Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2022 14:53

General

  • Target

    PEDIDO pdf.exe

  • Size

    752KB

  • MD5

    e3698fc9d5c6152297de00168360d550

  • SHA1

    eb53bcf6fd90162cc5b3d74fd018e6a981919c43

  • SHA256

    26166c41b0a5364406a3c3f9c42d3f2bc3786aa5f32c71ee0675773bd7cc2125

  • SHA512

    7c3c6c80fbda902fbde5ff554147852295d7c9508f4237ca3fba8ce03e7ae94cabb8d259f01dcd029036c5b7e845ac6c657a7638b5e9319ff66f6f298d9e55f2

  • SSDEEP

    12288:mUdLctyTcf0hA/p4f2MjHJJY90LmRO1oTznmbhMGg3g43XR8:0UT40a/p4f2QLmEiTznmbvg3R3XR8

Malware Config

Extracted

Family

formbook

Campaign

asdo

Decoy

31/RFVD/FFkpCuo=

LS2evkT1Hf54yJ3A01ZhjLFKSw==

Dw25w8eoM4HRQ9T8YA==

F2rI9TgH1uCf

VOuuxD/qTPifG/QDJ76coQ==

9smUEHwvvAcD3rnTM3IZg7fh

k4RlZq6jXYrfEg==

1+E7QsiGloB8qoio4Oh/

dALS/H0nMg+jCtM1RpZ+

thNv9GMouDLIFvESJ76coQ==

Tc54uifIU66mck2hvrtXnVbp

cINUAYgiqlkpCuo=

ma2AwPyPmpxd2bPRMksak0T7uEg9kA==

RlMlYJ9UpFIz7dg1RpZ+

klG+mNmHrHcFhmZ12SNGhmN+0f6MaMs=

V/nT2VgHD+hito+tBumEzTyVl5g=

0Zto8FjseN7v8MAW6ZkZg7fh

gbGlkddlXYrfEg==

pymXGHouvjhnKg8+qD8bLcY=

VelU01Tk/+CzegtywL4=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1232
    • C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:828
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe"
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            5⤵
              PID:2036

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Collection

    Data from Local System

    1
    T1005

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      831KB

      MD5

      05ace2f6d9bef6fd9bbd05ee5262a1f2

      SHA1

      5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59

      SHA256

      002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc

      SHA512

      1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc

    • memory/828-70-0x0000000000190000-0x00000000001A0000-memory.dmp
      Filesize

      64KB

    • memory/828-77-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

    • memory/828-69-0x0000000000A40000-0x0000000000D43000-memory.dmp
      Filesize

      3.0MB

    • memory/828-73-0x00000000001D0000-0x00000000001E0000-memory.dmp
      Filesize

      64KB

    • memory/828-76-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/828-60-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/828-61-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/828-63-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/828-64-0x00000000004012B0-mapping.dmp
    • memory/828-66-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/828-67-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/828-68-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

    • memory/1232-83-0x0000000005F20000-0x000000000601D000-memory.dmp
      Filesize

      1012KB

    • memory/1232-74-0x0000000003DE0000-0x0000000003E93000-memory.dmp
      Filesize

      716KB

    • memory/1232-85-0x0000000005F20000-0x000000000601D000-memory.dmp
      Filesize

      1012KB

    • memory/1232-71-0x00000000026E0000-0x00000000027AC000-memory.dmp
      Filesize

      816KB

    • memory/1708-80-0x00000000000D0000-0x00000000000FD000-memory.dmp
      Filesize

      180KB

    • memory/1708-75-0x0000000000000000-mapping.dmp
    • memory/1708-81-0x0000000002120000-0x0000000002423000-memory.dmp
      Filesize

      3.0MB

    • memory/1708-79-0x0000000000D10000-0x0000000000D1E000-memory.dmp
      Filesize

      56KB

    • memory/1708-84-0x00000000000D0000-0x00000000000FD000-memory.dmp
      Filesize

      180KB

    • memory/1708-82-0x0000000000A60000-0x0000000000AEF000-memory.dmp
      Filesize

      572KB

    • memory/1992-56-0x00000000005B0000-0x00000000005C0000-memory.dmp
      Filesize

      64KB

    • memory/1992-58-0x0000000005150000-0x00000000051C0000-memory.dmp
      Filesize

      448KB

    • memory/1992-55-0x00000000754E1000-0x00000000754E3000-memory.dmp
      Filesize

      8KB

    • memory/1992-54-0x0000000000F30000-0x0000000000FF2000-memory.dmp
      Filesize

      776KB

    • memory/1992-59-0x0000000004400000-0x0000000004434000-memory.dmp
      Filesize

      208KB

    • memory/1992-57-0x00000000005E0000-0x00000000005EA000-memory.dmp
      Filesize

      40KB