Analysis
-
max time kernel
147s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
15-03-2023 09:40
Static task
static1
Behavioral task
behavioral1
Sample
NEWCUSTOMER-PDF.exe
Resource
win7-20230220-en
General
-
Target
NEWCUSTOMER-PDF.exe
-
Size
762KB
-
MD5
d0c1e2d3400adbc801fb564688620041
-
SHA1
499c664b4170c484c661286d02135186ae5e77f8
-
SHA256
77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6
-
SHA512
28a8dde829add33a2550e668461e2b1899982ae49c9733dc29118a2ce8bcff8903924049fcb964e6b6faee41b303c49decda52de9c08b6349d2dcc16c08a9c74
-
SSDEEP
12288:ZCvwk/wjZBHYBcLnCdP9+V7ywfxxM+fd6BVvhazSUQxHIugLrxhS/ESBoYXJGRTw:ZCvwIkBaf+RTG+fdifRFgLjS/7nJT
Malware Config
Extracted
formbook
4.1
h3sc
seemessage.com
bitlab.website
cheesestuff.ru
bhartiyafitness.com
bardapps.com
l7a4.com
chiara-samatanga.com
lesrollintioup.com
dropwc.com
mackey242.com
rackksfresheggs.com
thinkvlog.com
aidmedicalassist.com
firehousepickleball.net
sifreyonetici.com
teka-mart.com
ddttzone.xyz
macfeeupdate.com
ivocastillo.com
serjayparks.com
uptimeps.cfd
prioritivity.com
linjia.cfd
rentmobil99.com
amazonpublicationhouse.com
wisconsinprivatelenders.com
emavgrfcolvin.click
navegadornet.tech
extremetension.com
hpm8cnb5s2vqr.com
sxhjdp.com
breathevitality.com
easyshopalgeria.com
profibex.com
3546464356.top
shopanml.space
andhra2telangana.com
b4pizzeria.click
thehealingcoaches.com
theantalyas37d.com
tyuuhai.site
look.fashion
zbzhaochang.com
emmettis.com
data4u-e.shop
dawnzdesignzz.com
modulatic.com
measuremateshop.com
5starseptics.com
zexalin.top
r693.xyz
techcryptoreview.com
singiteasy.store
portpay.site
holmtransport.com
zkdwvtg.top
nonetdc.xyz
customerservicesafesteptub.com
myhandmadeheaven.com
prostockdirect.store
vppq.buzz
malibu5.com
alexfallah.com
93oo.top
illatales.com
Signatures
-
Formbook payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1484-71-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1260-73-0x0000000002510000-0x0000000002550000-memory.dmp formbook behavioral1/memory/1484-74-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1260-76-0x0000000002510000-0x0000000002550000-memory.dmp formbook behavioral1/memory/1496-81-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook -
Suspicious use of SetThreadContext 3 IoCs
Processes:
NEWCUSTOMER-PDF.exeNEWCUSTOMER-PDF.exesystray.exedescription pid process target process PID 2036 set thread context of 1484 2036 NEWCUSTOMER-PDF.exe NEWCUSTOMER-PDF.exe PID 1484 set thread context of 1352 1484 NEWCUSTOMER-PDF.exe Explorer.EXE PID 1496 set thread context of 1352 1496 systray.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
systray.exedescription ioc process Key created \Registry\User\S-1-5-21-3948302646-268491222-1934009652-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 systray.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
NEWCUSTOMER-PDF.exepowershell.exesystray.exepid process 1484 NEWCUSTOMER-PDF.exe 1484 NEWCUSTOMER-PDF.exe 1260 powershell.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1352 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
NEWCUSTOMER-PDF.exesystray.exepid process 1484 NEWCUSTOMER-PDF.exe 1484 NEWCUSTOMER-PDF.exe 1484 NEWCUSTOMER-PDF.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe 1496 systray.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
NEWCUSTOMER-PDF.exepowershell.exesystray.exedescription pid process Token: SeDebugPrivilege 1484 NEWCUSTOMER-PDF.exe Token: SeDebugPrivilege 1260 powershell.exe Token: SeDebugPrivilege 1496 systray.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1352 Explorer.EXE 1352 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1352 Explorer.EXE 1352 Explorer.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
NEWCUSTOMER-PDF.exeExplorer.EXEsystray.exedescription pid process target process PID 2036 wrote to memory of 1260 2036 NEWCUSTOMER-PDF.exe powershell.exe PID 2036 wrote to memory of 1260 2036 NEWCUSTOMER-PDF.exe powershell.exe PID 2036 wrote to memory of 1260 2036 NEWCUSTOMER-PDF.exe powershell.exe PID 2036 wrote to memory of 1260 2036 NEWCUSTOMER-PDF.exe powershell.exe PID 2036 wrote to memory of 860 2036 NEWCUSTOMER-PDF.exe schtasks.exe PID 2036 wrote to memory of 860 2036 NEWCUSTOMER-PDF.exe schtasks.exe PID 2036 wrote to memory of 860 2036 NEWCUSTOMER-PDF.exe schtasks.exe PID 2036 wrote to memory of 860 2036 NEWCUSTOMER-PDF.exe schtasks.exe PID 2036 wrote to memory of 1484 2036 NEWCUSTOMER-PDF.exe NEWCUSTOMER-PDF.exe PID 2036 wrote to memory of 1484 2036 NEWCUSTOMER-PDF.exe NEWCUSTOMER-PDF.exe PID 2036 wrote to memory of 1484 