Analysis
-
max time kernel
150s -
max time network
179s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
10-12-2022 08:53
General
-
Target
DHL Consignment Details_pdf.exe
-
Size
1.0MB
-
MD5
a3f9e308045c0becd406e09bc06acc08
-
SHA1
5d8df88d170f59ebe6ebbe3c816406cda30a64f7
-
SHA256
4167987df2a1b3583bc8cf5a97fb1cebf68ccbc9a627e8b5c156d30413ebb139
-
SHA512
375c7cf2c03841eb7bc9113da6294e9a05a4a65c88b77e0f9f1d5161e84814ed6302b0a42f3882c339e149fb4cc94803b39f114780fbbc8ec238d9130e09976f
-
SSDEEP
24576:rhfC0AD3BXx4qpgqNzB/eV6meR+K1VQljpDpF07:EnBXx4oJBWV6meAEQZpm
Score
10/10
Malware Config
Extracted
Family
formbook
Version
4.1
Campaign
g28p
Decoy
whhmgs.asia
wellmedcaredirect.net
beggarded.com
wtpjiv.site
todo-celulares.com
parkitny.net
43345.top
pro-genie.com
cwdxz.com
cbc-inc.xyz
healthspots.net
rulil.top
pyramidaudit.solutions
k8sb15.live
hempaware.report
usclink.life
stayefs.net
05262.top
shop-izakaya-jin.com
iccworldcupnews.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 5 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/628-74-0x0000000000000000-mapping.dmp
-
memory/772-67-0x0000000000920000-0x0000000000C23000-memory.dmpFilesize
3.0MB
-
memory/772-68-0x0000000000170000-0x0000000000184000-memory.dmpFilesize
80KB
-
memory/772-60-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/772-61-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/772-64-0x000000000041F100-mapping.dmp
-
memory/772-63-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/772-66-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1204-78-0x0000000003E30000-0x0000000003ED7000-memory.dmpFilesize
668KB
-
memory/1204-77-0x0000000003E30000-0x0000000003ED7000-memory.dmpFilesize
668KB
-
memory/1204-69-0x00000000060D0000-0x00000000061B6000-memory.dmpFilesize
920KB
-
memory/1368-72-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/1368-70-0x0000000000000000-mapping.dmp
-
memory/1368-71-0x0000000000D80000-0x0000000000D9B000-memory.dmpFilesize
108KB
-
memory/1368-73-0x00000000021A0000-0x00000000024A3000-memory.dmpFilesize
3.0MB
-
memory/1368-75-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/1368-76-0x0000000000AF0000-0x0000000000B83000-memory.dmpFilesize
588KB
-
memory/1956-59-0x0000000004B80000-0x0000000004C02000-memory.dmpFilesize
520KB
-
memory/1956-58-0x0000000007FE0000-0x000000000809A000-memory.dmpFilesize
744KB
-
memory/1956-54-0x0000000000E40000-0x0000000000F48000-memory.dmpFilesize
1.0MB
-
memory/1956-57-0x0000000000510000-0x000000000051E000-memory.dmpFilesize
56KB
-
memory/1956-56-0x00000000004F0000-0x000000000050A000-memory.dmpFilesize
104KB
-
memory/1956-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmpFilesize
8KB