Analysis
-
max time kernel
152s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2022 09:51
Static task
static1
Behavioral task
behavioral1
Sample
img1100020222911pdf.exe
Resource
win7-20221111-en
General
-
Target
img1100020222911pdf.exe
-
Size
228KB
-
MD5
d74737867056221a34fb0f606f46b695
-
SHA1
26605c664c9b4b3bd1f007fa1068abb0bbfaf265
-
SHA256
8dec08c523bc61d2d8da23da4d82ff33e89f69c7478578af3623f9411e1a38d0
-
SHA512
5451a474a6cc55f220b43bfe0b65fe9ed2b7c66dfef0ab33b22e9b8fce26929235073ecd820681087100035b6091acf7106f927a98ca801696aa5e89c89901f4
-
SSDEEP
6144:QBn1GdcqsCyQBYm/Zyo49qd/XvU1jO6IJO:gONsCyQBPsvmyjO6yO
Malware Config
Extracted
formbook
4.1
mi08
mytimebabes.com
ycpxb.com
abdkaplani.com
cloudingersoftech.com
fthfire.xyz
christyna.work
3d-add-on.com
knowyourtechdeals.com
kcl24.com
sepatubiker.com
sunnyboy.live
zrbsq.com
rinpari.com
lesac-berra.com
yes820.com
cnnorman.com
mystichousedv.com
sbobet888auto.com
gawiul.xyz
luispenas.com
whdchb.com
094am.com
fkwjs.xyz
batobo.online
mathswatchbot.com
bereketvadisi.com
additionmovies.xyz
zgqc168.com
xamango.com
1cpi1s0u7qcuj1xus5cg1fezo1k.com
b4xy.top
owicz.com
impulseamtt.com
247plumbers.monster
tradersource.online
decrimatx.com
my-vero.com
zgshdbhy.com
cab24seven.com
adultnnewspalace.com
volpi-venture.com
pixpotengi.link
zzjyswx.xyz
xn--90aiiithifm8h.com
nextdaybannerstands.com
uniquehandicraft.store
securityapp.top
mugexpert.net
magaa.xyz
omegaverse.wiki
owlsomeclothing.com
pegasuspadel.club
d-esig-n.site
alrate.top
simplyhillpisya.monster
mentawaisurfboat.com
nwjfypy.xyz
pgcbl.online
adultarivaj.com
juicyhookahinc.com
thewisestonellc.com
it32mgn.store
coco-vista.com
cremation-services-53998.com
grassi.uno
Signatures
-
Formbook payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4952-139-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/4920-146-0x0000000000D20000-0x0000000000D4F000-memory.dmp formbook behavioral2/memory/4920-149-0x0000000000D20000-0x0000000000D4F000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
Processes:
eshbtmyh.exeeshbtmyh.exepid process 5016 eshbtmyh.exe 4952 eshbtmyh.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
eshbtmyh.exeeshbtmyh.exeNETSTAT.EXEdescription pid process target process PID 5016 set thread context of 4952 5016 eshbtmyh.exe eshbtmyh.exe PID 4952 set thread context of 2576 4952 eshbtmyh.exe Explorer.EXE PID 4920 set thread context of 2576 4920 NETSTAT.EXE Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
NETSTAT.EXEpid process 4920 NETSTAT.EXE -
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
eshbtmyh.exeNETSTAT.EXEpid process 4952 eshbtmyh.exe 4952 eshbtmyh.exe 4952 eshbtmyh.exe 4952 eshbtmyh.exe 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE 4920 NETSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2576 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
eshbtmyh.exeeshbtmyh.exeNETSTAT.EXEpid process 5016 eshbtmyh.exe 4952 eshbtmyh.exe 4952 eshbtmyh.exe 4952 eshbtmyh.exe 4920 NETSTAT.EXE 4920 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
eshbtmyh.exeNETSTAT.EXEdescription pid process Token: SeDebugPrivilege 4952 eshbtmyh.exe Token: SeDebugPrivilege 4920 NETSTAT.EXE -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
img1100020222911pdf.exeeshbtmyh.exeExplorer.EXENETSTAT.EXEdescription pid process target process PID 808 wrote to memory of 5016 808 img1100020222911pdf.exe eshbtmyh.exe PID 808 wrote to memory of 5016 808 img1100020222911pdf.exe eshbtmyh.exe PID 808 wrote to memory of 5016 808 img1100020222911pdf.exe eshbtmyh.exe PID 5016 wrote to memory of 4952 5016 eshbtmyh.exe eshbtmyh.exe PID 5016 wrote to memory of 4952 5016 eshbtmyh.exe eshbtmyh.exe PID 5016 wrote to memory of 4952 5016 eshbtmyh.exe eshbtmyh.exe PID 5016 wrote to memory of 4952 5016 eshbtmyh.exe eshbtmyh.exe PID 2576 wrote to memory of 4920 2576 Explorer.EXE NETSTAT.EXE PID 2576 wrote to memory of 4920 2576 Explorer.EXE NETSTAT.EXE PID 2576 wrote to memory of 4920 2576 Explorer.EXE NETSTAT.EXE PID 4920 wrote to memory of 2732 4920 NETSTAT.EXE cmd.exe PID 4920 wrote to memory of 2732 4920 NETSTAT.EXE cmd.exe PID 4920 wrote to memory of 2732 4920 NETSTAT.EXE cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\img1100020222911pdf.exe"C:\Users\Admin\AppData\Local\Temp\img1100020222911pdf.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe"C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe" C:\Users\Admin\AppData\Local\Temp\artrnvmjmeh.uz3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe"C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe" C:\Users\Admin\AppData\Local\Temp\artrnvmjmeh.uz4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
-
-
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe"3⤵PID:2732
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5bf08797130b2716c878ce43694b70a00
SHA147cb8c4548094999b211f9c33dd5228cb069189d
SHA256bf771c640f25137bc6d7f6a4d5ec4efa9b6ee66e7c6515dfcbaa7a9fcb52aa38
SHA512e07763b41c1570b7dbc9ddd6921cd02b0494b7e4bd67e751ec3de990f780ccad1aa15a4f61f3bd498ae0bf3a663a819b9e7fb6b6ce48de95912a4b5d8206a7ab
-
Filesize
59KB
MD5c23565b815af9468d59e97b63aadce26
SHA151fe24f24c98738ce936d9f9a66d759297018729
SHA256511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6
SHA5129553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6
-
Filesize
59KB
MD5c23565b815af9468d59e97b63aadce26
SHA151fe24f24c98738ce936d9f9a66d759297018729
SHA256511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6
SHA5129553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6
-
Filesize
59KB
MD5c23565b815af9468d59e97b63aadce26
SHA151fe24f24c98738ce936d9f9a66d759297018729
SHA256511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6
SHA5129553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6
-
Filesize
185KB
MD5732eb533f6228a0f63b83dc52a820b45
SHA17994ca7bc8f02de4793a4de85c20dc55e18b2018
SHA2564635d82c00779c583704bb744fe7d8d242d1d3e3aaf26bd0ed452885e4de7af0
SHA5121b583f852f992e6656ad578749ed9d9e54bd9b262d98860afbd03332a3cd5cf11d9d566a23462283ac9c03e89f0473f0f9812e01c37cf62a3444fd970c7fdd61