2036 NEWCUSTOMER-PDF.exe NEWCUSTOMER-PDF.exe PID 2036 wrote to memory of 1484 2036 NEWCUSTOMER-PDF.exe NEWCUSTOMER-PDF.exe PID 2036 wrote to memory of 1484 2036 NEWCUSTOMER-PDF.exe NEWCUSTOMER-PDF.exe PID 2036 wrote to memory of 1484 2036 NEWCUSTOMER-PDF.exe NEWCUSTOMER-PDF.exe PID 2036 wrote to memory of 1484 2036 NEWCUSTOMER-PDF.exe NEWCUSTOMER-PDF.exe PID 1352 wrote to memory of 1496 1352 Explorer.EXE systray.exe PID 1352 wrote to memory of 1496 1352 Explorer.EXE systray.exe PID 1352 wrote to memory of 1496 1352 Explorer.EXE systray.exe PID 1352 wrote to memory of 1496 1352 Explorer.EXE systray.exe PID 1496 wrote to memory of 1812 1496 systray.exe Firefox.exe PID 1496 wrote to memory of 1812 1496 systray.exe Firefox.exe PID 1496 wrote to memory of 1812 1496 systray.exe Firefox.exe PID 1496 wrote to memory of 1812 1496 systray.exe Firefox.exe PID 1496 wrote to memory of 1812 1496 systray.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NEWCUSTOMER-PDF.exe"C:\Users\Admin\AppData\Local\Temp\NEWCUSTOMER-PDF.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UdaCiZJIbbVG.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UdaCiZJIbbVG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB9A.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\NEWCUSTOMER-PDF.exe"C:\Users\Admin\AppData\Local\Temp\NEWCUSTOMER-PDF.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpCB9A.tmpFilesize
1KB
MD57b7f71b3e0590299fc5d9a19b987f7ed
SHA1903d1999d1b3f316768258d1e8c5e917342818ed
SHA256bfb163edb432cee444f76d5a797978c789313efc52b45b2708abd4ddaecf736a
SHA5122d041c6b039c5909a83c73c71b52b0930cb438b5e5a0818b91200873809331d6a712ec832a9be8ed54dc867d5b4401274b24c78de8add9557430456f09b3f093
-
C:\Users\Admin\AppData\Roaming\5M25R11A\5M2logim.jpegFilesize
66KB
MD5690213bad75d16181d671d53cb4d769c
SHA1658d3c465bd4393ccf4c31dc51adab006b732645
SHA25655df8836f8af7b374bc345f773c6c75487cebdc4ab6af95123fd672bf5bf37fe
SHA51255669f2f622354d961556cb31f74413bbaae9312a3ae6b614a31266c7bdc5ebf8bf8a74a4eb57403a58d9fc37e3619f3e37f9563f73e8f8b532d199770fd3250
-
C:\Users\Admin\AppData\Roaming\5M25R11A\5M2logrf.iniFilesize
40B
MD52f245469795b865bdd1b956c23d7893d
SHA16ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA2561662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
-
C:\Users\Admin\AppData\Roaming\5M25R11A\5M2logri.iniFilesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\5M25R11A\5M2logrv.iniFilesize
40B
MD5ba3b6bc807d4f76794c4b81b09bb9ba5
SHA124cb89501f0212ff3095ecc0aba97dd563718fb1
SHA2566eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
-
memory/1260-73-0x0000000002510000-0x0000000002550000-memory.dmpFilesize
256KB
-
memory/1260-76-0x0000000002510000-0x0000000002550000-memory.dmpFilesize
256KB
-
memory/1352-94-0x0000000006FC0000-0x00000000070FF000-memory.dmpFilesize
1.2MB
-
memory/1352-90-0x0000000006FC0000-0x00000000070FF000-memory.dmpFilesize
1.2MB
-
memory/1352-89-0x0000000006FC0000-0x00000000070FF000-memory.dmpFilesize
1.2MB
-
memory/1352-78-0x0000000006980000-0x0000000006B2D000-memory.dmpFilesize
1.7MB
-
memory/1484-68-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1484-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1484-71-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1484-69-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1484-74-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1484-75-0x0000000000B40000-0x0000000000E43000-memory.dmpFilesize
3.0MB
-
memory/1484-77-0x0000000000190000-0x00000000001A5000-memory.dmpFilesize
84KB
-
memory/1496-82-0x0000000002010000-0x0000000002313000-memory.dmpFilesize
3.0MB
-
memory/1496-80-0x0000000000930000-0x0000000000935000-memory.dmpFilesize
20KB
-
memory/1496-81-0x00000000000C0000-0x00000000000EF000-memory.dmpFilesize
188KB
-
memory/1496-88-0x0000000001D40000-0x0000000001DD4000-memory.dmpFilesize
592KB
-
memory/1496-79-0x0000000000930000-0x0000000000935000-memory.dmpFilesize
20KB
-
memory/1496-93-0x0000000001D40000-0x0000000001DD4000-memory.dmpFilesize
592KB
-
memory/2036-54-0x0000000000A70000-0x0000000000B34000-memory.dmpFilesize
784KB
-
memory/2036-67-0x0000000004DE0000-0x0000000004E18000-memory.dmpFilesize
224KB
-
memory/2036-64-0x0000000002160000-0x0000000002168000-memory.dmpFilesize
32KB
-
memory/2036-58-0x0000000005810000-0x00000000058C0000-memory.dmpFilesize
704KB
-
memory/2036-57-0x00000000003A0000-0x00000000003AC000-memory.dmpFilesize
48KB
-
memory/2036-56-0x0000000000510000-0x000000000052E000-memory.dmpFilesize
120KB
-
memory/2036-55-0x0000000004D50000-0x0000000004D90000-memory.dmpFilesize
256KB