Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29/09/2022, 13:16
General
-
Target
Payment_Advice.pdf.exe
-
Size
780KB
-
MD5
86855fd89cf9d73b25db56cfddcb26bb
-
SHA1
c176adca26aefc687a5a89108b0276e0f8dfd22c
-
SHA256
6f74e80cc1e0428e9c04ade080df738cd9206a4ef51e55737af9c5b5d62ca7f4
-
SHA512
8b378e20dd307bc345ac2f800c62e9c2ac3235f782ef2fd5d8fe9b550ef82dc76182d6cb25bb592d918161da9bc5bbfd220c256848c993dcc2634721b6a12ce7
-
SSDEEP
12288:wA52iNUDjyTOhNWcAsmP55Fgf/JUni6a7n/W+ZHkOYLD:j1CfOsmP55mJOFa7//ZE5L
Malware Config
Extracted
formbook
nquy
a3sidprVANFTG0llIjdA
amYQhcIbS9blLB0=
GOqH7AZQZTYBOB8vWeHGwCVnUw==
kp1yw+EwVCesxslPY5gtZ2aiBcRa
zV/0O1+y47mCh6+5
uX0OU3R898WRBa/Rog==
6val8whPkGM9wuxTFGNI
ozzlSYzyF/XOgNSKG5fsoNYzkk+pxgDF
sHo2h6PuHfFwtOdTFGNI
xZ54yOceUB/thMxtzhp4wCVnUw==
s4pIou5HdD3C1snrARcqXw==
jiOqEVW81qEjTIs5ouY+1hZ3MGvCJg==
Nga3BkamwZ4gVmz0fb5KkYs=
DNeA3Bp8vJpd8VPogb5KkYs=
tbZjsdPoeu0sRcPUqA==
RToES3S3EqV3+g2XLLtFzOHPMXwE7JvN
+c+C3eYzcETJ8hehDlIno5I=
3KE0kK71Hf/ODgNTFGNI
MPrCqTAJbjGx
fkXl/0uKuIgIDPB+aeTYSA==
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.exe"3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
180KB
-
Filesize
572KB
-
Filesize
3.3MB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
808KB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
184KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB