- memory/3116-141-0x0000000008210000-0x0000000008338000-memory.dmp (Filesize: 1.2MB)