Overview

overview

10

Static

static

1

Perfil de ...df.exe

windows7-x64

10

Perfil de ...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2023 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Perfil de empresa y solicitud de pedido-pdf.exe

  • Size

    817KB

  • MD5

    934b4aa04d107f3f1e4df18c1f4602c0

  • SHA1

    78fd7a3ff4d72fc10dc2580ed51107d378a3917b

  • SHA256

    be2d13c0a69ec836fb9e404b03dbfa04d7adb067ff00bda1375182dcc6bffa6f

  • SHA512

    3071bea94409178dfc0a4d2107f435403bd1842ad6d899e933fbd8642aaa6f65d03fd6d4c0b0263b8c95ab4a42c594e9e5c4e1f72c26855529dd89feb4ebdc04

  • SSDEEP

    24576:NuxnYfyuqYOEzbPDzse2IWZDNjpg2IRezTZ:Qh+yuOI0z9lNjp8RkZ

Score
10/10
formbookguloaderil23discoverydownloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il23

Decoy

woodlandwoodworking.net

kitchen-deals-69155.com

hiddendia.xyz

xelaxaste.uk

sproutstrive.com

avlulu124.xyz

g-starnetwork.com

a-avdeeva.com

filmart.top

bustime411.com

besyor.xyz

joulex.live

christmastempjobsfinder.life

cxrh-official.com

themuzzy.co.uk

joshisarena.africa

dental4family.com

dietsandsixpacks.co.uk

innovativedigest.com

flyingphoenix.club

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 4 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:668
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe"
        3⤵
        • Deletes itself
        PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nst2B66.tmp\System.dll
    Filesize

    11KB

    MD5

    75ed96254fbf894e42058062b4b4f0d1

    SHA1

    996503f1383b49021eb3427bc28d13b5bbd11977

    SHA256

    a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    SHA512

    58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

    Download Submit
  • memory/668-75-0x0000000001470000-0x000000000363D000-memory.dmp
    Filesize

    33.8MB

    Download
  • memory/668-78-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/668-76-0x0000000001470000-0x000000000363D000-memory.dmp
    Filesize

    33.8MB

    Download
  • memory/668-66-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/668-67-0x0000000001470000-0x000000000363D000-memory.dmp
    Filesize

    33.8MB

    Download
  • memory/668-68-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/668-70-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/668-71-0x0000000001470000-0x000000000363D000-memory.dmp
    Filesize

    33.8MB

    Download
  • memory/668-72-0x0000000033870000-0x0000000033B73000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/668-73-0x0000000033770000-0x0000000033784000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1252-74-0x0000000006AE0000-0x0000000006C83000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1252-86-0x0000000007210000-0x0000000007375000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1252-87-0x0000000007210000-0x0000000007375000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1252-90-0x0000000007210000-0x0000000007375000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1360-77-0x0000000000510000-0x000000000052C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1360-80-0x0000000000510000-0x000000000052C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1360-81-0x0000000000080000-0x00000000000AF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1360-82-0x00000000020A0000-0x00000000023A3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1360-83-0x0000000000080000-0x00000000000AF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1360-85-0x0000000000530000-0x00000000005C3000-memory.dmp
    Filesize

    588KB

    Download
  • memory/2000-65-0x0000000003060000-0x000000000522D000-memory.dmp
    Filesize

    33.8MB

    Download
  • memory/2000-64-0x0000000003060000-0x000000000522D000-memory.dmp
    Filesize

    33.8MB

    Download