Analysis
- max time kernel: 151s
- max time network: 181s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 12/10/2023, 07:56
Static task: static1
Behavioral task: behavioral1
- Sample: Delivery Advice_pdf.exe
- Resource: win7-20230831-en
General
- Target: Delivery Advice_pdf.exe
- Size: 599KB
- MD5: 6074ee36c8396cb9eb740fd7b17717b4
- SHA1: 54863bae13ae43c648e591bffd462fd21a8ae997
- SHA256: 63f0ca19b1c85d5ff157194089a45b59a76f7405e89eba21741afa81c00575b7
- SHA512: 4108db1c0725f808955705d8cb2edef004556c6cd4024eeb632ece4c05e60203b211f56da0276b161dc0ddd4f079c2f91b16c3abdcfad78f1aafdbf654716737
- SSDEEP: 12288:6dJP+NXCvoqzLEJkb/jcak1Jp18n/MZyxQQvUipjeX+jvv7:6dJPuCvoqLckzjcak778n/MZyGQsmeXq
Malware Config (Extracted)
- Family: formbook
- Version: 4.1
- Campaign: ls02
Signatures

Formbook payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1240-12-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/1240-16-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/1240-20-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2524-27-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
  behavioral1/memory/2524-30-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook

Deletes itself (1 IoC)
  pid   Process
  3020  cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                  procid_target
  PID 2772 set thread context of 1240  2772  Delivery Advice_pdf.exe  30
  PID 1240 set thread context of 1308  1240  Delivery Advice_pdf.exe  15
  PID 1240 set thread context of 1308  1240  Delivery Advice_pdf.exe  15
  PID 2524 set thread context of 1308  2524  svchost.exe              15

Suspicious behavior: EnumeratesProcesses (11 IoCs, identical rows collapsed with a count)
  pid   Process                  entries
  1240  Delivery Advice_pdf.exe  3
  2524  svchost.exe              8

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1308  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs, identical rows collapsed with a count)
  pid   Process                  entries
  1240  Delivery Advice_pdf.exe  4
  2524  svchost.exe              2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1240  Delivery Advice_pdf.exe
  Token: SeDebugPrivilege  2524  svchost.exe

Suspicious use of WriteProcessMemory (23 IoCs, identical rows collapsed with a count)
  description                       pid   Process                  procid_target  entries
  PID 2772 wrote to memory of 1240  2772  Delivery Advice_pdf.exe  30             7
  PID 1240 wrote to memory of 2524  1240  Delivery Advice_pdf.exe  33             4
  PID 1308 wrote to memory of 2516  1308  Explorer.EXE             32             4
  PID 1308 wrote to memory of 2560  1308  Explorer.EXE             31             4
  PID 2524 wrote to memory of 3020  2524  svchost.exe              34             4
Processes (indentation shows parent/child nesting)

C:\Windows\Explorer.EXE (PID 1308)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Delivery Advice_pdf.exe (PID 2772)
    command line: "C:\Users\Admin\AppData\Local\Temp\Delivery Advice_pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Delivery Advice_pdf.exe (PID 1240)
      command line: "C:\Users\Admin\AppData\Local\Temp\Delivery Advice_pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\svchost.exe (PID 2524)
        command line: "C:\Windows\SysWOW64\svchost.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 3020)
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\Delivery Advice_pdf.exe"
          - Deletes itself

  C:\Windows\SysWOW64\wscript.exe (PID 2560)
    command line: "C:\Windows\SysWOW64\wscript.exe"

  C:\Windows\SysWOW64\wininit.exe (PID 2516)
    command line: "C:\Windows\SysWOW64\wininit.exe"