Overview

overview

10

Static

static

Foreign Pa...pdf.js

windows7-x64

10

Foreign Pa...pdf.js

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-10-2022 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Foreign Payment swift_pdf.js

  • Size

    342KB

  • MD5

    4e474a544aa97316f1f1ddf56e9c5c70

  • SHA1

    b9775c6cf7a5c6c74b8d9ed1776d35a5a1d8f494

  • SHA256

    46af67f4a2a2c3d7bc6d8743941718c5abd1f3cacb0dd08f9a4c24651a843752

  • SHA512

    4ba58f40318d2582c43e84acb993bb8e9684a3b3955e771043e0742e309020e5482b6aeb5d437dea6c4ecd31ffcf9d6df8693b268c5ac187ba866c4f04d2fbaa

  • SSDEEP

    6144:q8OjK5gRBwhZ2FlbDsmxSvODgTEqEqSMa7Z3tFuQilEI64OHdlG:buKJUlHLxSWDyREqSMstFclEz37G

Score
10/10
formbookvjw0rmxrobratspywarestealertrojanworm

Malware Config

Extracted

Family

formbook

Campaign

xrob

Decoy

dV8FCtdWdnfMJ9thh8l/

IJG6Bh4iMeHVBHNp2MrpTA==

NhPKKtmQxnHYF/80

f4M2RhGEf3Ot13+qLrKqxb9f3dXj9Q==

A/689/MibSRBgkPkx07m+H+g

e8OOkUu9y/uYCMsdrR3s0mODmGw3d8t9Og==

gLN5bn+Zq1VQXmOOvw==

NFcQGvViY5sxmkty83Fde4GQhg==

XWMfFSM3f7GT9w==

Ih6vvqf9R8gDObM=

FGAlLASHlpLaUUKUJIwm9ABQ2Js=

v8R615LDC8iWchwv

m+u3rLUxScgDObM=

jc3eahERf7GT9w==

TYNBVDadkpTF76HeNl/rbwWtLSbyPzM=

j6NQmhWeOi2B

aqJocUfM3v97ryScY6EiSMbVyBak

V7nYOyEZKa2J/KKh5RMhJrbyK/eC/Q==

8zPsAt3ejcgDObM=

Rpe+BrGBzpGa9q8FHKpi

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\system32\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\Foreign Payment swift_pdf.js"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZilDzmhvTr.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:2232
      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3024
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:3428

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bin.exe
      Filesize

      185KB

      MD5

      26db0806c0871f293a77e5d5676e2fd8

      SHA1

      7c17ccce454d81bb999c04d45e9e4913969a73ee

      SHA256

      2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66

      SHA512

      0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bin.exe
      Filesize

      185KB

      MD5

      26db0806c0871f293a77e5d5676e2fd8

      SHA1

      7c17ccce454d81bb999c04d45e9e4913969a73ee

      SHA256

      2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66

      SHA512

      0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ZilDzmhvTr.js
      Filesize

      5KB

      MD5

      53b05290462c06f2a2989e52d53f6db8

      SHA1

      e1d348471435c8e436043a1887be65b865081b24

      SHA256

      2f36773b7bcb196289aaee5a765993bd484665840886645b4998f7a9bc97111c

      SHA512

      10b650bfb1191c57478f65aa34829a38943b71caedab4ea1844464c6c556dc8cddc9fe875d1c26ae40bec7e369ce2aa742333df68918c4a722bc165e45c7ecf1

      Download Submit

    • memory/1272-140-0x0000000008F10000-0x0000000009087000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1272-149-0x0000000008CB0000-0x0000000008DDC000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1272-147-0x0000000008CB0000-0x0000000008DDC000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3024-142-0x0000000000810000-0x000000000083F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3024-139-0x00000000011D0000-0x00000000011E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3024-138-0x0000000001680000-0x00000000019CA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3024-137-0x0000000000810000-0x000000000083F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4764-143-0x0000000000D40000-0x0000000000D97000-memory.dmp

      Filesize

      348KB

      Download

    • memory/4764-144-0x0000000000F50000-0x0000000000F7D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4764-145-0x00000000032E0000-0x000000000362A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4764-146-0x0000000003010000-0x000000000309F000-memory.dmp

      Filesize

      572KB

      Download

    • memory/4764-148-0x0000000000F50000-0x0000000000F7D000-memory.dmp

      Filesize

      180KB

      Download