Analysis
-
max time kernel
149s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64
arch:x86
image:win7-20230220-en
locale:en-us
os:windows7-x64
system
-
submitted
29-03-2023 06:28
Static task
static1
Behavioral task
behavioral1
Sample
NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
Resource
win7-20230220-en
General
-
Target
NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
-
Size
561KB
-
MD5
abb44d8629dbbae4b307b638fa35c921
-
SHA1
91b9b648dfcc9261d3c0135eea5c4a9da4e87985
-
SHA256
55d12f1706d497912ee1c846004edea135577d7e2eb2246e9c439740be365643
-
SHA512
c6226f1c6634e11a48c79668df2229d43476d6dec9351da239bf9da58500751e584dccf3eea2aba77e881b2eb9c8b116843b0cee5a7d2af21db0561c4e1661a2
-
SSDEEP
12288:KTMY1ltUnHhjgUciLJDrLmuychLXK8WEu:KThtejgUci9DvgcM8Wh
Malware Config
Extracted
formbook
4.1
il23
woodlandwoodworking.net
kitchen-deals-69155.com
hiddendia.xyz
xelaxaste.uk
sproutstrive.com
avlulu124.xyz
g-starnetwork.com
a-avdeeva.com
filmart.top
bustime411.com
besyor.xyz
joulex.live
christmastempjobsfinder.life
cxrh-official.com
themuzzy.co.uk
joshisarena.africa
dental4family.com
dietsandsixpacks.co.uk
innovativedigest.com
flyingphoenix.club
millenniumtutors.africa
ctsiholdings.com
1wincasino-online.gives
ficc2china.com
fodtt.africa
kx1339.com
duron.bet
credit-cards-52245.com
bbqdoner.ru
discovrbookings.com
guangoffical.buzz
newmanarts.africa
glamdupspasalon.com
dindaa.online
6n981.com
dovelyshop.com
20gaokk.com
dldlu.xyz
foruna-coachy.net
drsnowden.net
1wzzrr.top
signbyjot.net
bestmein23.com
cd00hui.shop
pasaportenica.net
electrolyte-drinks.site
healthyremedies.africa
creativedesigncompany.online
fhglobal-zhs.com
glasswashbasin.com
browyum.com
bet33080.com
aliceblomst.com
americanpressreleas.com
die-mietbar.com
kiahinternational.com
veganlifetony.com
ityrou.com
bnpbchain.cyou
fastandtrader.com
nerroir.com
galeritoto.com
adaptivetrading.solutions
chumeihome.net
aljaydeguzman.com
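The extracted configuration above is the most directly actionable part of the report: a version, a path value ("il23") and a list of C2 domains. Formbook configurations of this kind mix the live C2 with decoy domains, and the bot contacts decoys as well as the real server, so a hit on any entry is evidence of infection, but the list should not be blocked wholesale without checking which entries are ordinary sites. The script below is an added example for this report, not part of the sandbox output: it takes a subset of the domains copied from the config, matches DNS and proxy log lines against them on a label boundary (so look-alike names do not fire), and reports whether an HTTP hit also uses "il23" as its first path segment. The log format, the field names and the use of "il23" as the request path are assumptions; the log lines are constructed.

```python
"""Match DNS and proxy log lines against the Formbook C2 list extracted above.

Added example for this report; it is not part of the sandbox output. The
domain subset is copied from the Malware Config section, the log lines are
constructed, and the log format is an assumption.
"""
import re
from typing import Dict, List, Optional

# Subset of the 64 extracted domains; paste the whole block for real hunting.
FORMBOOK_C2_DOMAINS = [
    "woodlandwoodworking.net", "kitchen-deals-69155.com", "hiddendia.xyz",
    "xelaxaste.uk", "sproutstrive.com", "avlulu124.xyz", "g-starnetwork.com",
    "joulex.live", "1wincasino-online.gives", "aljaydeguzman.com",
]
# "il23" from the config: Formbook uses this value as the path segment of its
# C2 requests (assumption here; confirm it against the sample's own traffic).
FORMBOOK_PATH = "il23"

# Constructed log lines, "<timestamp> <src> <kind> <value>"; kind is DNS
# (queried name) or HTTP (requested URL). Not real sandbox output.
SAMPLE_LOG = """\
2023-03-29T06:30:01Z 10.0.0.15 DNS www.woodlandwoodworking.net.
2023-03-29T06:30:02Z 10.0.0.15 DNS WOODLANDWOODWORKING.NET
2023-03-29T06:30:03Z 10.0.0.15 DNS notwoodlandwoodworking.net
2023-03-29T06:30:04Z 10.0.0.15 DNS www.sproutstrive.com.evil.example
2023-03-29T06:30:05Z 10.0.0.15 HTTP http://www.hiddendia.xyz/il23/?abc=1
2023-03-29T06:30:06Z 10.0.0.15 HTTP http://cdn.example.com/il23/?abc=1
2023-03-29T06:30:07Z 10.0.0.15 DNS update.microsoft.com
"""


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so FQDN spellings compare equal."""
    return name.strip().lower().rstrip(".")


def match_domain(name: str, c2_domains=FORMBOOK_C2_DOMAINS) -> Optional[str]:
    """Return the config domain that `name` equals or sits under, else None.

    The suffix test is done on a label boundary ("." + domain), so
    notwoodlandwoodworking.net does not hit woodlandwoodworking.net, and a
    config domain buried mid-name (www.sproutstrive.com.evil.example) does
    not hit either.
    """
    n = normalize(name)
    for d in c2_domains:
        d = normalize(d)
        if n == d or n.endswith("." + d):
            return d
    return None


_URL = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)(?::\d+)?(/[^?#]*)?", re.I)


def match_url(url: str, c2_domains=FORMBOOK_C2_DOMAINS,
              path=FORMBOOK_PATH) -> Optional[str]:
    """Hit when the URL host is a C2 domain; the first path segment is only
    reported as context, because a short path alone is not a usable IOC."""
    m = _URL.match(url.strip())
    if not m:
        return None
    host, p = m.group(1), m.group(2) or "/"
    hit = match_domain(host, c2_domains)
    if hit is None:
        return None
    first_segment = p.strip("/").split("/")[0]
    return f"{hit} (path={'match' if first_segment == path else 'other'})"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per matching line; unknown kinds are skipped."""
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, src, kind, value = parts
        if kind == "DNS":
            hit = match_domain(value)
        elif kind == "HTTP":
            hit = match_url(value)
        else:
            hit = None
        if hit:
            hits.append({"ts": ts, "src": src, "kind": kind,
                         "value": value, "ioc": hit})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} {h['kind']} {h['value']} -> {h['ioc']}")
```

On the constructed lines only three records fire: the two spellings of woodlandwoodworking.net and the hiddendia.xyz request, whose path also matches "il23". The look-alike name and the config domain embedded in the middle of a longer name are rejected by the label-boundary test, which is the check most ad hoc grep-based hunts get wrong.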
Signatures
-
Formbook payload 4 IoCs
resource | yara_rule
behavioral1/memory/1160-72-0x0000000000400000-0x0000000001462000-memory.dmp | formbook
behavioral1/memory/1160-80-0x0000000000400000-0x0000000001462000-memory.dmp | formbook
behavioral1/memory/1500-84-0x0000000000090000-0x00000000000BF000-memory.dmp | formbook
behavioral1/memory/1500-86-0x0000000000090000-0x00000000000BF000-memory.dmp | formbook
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe, NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
2004 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes: NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
pid | process
1052 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
pid | process
1160 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe, NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
pid | process
1052 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
1160 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe, NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe, rundll32.exe
description | pid | process | target process
PID 1052 set thread context of 1160 | 1052 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
PID 1160 set thread context of 1212 | 1160 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe | Explorer.EXE
PID 1500 set thread context of 1212 | 1500 | rundll32.exe | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes: NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
description | ioc | process
File opened for modification | C:\Windows\resources\0409\Minatories\Araknofili\Expenditrix\Revalorization62.ini | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but the extracted configuration identifies this payload as Formbook, an information stealer, so here the drive enumeration is better read as host profiling than as ransomware activity.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe, rundll32.exe
pid | process | rows
1160 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe | 2
1500 | rundll32.exe | 8
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe, NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe, rundll32.exe
pid | process | rows
1052 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe | 1
1160 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe | 3
1500 | rundll32.exe | 2
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe, Explorer.EXE, rundll32.exe
description | pid | process
Token: SeDebugPrivilege | 1160 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
Token: SeShutdownPrivilege | 1212 | Explorer.EXE
Token: SeDebugPrivilege | 1500 | rundll32.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid | process | rows
1212 | Explorer.EXE | 2
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
pid | process | rows
1212 | Explorer.EXE | 2
-
Suspicious use of UnmapMainImage 1 IoCs
Processes: Explorer.EXE
pid | process
1212 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes: NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe, Explorer.EXE, rundll32.exe
description | pid | process | target process | rows
PID 1052 wrote to memory of 1160 | 1052 | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe | NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe | 5
PID 1212 wrote to memory of 1500 | 1212 | Explorer.EXE | rundll32.exe | 7
PID 1500 wrote to memory of 2004 | 1500 | rundll32.exe | cmd.exe | 4
Processes
-
(Depth is the position in the process tree; PIDs are taken from the Signatures tables above.)
-
C:\Windows\Explorer.EXE (depth 1, PID 1212)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe (depth 2, PID 1052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Local\Temp\NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe (depth 3, PID 1160)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe"
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 1500)
  Command line: "C:\Windows\SysWOW64\rundll32.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2004)
    Command line: /c del "C:\Users\Admin\AppData\Local\Temp\NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe"
    - Deletes itself
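Read together, the SetThreadContext, WriteProcessMemory and process-tree rows describe one chain: the sample (PID 1052) writes into and sets the thread context of a second instance of itself (1160); that instance sets the thread context of the already-running Explorer.EXE (1212); Explorer then spawns and writes into rundll32.exe (1500), which sets Explorer's thread context again and finally launches cmd.exe (2004) to delete the original file. The script below is an added example for this report, not sandbox code: it copies those rows into structured form and derives the chain from them, labelling each SetThreadContext edge by whether the target is a child of the caller and whether the two share an image name. The labels are this script's own reading of the rows, not terms the sandbox uses.

```python
"""Reconstruct the injection chain from the SetThreadContext,
WriteProcessMemory and process-tree rows in this report.

Added example for this report, not sandbox code. The process list, parent
links and injection edges are copied from the Signatures and Processes
sections above; the labels the functions return are this script's own
reading of those rows.
"""
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = "NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe"

# pid -> image name, from the Processes section
PROCS: Dict[int, str] = {
    1212: "Explorer.EXE",
    1052: SAMPLE,
    1160: SAMPLE,
    1500: "rundll32.exe",
    2004: "cmd.exe",
}
# child -> parent, from the process-tree depths
PARENT: Dict[int, int] = {1052: 1212, 1160: 1052, 1500: 1212, 2004: 1500}
# "PID a set thread context of b" rows
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(1052, 1160), (1160, 1212), (1500, 1212)]
# "PID a wrote to memory of b" rows, repeated as often as the report lists them
WRITE_PROCESS_MEMORY: List[Tuple[int, int]] = (
    [(1052, 1160)] * 5 + [(1212, 1500)] * 7 + [(1500, 2004)] * 4
)


def classify_injections(procs: Dict[int, str], parent: Dict[int, int],
                        stc: List[Tuple[int, int]],
                        wpm: List[Tuple[int, int]]) -> List[dict]:
    """Label every SetThreadContext edge from parent/child and image facts.

    A context set on a child launched from the caller's own image, after
    memory writes into it, is the RunPE / hollowing pattern; a context set
    on a process the caller did not start is injection into a running host.
    """
    writes = Counter(wpm)
    out = []
    for src, dst in stc:
        is_child = parent.get(dst) == src
        if is_child and procs[src] == procs[dst]:
            label = "self-injection into a child of its own image (RunPE/hollowing pattern)"
        elif is_child:
            label = "injection into a freshly spawned child"
        else:
            label = "injection into an already-running process"
        out.append({"src": src, "dst": dst, "src_image": procs[src],
                    "dst_image": procs[dst],
                    "write_rows": writes[(src, dst)], "label": label})
    return out


def injected_hosts_that_spawn(procs: Dict[int, str], parent: Dict[int, int],
                              stc: List[Tuple[int, int]],
                              wpm: List[Tuple[int, int]]) -> List[dict]:
    """Hosts that were injection targets and then wrote into a child they
    started: the stage where the implant, living in Explorer, stages a
    helper process (rundll32.exe here)."""
    targets = {dst for _, dst in stc}
    found = []
    for (src, dst), n in Counter(wpm).items():
        if src in targets and parent.get(dst) == src:
            found.append({"host": src, "host_image": procs[src],
                          "child": dst, "child_image": procs[dst],
                          "write_rows": n})
    return found


if __name__ == "__main__":
    for e in classify_injections(PROCS, PARENT, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(f"{e['src']} ({e['src_image']}) -> {e['dst']} ({e['dst_image']}): "
              f"{e['write_rows']} write rows, {e['label']}")
    for h in injected_hosts_that_spawn(PROCS, PARENT, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(f"{h['host']} ({h['host_image']}) was injected into and then wrote "
              f"{h['write_rows']} times into its child {h['child']} ({h['child_image']})")
```

Cross-check the result against the Formbook payload rows: the formbook YARA rule matches the main image of PID 1160 and a 188KB region of PID 1500, the process the chain ends in, so memory/1500-84 (or the identical 1500-86 region) is the dump to carve for the unpacked payload rather than the 16.4MB image of the packed sample.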
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Music\krammets.lnk
Filesize
1KB
MD5
46deb8456dd0f1e1ea3a11fa60a54fa7
SHA1
56bbb6a41ab512379bd30ece0846a6f22f79c935
SHA256
b722fce651df53c145b9b39a9f391b8633c654ea2afd5ddf70211dc3e35d62c2
SHA512
5df6c6d3f798fc44dc746f9490c42b9a234096313c71c80e60fc6d2b1e525fcc982813c6135b0946f293ad04370be1aaf9da1cb9a00f2446647c899d6132535b
-
\Users\Admin\AppData\Local\Temp\nst1F36.tmp\System.dll
Filesize
12KB
MD5
a1da6788aeaf78ca4ae1dece8019e49d
SHA1
d770155e6e9aa69223be198c44a8da26a1756d89
SHA256
b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81
SHA512
eada9c1528563ddfe3d4d8ed5dbc52b85a9190765535b68da90e6d623288bf0090adac5118e1ed6e3cb3e0abb9af025d3a2a73121413a4471a90fd04bc861e18
-
memory/1160-77-0x0000000001470000-0x0000000004885000-memory.dmp
Filesize
52.1MB
-
memory/1160-72-0x0000000000400000-0x0000000001462000-memory.dmp
Filesize
16.4MB
-
memory/1160-73-0x0000000001470000-0x0000000004885000-memory.dmp
Filesize
52.1MB
-
memory/1160-74-0x0000000034A80000-0x0000000034D83000-memory.dmp
Filesize
3.0MB
-
memory/1160-75-0x00000000348D0000-0x00000000348E4000-memory.dmp
Filesize
80KB
-
memory/1160-69-0x0000000000400000-0x0000000001462000-memory.dmp
Filesize
16.4MB
-
memory/1160-70-0x0000000000400000-0x0000000001462000-memory.dmp
Filesize
16.4MB
-
memory/1160-80-0x0000000000400000-0x0000000001462000-memory.dmp
Filesize
16.4MB
-
memory/1212-88-0x00000000001F0000-0x00000000002F0000-memory.dmp
Filesize
1024KB
-
memory/1212-76-0x0000000003BF0000-0x0000000003CC0000-memory.dmp
Filesize
832KB
-
memory/1212-94-0x0000000004B70000-0x0000000004C07000-memory.dmp
Filesize
604KB
-
memory/1212-91-0x0000000004B70000-0x0000000004C07000-memory.dmp
Filesize
604KB
-
memory/1212-90-0x0000000004B70000-0x0000000004C07000-memory.dmp
Filesize
604KB
-
memory/1500-79-0x00000000005C0000-0x00000000005CE000-memory.dmp
Filesize
56KB
-
memory/1500-86-0x0000000000090000-0x00000000000BF000-memory.dmp
Filesize
188KB
-
memory/1500-89-0x0000000000990000-0x0000000000A23000-memory.dmp
Filesize
588KB
-
memory/1500-85-0x0000000002110000-0x0000000002413000-memory.dmp
Filesize
3.0MB
-
memory/1500-84-0x0000000000090000-0x00000000000BF000-memory.dmp
Filesize
188KB
-
memory/1500-83-0x00000000005C0000-0x00000000005CE000-memory.dmp
Filesize
56KB
-
memory/1500-78-0x00000000005C0000-0x00000000005CE000-memory.dmp
Filesize
56KB