Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 23-03-2023 07:27

Static task: static1
Behavioral task: behavioral1
- Sample: E-dekont.pdf.exe
- Resource: win7-20230220-en
General
- Target: E-dekont.pdf.exe
- Size: 259KB
- MD5: d40c752afda958acd686a4cdc7d6ae9f
- SHA1: 026b08860087225aef946bf2d57659c9fb839287
- SHA256: 60d85cc9cdf5ea1c43d698843974eb8ed2a5acb05443ab1a0d24e237438a5b7b
- SHA512: eb22b3267fe94bfb866a5293877a4100e7f4dd5825cec2ad1875b33e5d711eb4a4258e27ae73e7df28d38a687e372163013c6a41437f7b2e5ae676aa2569e811
- SSDEEP: 6144:PYa6FB67K+gdNGetVdBOrpZWcTUDMDJ+p5lAlnTnc4gexmTnQvx:PYPBKK+ylrCpZWdADJYalTxx
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: me29
Signatures
-
Formbook payload (5 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/1324-68-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
- behavioral1/memory/1324-74-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
- behavioral1/memory/1324-80-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
- behavioral1/memory/600-85-0x00000000000C0000-0x00000000000EF000-memory.dmp  formbook
- behavioral1/memory/600-87-0x00000000000C0000-0x00000000000EF000-memory.dmp  formbook
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 2012  fyuuneheum.exe
- 1324  fyuuneheum.exe
Loads dropped DLL (3 IoCs)
Processes (pid, process):
- 832  E-dekont.pdf.exe
- 832  E-dekont.pdf.exe
- 2012  fyuuneheum.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes (description; pid process; target process):
- PID 2012 set thread context of 1324; 2012 fyuuneheum.exe; fyuuneheum.exe
- PID 1324 set thread context of 1216; 1324 fyuuneheum.exe; Explorer.EXE
- PID 1324 set thread context of 1216; 1324 fyuuneheum.exe; Explorer.EXE
- PID 600 set thread context of 1216; 600 explorer.exe; Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes (pid, process):
- 1324  fyuuneheum.exe  (3 entries)
- 600  explorer.exe  (25 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- 1216  Explorer.EXE
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes (pid, process):
- 2012  fyuuneheum.exe
- 1324  fyuuneheum.exe  (4 entries)
- 600  explorer.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description; pid process):
- Token: SeDebugPrivilege; 1324 fyuuneheum.exe
- Token: SeDebugPrivilege; 600 explorer.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 1216  Explorer.EXE  (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid, process):
- 1216  Explorer.EXE  (2 entries)
Suspicious use of UnmapMainImage (1 IoCs)
Processes (pid, process):
- 1216  Explorer.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description; pid process; target process):
- PID 832 wrote to memory of 2012; 832 E-dekont.pdf.exe; fyuuneheum.exe  (4 entries)
- PID 2012 wrote to memory of 1324; 2012 fyuuneheum.exe; fyuuneheum.exe  (5 entries)
- PID 1216 wrote to memory of 600; 1216 Explorer.EXE; explorer.exe  (4 entries)
- PID 600 wrote to memory of 1672; 600 explorer.exe; cmd.exe  (4 entries)
Processes
- C:\Windows\Explorer.EXE  (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\E-dekont.pdf.exe  (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\E-dekont.pdf.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe  (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe" C:\Users\Admin\AppData\Local\Temp\vxnul.fw
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe  (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\explorer.exe  (level 2)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  (level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe
  Filesize: 54KB
  MD5: 31e418e9a6165211889edbd232e8d698
  SHA1: f5e146e02a645e22f673bcd72ae5e2588ab6f5ca
  SHA256: 674515d601d2b10d3716d09aa57d7d8615f31b2725275b1e176fc83523314a17
  SHA512: 9691de64034725aad439314e1ee2aeedf997b9c0ece9654c352e94d5610e081e682005c4046def8be6b63ab09f964be4f6482f6e8314480397ad0d3ab48e2472
-
C:\Users\Admin\AppData\Local\Temp\hzmiwq.r
  Filesize: 205KB
  MD5: 0d4ca49288cb5a35b789b797de75bbe1
  SHA1: 13d034db8af8bbf9b25d34a6b21c5555a1546438
  SHA256: 4996d443fc9d26e0e6ca3b759fe6da99f29b7308bdf6bd17cd9101447ce09927
  SHA512: ebbf829ce8e0ed59d56924675702af04e56fff68da9f10d1fe5acaeb8039767ba39c7bf83b6346b82b874bb3418af69ef56373a16d276b1adaac8aebc44b70f7
-
C:\Users\Admin\AppData\Local\Temp\vxnul.fw
  Filesize: 5KB
  MD5: a1b70397f5f23f822208118e5efd3d5c
  SHA1: b03433b5d2c9f22d3b7f3c19153608401f5b73e9
  SHA256: cdece9b32b8c0cd61fe6e4b369b04e54f6345e147764d28a3d36750d57862141
  SHA512: bf8c48f18377d7a67dcd9f1833bba341b380dedbdc4058a60f13cd504e0a27cd14bd8fecbd3aa939173a959ecf6f1df3c5108a5265a680ed52d0b3fa3b83fd07
-
\Users\Admin\AppData\Local\Temp\fyuuneheum.exe
  Filesize: 54KB
  MD5: 31e418e9a6165211889edbd232e8d698
  SHA1: f5e146e02a645e22f673bcd72ae5e2588ab6f5ca
  SHA256: 674515d601d2b10d3716d09aa57d7d8615f31b2725275b1e176fc83523314a17
  SHA512: 9691de64034725aad439314e1ee2aeedf997b9c0ece9654c352e94d5610e081e682005c4046def8be6b63ab09f964be4f6482f6e8314480397ad0d3ab48e2472
-
Memory dumps (resource, Filesize):
- memory/600-81-0x0000000000500000-0x0000000000781000-memory.dmp  2.5MB
- memory/600-84-0x0000000000500000-0x0000000000781000-memory.dmp  2.5MB
- memory/600-90-0x0000000000A90000-0x0000000000B23000-memory.dmp  588KB
- memory/600-87-0x00000000000C0000-0x00000000000EF000-memory.dmp  188KB
- memory/600-86-0x0000000002430000-0x0000000002733000-memory.dmp  3.0MB
- memory/600-85-0x00000000000C0000-0x00000000000EF000-memory.dmp  188KB
- memory/1216-76-0x0000000004AB0000-0x0000000004BFD000-memory.dmp  1.3MB
- memory/1216-79-0x0000000004D00000-0x0000000004E69000-memory.dmp  1.4MB
- memory/1216-72-0x00000000039A0000-0x0000000003AA0000-memory.dmp  1024KB
- memory/1216-91-0x0000000004100000-0x00000000041EC000-memory.dmp  944KB
- memory/1216-92-0x0000000004100000-0x00000000041EC000-memory.dmp  944KB
- memory/1216-94-0x0000000004100000-0x00000000041EC000-memory.dmp  944KB
- memory/1324-80-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
- memory/1324-68-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
- memory/1324-78-0x0000000000390000-0x00000000003A4000-memory.dmp  80KB
- memory/1324-75-0x0000000000290000-0x00000000002A4000-memory.dmp  80KB
- memory/1324-74-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
- memory/1324-73-0x0000000000900000-0x0000000000C03000-memory.dmp  3.0MB