Analysis Overview
SHA256
25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9
Threat Level: Known bad
The file Payment Copy (MT103 _03 _171023)_pdf.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Deletes itself
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-10-23 11:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-23 11:33
Reported
2023-10-23 11:35
Platform
win7-20231020-en
Max time kernel
147s
Max time network
138s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2344 set thread context of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe |
| PID 2320 set thread context of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | C:\Windows\Explorer.EXE |
| PID 2320 set thread context of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | C:\Windows\Explorer.EXE |
| PID 1048 set thread context of 1216 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"
C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.needwaterpump.online | udp |
| US | 8.8.8.8:53 | www.eblata.com | udp |
| US | 3.33.130.190:80 | www.eblata.com | tcp |
| US | 8.8.8.8:53 | www.www653f8918344e.com | udp |
| US | 35.241.55.245:80 | www.www653f8918344e.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-23 11:33
Reported
2023-10-23 11:35
Platform
win10v2004-20231020-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3136 set thread context of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe |
| PID 4660 set thread context of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | C:\Windows\Explorer.EXE |
| PID 3296 set thread context of 3268 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"
C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.50.123.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 52.111.229.19:443 | N/A | tcp |
| US | 8.8.8.8:53 | www.shjcdz.com | udp |
| HK | 38.239.22.4:80 | www.shjcdz.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.22.239.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.godestas.com | udp |
| US | 3.33.130.190:80 | www.godestas.com | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.guvenilir.bet | udp |
| TR | 212.64.215.48:80 | www.guvenilir.bet | tcp |
| US | 8.8.8.8:53 | 48.215.64.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.collinstradingpost.com | udp |
| US | 44.230.85.241:80 | www.collinstradingpost.com | tcp |
| US | 8.8.8.8:53 | 241.85.230.44.in-addr.arpa | udp |
Files