Overview

overview

10

Static

static

1

E-dekont.pdf.exe

windows7-x64

10

E-dekont.pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    23-03-2023 07:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E-dekont.pdf.exe

  • Size

    259KB

  • MD5

    d40c752afda958acd686a4cdc7d6ae9f

  • SHA1

    026b08860087225aef946bf2d57659c9fb839287

  • SHA256

    60d85cc9cdf5ea1c43d698843974eb8ed2a5acb05443ab1a0d24e237438a5b7b

  • SHA512

    eb22b3267fe94bfb866a5293877a4100e7f4dd5825cec2ad1875b33e5d711eb4a4258e27ae73e7df28d38a687e372163013c6a41437f7b2e5ae676aa2569e811

  • SSDEEP

    6144:PYa6FB67K+gdNGetVdBOrpZWcTUDMDJ+p5lAlnTnc4gexmTnQvx:PYPBKK+ylrCpZWdADJYalTxx

Score
10/10
formbookme29ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

me29

Decoy

borne-selfie-valence.com

erccore.com

fontebono.com

58619.se

smartmetersystems.co.uk

defrag.team

az-architecture.com

healingthehoard.com

eqde.ru

kingsedubd.com

hoibeebu.net

findbesthomesolution.com

dinkdfw.com

alfa-outlet.com

claritybiometrics.video

lewshopok.cfd

crofton77.online

assetzstat.info

indianhillsequine.com

vetsclosetomylocation.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\E-dekont.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\E-dekont.pdf.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe
        "C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe" C:\Users\Admin\AppData\Local\Temp\vxnul.fw
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe
          "C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1324
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:600
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe"
        3⤵
          PID:1672

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe
      Filesize

      54KB

      MD5

      31e418e9a6165211889edbd232e8d698

      SHA1

      f5e146e02a645e22f673bcd72ae5e2588ab6f5ca

      SHA256

      674515d601d2b10d3716d09aa57d7d8615f31b2725275b1e176fc83523314a17

      SHA512

      9691de64034725aad439314e1ee2aeedf997b9c0ece9654c352e94d5610e081e682005c4046def8be6b63ab09f964be4f6482f6e8314480397ad0d3ab48e2472

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe
      Filesize

      54KB

      MD5

      31e418e9a6165211889edbd232e8d698

      SHA1

      f5e146e02a645e22f673bcd72ae5e2588ab6f5ca

      SHA256

      674515d601d2b10d3716d09aa57d7d8615f31b2725275b1e176fc83523314a17

      SHA512

      9691de64034725aad439314e1ee2aeedf997b9c0ece9654c352e94d5610e081e682005c4046def8be6b63ab09f964be4f6482f6e8314480397ad0d3ab48e2472

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe
      Filesize

      54KB

      MD5

      31e418e9a6165211889edbd232e8d698

      SHA1

      f5e146e02a645e22f673bcd72ae5e2588ab6f5ca

      SHA256

      674515d601d2b10d3716d09aa57d7d8615f31b2725275b1e176fc83523314a17

      SHA512

      9691de64034725aad439314e1ee2aeedf997b9c0ece9654c352e94d5610e081e682005c4046def8be6b63ab09f964be4f6482f6e8314480397ad0d3ab48e2472

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\fyuuneheum.exe
      Filesize

      54KB

      MD5

      31e418e9a6165211889edbd232e8d698

      SHA1

      f5e146e02a645e22f673bcd72ae5e2588ab6f5ca

      SHA256

      674515d601d2b10d3716d09aa57d7d8615f31b2725275b1e176fc83523314a17

      SHA512

      9691de64034725aad439314e1ee2aeedf997b9c0ece9654c352e94d5610e081e682005c4046def8be6b63ab09f964be4f6482f6e8314480397ad0d3ab48e2472

