Analysis
-
max time kernel
147s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
23/10/2023, 11:33
Static task
static1
Behavioral task
behavioral1
Sample
Payment Copy (MT103 _03 _171023)_pdf.exe
Resource
win7-20231020-en
General
-
Target
Payment Copy (MT103 _03 _171023)_pdf.exe
-
Size
592KB
-
MD5
a57ad3a116cc0b544c63e7655047570f
-
SHA1
0729e7e1300ab2b0fa9cf60d32cd2a15276a1f87
-
SHA256
25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9
-
SHA512
16af9ccb2a0e59d5c16469b219a2ffba7b3963e83da889a9277b2803714dabe5367b820edf18d9908d2e4f1d28eadd69b0eda1a055e9cf5b10a11eea8d4cb15a
-
SSDEEP
12288:p//s02mvB+6ld9l/5ReV2fqy+/xCEL9HJfC/6afTTpcmUbgR/mZRM+:p//Z2mJ9p2hzhppqDrTpEgkZR5
Malware Config
Extracted
formbook
4.1
eg02
erc20.gold
elainevannmorgan.photography
melbet-el4.top
guvenilir.bet
sesamecsre.com
kevinjaydenwivano.tech
condohotelguru.com
shjcdz.com
innocarta.store
collinstradingpost.com
6om3j4.top
nagtco.xyz
fasist.fit
arkansaspremiertournaments.com
mrscsnowschool.com
ma-group.online
lillyjriley.icu
electric-cars-87253.bond
lila.tools
hollamia.com
snartonlinecheck.work
zaymnokni.online
rapidreviewmd.online
p8m.xyz
crowdhailer.online
needwaterpump.online
vi-apk.com
anenza.com
smarters-iptv.live
yachtfuellife.com
gbconsulting.online
limasise.com
bankir-ru.com
alexanderbonnet.com
bevontrade.com
inovarevending.com
aamrut.com
asalgacor.info
qqdwua.icu
ownableai.com
karoobaar.com
8lode88.vip
eblata.com
foxhouston26.com
www653f8918344e.com
pg290.fun
blacktowhitecuckold.com
lindsaybea.com
tripitour.com
senhormarceneiro.com
blacktowhitecuckold.com
zephyra.bet
seleneexport.com
nfertilityinwomen.com
godestas.com
pickuptruk.com
broadwayscg.com
jordanwatts.link
escuelawakana.com
compreiganhei.site
wolfandthecrow.com
nagoya-naisou-kaitai.com
wiseleadership.net
midowallwet.com
mygeneralmotorsretirement.com
Signatures
-
Formbook payload 5 IoCs
resource yara_rule behavioral1/memory/2320-13-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2320-16-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2320-22-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1048-29-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/1048-31-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Deletes itself 1 IoCs
pid Process 2604 cmd.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2344 set thread context of 2320 2344 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2320 set thread context of 1216 2320 Payment Copy (MT103 _03 _171023)_pdf.exe 12 PID 2320 set thread context of 1216 2320 Payment Copy (MT103 _03 _171023)_pdf.exe 12 PID 1048 set thread context of 1216 1048 netsh.exe 12 -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 2320 Payment Copy (MT103 _03 _171023)_pdf.exe 2320 Payment Copy (MT103 _03 _171023)_pdf.exe 2320 Payment Copy (MT103 _03 _171023)_pdf.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe 1048 netsh.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1216 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 2320 Payment Copy (MT103 _03 _171023)_pdf.exe 2320 Payment Copy (MT103 _03 _171023)_pdf.exe 2320 Payment Copy (MT103 _03 _171023)_pdf.exe 2320 Payment Copy (MT103 _03 _171023)_pdf.exe 1048 netsh.exe 1048 netsh.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2320 Payment Copy (MT103 _03 _171023)_pdf.exe Token: SeDebugPrivilege 1048 netsh.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2344 wrote to memory of 2320 2344 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2344 wrote to memory of 2320 2344 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2344 wrote to memory of 2320 2344 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2344 wrote to memory of 2320 2344 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2344 wrote to memory of 2320 2344 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2344 wrote to memory of 2320 2344 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2344 wrote to memory of 2320 2344 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 1216 wrote to memory of 1048 1216 Explorer.EXE 33 PID 1216 wrote to memory of 1048 1216 Explorer.EXE 33 PID 1216 wrote to memory of 1048 1216 Explorer.EXE 33 PID 1216 wrote to memory of 1048 1216 Explorer.EXE 33 PID 1216 wrote to memory of 2732 1216 Explorer.EXE 32 PID 1216 wrote to memory of 2732 1216 Explorer.EXE 32 PID 1216 wrote to memory of 2732 1216 Explorer.EXE 32 PID 1216 wrote to memory of 2732 1216 Explorer.EXE 32 PID 1048 wrote to memory of 2604 1048 netsh.exe 34 PID 1048 wrote to memory of 2604 1048 netsh.exe 34 PID 1048 wrote to memory of 2604 1048 netsh.exe 34 PID 1048 wrote to memory of 2604 1048 netsh.exe 34
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵PID:2908
-
-
C:\Windows\SysWOW64\wlanext.exe"C:\Windows\SysWOW64\wlanext.exe"2⤵PID:2732
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"3⤵
- Deletes itself
PID:2604
-
-