Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:55

Static task: static1
Behavioral task: behavioral1
- Sample: PO##4354267813...pdf.exe
- Resource: win7-20220414-en
General
- Target: PO##4354267813...pdf.exe
- Size: 336KB
- MD5: c5fb3b2e9f90517e533c327808e3dc2d
- SHA1: 2a36c1413dc4276c3c1f57cf392f93285380a93a
- SHA256: 112b6fe2084ca3501c8a98a9cd90f60ce691a438864be736b049062379195818
- SHA512: eb254fd0b9577f382b3b29d999a0f43e1643e85aeca13fd0887eadf33a77a116612c739297e90f6b0aadb392e5aefa1a435b9bf6443e7c21acc62c3a88c38054
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: tnk
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload 3 IoCs
  Processes (resource / yara_rule):
  - behavioral2/memory/4428-135-0x0000000000400000-0x000000000042D000-memory.dmp: formbook
  - behavioral2/memory/4428-137-0x0000000000400000-0x000000000042D000-memory.dmp: formbook
  - behavioral2/memory/4632-146-0x0000000000660000-0x000000000068D000-memory.dmp: formbook
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes (wscript.exe):
  - Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SPXLPR = "C:\\Program Files (x86)\\Ee2kda\\d8tpux4tqnnh.exe" (wscript.exe)
- Suspicious use of SetThreadContext 4 IoCs
  Processes (PO##4354267813...pdf.exe, wscript.exe):
  - PID 4776 (PO##4354267813...pdf.exe) set thread context of PID 4428 (PO##4354267813...pdf.exe)
  - PID 4428 (PO##4354267813...pdf.exe) set thread context of PID 3232 (Explorer.EXE)
  - PID 4428 (PO##4354267813...pdf.exe) set thread context of PID 3232 (Explorer.EXE)
  - PID 4632 (wscript.exe) set thread context of PID 3232 (Explorer.EXE)
- Drops file in Program Files directory 1 IoCs
  Processes (wscript.exe):
  - File opened for modification: C:\Program Files (x86)\Ee2kda\d8tpux4tqnnh.exe (wscript.exe)
- Modifies Internet Explorer settings 1 IoCs
  Processes (wscript.exe):
  - Key created: \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (wscript.exe)
- Suspicious behavior: EnumeratesProcesses 44 IoCs
  Processes (PO##4354267813...pdf.exe, wscript.exe):
  - PID 4428 PO##4354267813...pdf.exe (6 entries)
  - PID 4632 wscript.exe (38 entries)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes (Explorer.EXE):
  - PID 3232 Explorer.EXE
- Suspicious behavior: MapViewOfSection 8 IoCs
  Processes (PO##4354267813...pdf.exe, wscript.exe):
  - PID 4428 PO##4354267813...pdf.exe (4 entries)
  - PID 4632 wscript.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  Processes (PO##4354267813...pdf.exe, wscript.exe, Explorer.EXE):
  - Token: SeDebugPrivilege, PID 4428 PO##4354267813...pdf.exe
  - Token: SeDebugPrivilege, PID 4632 wscript.exe
  - Token: SeShutdownPrivilege, PID 3232 Explorer.EXE
  - Token: SeCreatePagefilePrivilege, PID 3232 Explorer.EXE
  - Token: SeShutdownPrivilege, PID 3232 Explorer.EXE
  - Token: SeCreatePagefilePrivilege, PID 3232 Explorer.EXE
- Suspicious use of WriteProcessMemory 18 IoCs
  Processes (PO##4354267813...pdf.exe, Explorer.EXE, wscript.exe):
  - PID 4776 (PO##4354267813...pdf.exe) wrote to memory of PID 4428 (PO##4354267813...pdf.exe) (6 entries)
  - PID 3232 (Explorer.EXE) wrote to memory of PID 4632 (wscript.exe) (3 entries)
  - PID 4632 (wscript.exe) wrote to memory of PID 4552 (cmd.exe) (3 entries)
  - PID 4632 (wscript.exe) wrote to memory of PID 4168 (cmd.exe) (3 entries)
  - PID 4632 (wscript.exe) wrote to memory of PID 5116 (Firefox.exe) (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO##4354267813...pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO##4354267813...pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PO##4354267813...pdf.exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wscript.exe
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO##4354267813...pdf.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- memory/3232-140-0x0000000007C70000-0x0000000007DB4000-memory.dmp
  Filesize: 1.3MB
- memory/3232-150-0x0000000007FE0000-0x000000000811F000-memory.dmp
  Filesize: 1.2MB
- memory/3232-143-0x0000000007E30000-0x0000000007F63000-memory.dmp
  Filesize: 1.2MB
- memory/4168-151-0x0000000000000000-mapping.dmp
- memory/4428-142-0x0000000002D20000-0x0000000002D34000-memory.dmp
  Filesize: 80KB
- memory/4428-134-0x0000000000000000-mapping.dmp
- memory/4428-138-0x0000000000F20000-0x000000000126A000-memory.dmp
  Filesize: 3.3MB
- memory/4428-135-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/4428-139-0x00000000013E0000-0x00000000013F4000-memory.dmp
  Filesize: 80KB
- memory/4428-137-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/4552-147-0x0000000000000000-mapping.dmp
- memory/4632-144-0x0000000000000000-mapping.dmp
- memory/4632-146-0x0000000000660000-0x000000000068D000-memory.dmp
  Filesize: 180KB
- memory/4632-145-0x0000000000610000-0x0000000000637000-memory.dmp
  Filesize: 156KB
- memory/4632-148-0x00000000027F0000-0x0000000002B3A000-memory.dmp
  Filesize: 3.3MB
- memory/4632-149-0x0000000002530000-0x00000000025C3000-memory.dmp
  Filesize: 588KB
- memory/4776-130-0x0000000000600000-0x000000000065A000-memory.dmp
  Filesize: 360KB
- memory/4776-133-0x00000000084C0000-0x000000000855C000-memory.dmp
  Filesize: 624KB
- memory/4776-132-0x00000000075A0000-0x0000000007632000-memory.dmp
  Filesize: 584KB
- memory/4776-131-0x0000000007A70000-0x0000000008014000-memory.dmp
  Filesize: 5.6MB