Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    22/09/2022, 15:11

General

  • Target

    10935009_pdf.js

  • Size

    348KB

  • MD5

    c6364fd257b51beb031c4745e31dcf74

  • SHA1

    277115c94f56547ee4499c9280a23da6fff9b060

  • SHA256

    29e1cf438fcd048f5ddaf71c092127c0d2eaae73f202b200a53e0ec3010f35a0

  • SHA512

    cd035d6c963daef3da8d0c1d86620f39ad8e4b3e317532018f8bdd5fbed31fb26f5ce499c22b74c11581897e83c03007925418d269b730df5165ea56b11a3cc6

  • SSDEEP

    6144:9aOWRyX3U5uw1WNOB5uIa6We0/oken9Tm0D4cWSB/LxPCTxUOHe:CQ0LP2Ia6Ws9Tmo4pSB/FC13+

Malware Config

Extracted

Family

formbook

Campaign

xrob

Decoy

dV8FCtdWdnfMJ9thh8l/

IJG6Bh4iMeHVBHNp2MrpTA==

NhPKKtmQxnHYF/80

f4M2RhGEf3Ot13+qLrKqxb9f3dXj9Q==

A/689/MibSRBgkPkx07m+H+g

e8OOkUu9y/uYCMsdrR3s0mODmGw3d8t9Og==

gLN5bn+Zq1VQXmOOvw==

NFcQGvViY5sxmkty83Fde4GQhg==

XWMfFSM3f7GT9w==

Ih6vvqf9R8gDObM=

FGAlLASHlpLaUUKUJIwm9ABQ2Js=

v8R615LDC8iWchwv

m+u3rLUxScgDObM=

jc3eahERf7GT9w==

TYNBVDadkpTF76HeNl/rbwWtLSbyPzM=

j6NQmhWeOi2B

aqJocUfM3v97ryScY6EiSMbVyBak

V7nYOyEZKa2J/KKh5RMhJrbyK/eC/Q==

8zPsAt3ejcgDObM=

Rpe+BrGBzpGa9q8FHKpi

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 17 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\10935009_pdf.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\njdKUZLNhC.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1076
      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1304

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\bin.exe

            Filesize

            185KB

            MD5

            26db0806c0871f293a77e5d5676e2fd8

            SHA1

            7c17ccce454d81bb999c04d45e9e4913969a73ee

            SHA256

            2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66

            SHA512

            0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

          • C:\Users\Admin\AppData\Local\Temp\bin.exe

            Filesize

            185KB

            MD5

            26db0806c0871f293a77e5d5676e2fd8

            SHA1

            7c17ccce454d81bb999c04d45e9e4913969a73ee

            SHA256

            2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66

            SHA512

            0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

          • C:\Users\Admin\AppData\Roaming\njdKUZLNhC.js

            Filesize

            5KB

            MD5

            774056eb9cff6381f64e2c3450308480

            SHA1

            64c0ce514a5099f26f29704d4f26f997dcb01002

            SHA256

            0e6fb5c470045032112462913660c348ea900d428ea7d6eba247262a2f0d4ec8

            SHA512

            532650f4060f602e2d4c8f31c97a3293fefd77757835061ca9dd0ca01e8df479fff0cb5924af7bb9c97d30ff6317a9a3c73e81afcb643cc9b5037d6255ccaf03

          • \Users\Admin\AppData\Local\Temp\sqlite3.dll

            Filesize

            841KB

            MD5

            5fc6cd5d5ca1489d2a3c361717359a95

            SHA1

            5c630e232cd5761e7a611e41515be4afa3e7a141

            SHA256

            85c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81

            SHA512

            5f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792

          • memory/584-72-0x0000000075F51000-0x0000000075F53000-memory.dmp

            Filesize

            8KB

          • memory/584-71-0x00000000000C0000-0x00000000000ED000-memory.dmp

            Filesize

            180KB

          • memory/584-69-0x00000000003F0000-0x000000000047F000-memory.dmp

            Filesize

            572KB

          • memory/584-68-0x0000000002070000-0x0000000002373000-memory.dmp

            Filesize

            3.0MB

          • memory/584-65-0x000000004AA20000-0x000000004AA6C000-memory.dmp

            Filesize

            304KB

          • memory/584-66-0x00000000000C0000-0x00000000000ED000-memory.dmp

            Filesize

            180KB

          • memory/1256-70-0x0000000006530000-0x0000000006616000-memory.dmp

            Filesize

            920KB

          • memory/1256-63-0x0000000004A80000-0x0000000004BD5000-memory.dmp

            Filesize

            1.3MB

          • memory/1256-74-0x0000000006530000-0x0000000006616000-memory.dmp

            Filesize

            920KB

          • memory/1948-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

            Filesize

            8KB

          • memory/2020-62-0x0000000000250000-0x0000000000260000-memory.dmp

            Filesize

            64KB

          • memory/2020-61-0x00000000007C0000-0x0000000000AC3000-memory.dmp

            Filesize

            3.0MB

          • memory/2020-60-0x00000000012C0000-0x00000000012EF000-memory.dmp

            Filesize

            188KB