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\hzmiwq.r
      Filesize

      205KB

      MD5

      0d4ca49288cb5a35b789b797de75bbe1

      SHA1

      13d034db8af8bbf9b25d34a6b21c5555a1546438

      SHA256

      4996d443fc9d26e0e6ca3b759fe6da99f29b7308bdf6bd17cd9101447ce09927

      SHA512

      ebbf829ce8e0ed59d56924675702af04e56fff68da9f10d1fe5acaeb8039767ba39c7bf83b6346b82b874bb3418af69ef56373a16d276b1adaac8aebc44b70f7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\vxnul.fw
      Filesize

      5KB

      MD5

      a1b70397f5f23f822208118e5efd3d5c

      SHA1

      b03433b5d2c9f22d3b7f3c19153608401f5b73e9

      SHA256

      cdece9b32b8c0cd61fe6e4b369b04e54f6345e147764d28a3d36750d57862141

      SHA512

      bf8c48f18377d7a67dcd9f1833bba341b380dedbdc4058a60f13cd504e0a27cd14bd8fecbd3aa939173a959ecf6f1df3c5108a5265a680ed52d0b3fa3b83fd07

      Download Submit
    • \Users\Admin\AppData\Local\Temp\fyuuneheum.exe
      Filesize

      54KB

      MD5

      31e418e9a6165211889edbd232e8d698

      SHA1

      f5e146e02a645e22f673bcd72ae5e2588ab6f5ca

      SHA256

      674515d601d2b10d3716d09aa57d7d8615f31b2725275b1e176fc83523314a17

      SHA512

      9691de64034725aad439314e1ee2aeedf997b9c0ece9654c352e94d5610e081e682005c4046def8be6b63ab09f964be4f6482f6e8314480397ad0d3ab48e2472

      Download Submit
    • \Users\Admin\AppData\Local\Temp\fyuuneheum.exe
      Filesize

      54KB

      MD5

      31e418e9a6165211889edbd232e8d698

      SHA1

      f5e146e02a645e22f673bcd72ae5e2588ab6f5ca

      SHA256

      674515d601d2b10d3716d09aa57d7d8615f31b2725275b1e176fc83523314a17

      SHA512

      9691de64034725aad439314e1ee2aeedf997b9c0ece9654c352e94d5610e081e682005c4046def8be6b63ab09f964be4f6482f6e8314480397ad0d3ab48e2472

      Download Submit
    • \Users\Admin\AppData\Local\Temp\fyuuneheum.exe
      Filesize

      54KB

      MD5

      31e418e9a6165211889edbd232e8d698

      SHA1

      f5e146e02a645e22f673bcd72ae5e2588ab6f5ca

      SHA256

      674515d601d2b10d3716d09aa57d7d8615f31b2725275b1e176fc83523314a17

      SHA512

      9691de64034725aad439314e1ee2aeedf997b9c0ece9654c352e94d5610e081e682005c4046def8be6b63ab09f964be4f6482f6e8314480397ad0d3ab48e2472

      Download Submit
    • memory/600-81-0x0000000000500000-0x0000000000781000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/600-84-0x0000000000500000-0x0000000000781000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/600-90-0x0000000000A90000-0x0000000000B23000-memory.dmp
      Filesize

      588KB

      Download
    • memory/600-87-0x00000000000C0000-0x00000000000EF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/600-86-0x0000000002430000-0x0000000002733000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/600-85-0x00000000000C0000-0x00000000000EF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1216-76-0x0000000004AB0000-0x0000000004BFD000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1216-79-0x0000000004D00000-0x0000000004E69000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1216-72-0x00000000039A0000-0x0000000003AA0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1216-91-0x0000000004100000-0x00000000041EC000-memory.dmp
      Filesize

      944KB

      Download
    • memory/1216-92-0x0000000004100000-0x00000000041EC000-memory.dmp
      Filesize

      944KB

      Download
    • memory/1216-94-0x0000000004100000-0x00000000041EC000-memory.dmp
      Filesize

      944KB

      Download
    • memory/1324-80-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1324-68-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1324-78-0x0000000000390000-0x00000000003A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1324-75-0x0000000000290000-0x00000000002A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1324-74-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1324-73-0x0000000000900000-0x0000000000C03000-memory.dmp
      Filesize

      3.0MB

      Download