Overview

overview

10

Static

static

1

E-dekont.pdf.exe

windows7-x64

10

E-dekont.pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-02-2023 10:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E-dekont.pdf.exe

  • Size

    266KB

  • MD5

    fbbdef7b1be694b9913a9e6e91681847

  • SHA1

    e81a9326b40b5d23b249ce018f3038172eeea087

  • SHA256

    eea29ccf59fa6a6aa5a3c14360db6068144f14601d987ec37ea21a35cdac9430

  • SHA512

    53613b4b7be5db5f0ae1d8ae744a46cbd2ae87838bae9f39381a2a120abfdcd0ebafad41859d5808a1cb786befd35c1af27a6f3e6308187c8841ffd408d9fded

  • SSDEEP

    6144:vYa6rCjol7mXbdsH7sXM5CErVGf0xWdEkw5U+mWINbles4lmA1C0Vl3qIhOP:vYB3lKdsH7Xj+vhF5N4R1PnW

Score
10/10
formbookme29ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

me29

Decoy

borne-selfie-valence.com

erccore.com

fontebono.com

58619.se

smartmetersystems.co.uk

defrag.team

az-architecture.com

healingthehoard.com

eqde.ru

kingsedubd.com

hoibeebu.net

findbesthomesolution.com

dinkdfw.com

alfa-outlet.com

claritybiometrics.video

lewshopok.cfd

crofton77.online

assetzstat.info

indianhillsequine.com

vetsclosetomylocation.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Local\Temp\E-dekont.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\E-dekont.pdf.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Users\Admin\AppData\Local\Temp\kbelhfem.exe
        "C:\Users\Admin\AppData\Local\Temp\kbelhfem.exe" C:\Users\Admin\AppData\Local\Temp\hvcxoiprr.iw
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\Users\Admin\AppData\Local\Temp\kbelhfem.exe
          "C:\Users\Admin\AppData\Local\Temp\kbelhfem.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4960
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\kbelhfem.exe"
        3⤵
          PID:4080

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\fnapkdxj.w
      Filesize

      205KB

      MD5

      226dc80ceb00b90d6adbb2f2da52f3eb

      SHA1

      daffcca2acd30a7864cb3d4e05198121a1ca1418

      SHA256

      e55ae09e59c5eb86d6db73308ef3134b346cf7954a17db1ed49bffa1da714962

      SHA512

      3a70a5734b72f666d7aa7d8ac449c65ee4a903edda486a3dd0bdc6235944cd237cefbabfc0817694fbffebba1ea01e75b2530765e1ce19729a971382ec4dbd48

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\hvcxoiprr.iw
      Filesize

      5KB

      MD5

      b2b83721d58addd770932eef88c22daa

      SHA1

      644099fa2e7e64f7f3d30f425bc73d11d8892622

      SHA256

      44c9382a88cc124ca3543d0344733bca34445894f28ae032acae54e81d30dd97

      SHA512

      a0cab248737e7fd6db5ebc8ff804e1f59f27d10c779ad6bcf6bc45ae54a652dda3f4eab5b6e42fa1c15ced1b7220c91a079023f33c0729e6e03181e2d2f9fd53

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\kbelhfem.exe
      Filesize

      63KB

      MD5

      05672db6a9fc4e8594bf3f4aefedaa2b

      SHA1

      c4b83ff5b9e076793422e1cab77d58a9c41faeca

      SHA256

      687fb4cf29fea51d6192be6492ddaded88a83f3722df92214478fe8627c4da73

      SHA512

      7735070f57c539f9c78a44f1b1735b46ac1f8ef0ad0ab961ab9b72b1537a62e9919f8cf8ac648a0eab9cadaf20645a717d52b67acc5bf7570a041136cbb19f17

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\kbelhfem.exe
      Filesize

      63KB

      MD5

      05672db6a9fc4e8594bf3f4aefedaa2b

      SHA1

      c4b83ff5b9e076793422e1cab77d58a9c41faeca

      SHA256

      687fb4cf29fea51d6192be6492ddaded88a83f3722df92214478fe8627c4da73

      SHA512

      7735070f57c539f9c78a44f1b1735b46ac1f8ef0ad0ab961ab9b72b1537a62e9919f8cf8ac648a0eab9cadaf20645a717d52b67acc5bf7570a041136cbb19f17

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\kbelhfem.exe
      Filesize

      63KB

      MD5

      05672db6a9fc4e8594bf3f4aefedaa2b

      SHA1

      c4b83ff5b9e076793422e1cab77d58a9c41faeca

      SHA256

      687fb4cf29fea51d6192be6492ddaded88a83f3722df92214478fe8627c4da73

      SHA512

      7735070f57c539f9c78a44f1b1735b46ac1f8ef0ad0ab961ab9b72b1537a62e9919f8cf8ac648a0eab9cadaf20645a717d52b67acc5bf7570a041136cbb19f17

      Download Submit

    • memory/2200-146-0x0000000001270000-0x000000000129F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2200-152-0x0000000001270000-0x000000000129F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2200-148-0x0000000003180000-0x00000000034CA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2200-150-0x0000000003020000-0x00000000030B3000-memory.dmp

      Filesize

      588KB

      Download

    • memory/2200-145-0x0000000000170000-0x00000000002AA000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2684-151-0x0000000007950000-0x0000000007A4A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/2684-149-0x00000000077C0000-0x0000000007942000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2684-142-0x00000000077C0000-0x0000000007942000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2684-153-0x0000000007950000-0x0000000007A4A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/4960-144-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4960-141-0x00000000006D0000-0x00000000006E4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4960-140-0x0000000000B60000-0x0000000000EAA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4960-139-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download