Overview

overview

10

Static

static

1

Perfil de ...df.exe

windows7-x64

10

Perfil de ...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2023 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Perfil de empresa y solicitud de pedido-pdf.exe

  • Size

    817KB

  • MD5

    934b4aa04d107f3f1e4df18c1f4602c0

  • SHA1

    78fd7a3ff4d72fc10dc2580ed51107d378a3917b

  • SHA256

    be2d13c0a69ec836fb9e404b03dbfa04d7adb067ff00bda1375182dcc6bffa6f

  • SHA512

    3071bea94409178dfc0a4d2107f435403bd1842ad6d899e933fbd8642aaa6f65d03fd6d4c0b0263b8c95ab4a42c594e9e5c4e1f72c26855529dd89feb4ebdc04

  • SSDEEP

    24576:NuxnYfyuqYOEzbPDzse2IWZDNjpg2IRezTZ:Qh+yuOI0z9lNjp8RkZ

Score
10/10
formbookguloaderil23discoverydownloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il23

Decoy

woodlandwoodworking.net

kitchen-deals-69155.com

hiddendia.xyz

xelaxaste.uk

sproutstrive.com

avlulu124.xyz

g-starnetwork.com

a-avdeeva.com

filmart.top

bustime411.com

besyor.xyz

joulex.live

christmastempjobsfinder.life

cxrh-official.com

themuzzy.co.uk

joshisarena.africa

dental4family.com

dietsandsixpacks.co.uk

innovativedigest.com

flyingphoenix.club

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 4 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4356
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Perfil de empresa y solicitud de pedido-pdf.exe"
        3⤵
          PID:2632

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsiE9C9.tmp\System.dll
      Filesize

      11KB

      MD5

      75ed96254fbf894e42058062b4b4f0d1

      SHA1

      996503f1383b49021eb3427bc28d13b5bbd11977

      SHA256

      a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

      SHA512

      58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

      Download Submit
    • memory/3132-152-0x0000000008650000-0x000000000873D000-memory.dmp
      Filesize

      948KB

      Download
    • memory/3848-142-0x00000000041A0000-0x000000000636D000-memory.dmp
      Filesize

      33.8MB

      Download
    • memory/3848-143-0x00000000041A0000-0x000000000636D000-memory.dmp
      Filesize

      33.8MB

      Download
    • memory/3968-160-0x00000000012A0000-0x00000000012CF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3968-159-0x0000000001D00000-0x000000000204A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3968-157-0x00000000012A0000-0x00000000012CF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3968-156-0x0000000000290000-0x000000000029E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3968-153-0x0000000000290000-0x000000000029E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4356-145-0x0000000001660000-0x000000000382D000-memory.dmp
      Filesize

      33.8MB

      Download
    • memory/4356-151-0x0000000033A70000-0x0000000033A84000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4356-150-0x0000000001660000-0x000000000382D000-memory.dmp
      Filesize

      33.8MB

      Download
    • memory/4356-149-0x0000000033C70000-0x0000000033FBA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4356-147-0x0000000001660000-0x000000000382D000-memory.dmp
      Filesize

      33.8MB

      Download
    • memory/4356-155-0x0000000001660000-0x000000000382D000-memory.dmp
      Filesize

      33.8MB

      Download
    • memory/4356-158-0x0000000000400000-0x0000000001654000-memory.dmp
      Filesize

      18.3MB

      Download
    • memory/4356-146-0x0000000000400000-0x0000000001654000-memory.dmp
      Filesize

      18.3MB

      Download
    • memory/4356-144-0x0000000000400000-0x0000000001654000-memory.dmp
      Filesize

      18.3MB

      Download