Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
23/10/2023, 12:22
Static task
static1
Behavioral task
behavioral1
Sample
Payment Copy (MT103 _03 _171023)_pdf.exe
Resource
win7-20231020-en
General
-
Target
Payment Copy (MT103 _03 _171023)_pdf.exe
-
Size
592KB
-
MD5
a57ad3a116cc0b544c63e7655047570f
-
SHA1
0729e7e1300ab2b0fa9cf60d32cd2a15276a1f87
-
SHA256
25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9
-
SHA512
16af9ccb2a0e59d5c16469b219a2ffba7b3963e83da889a9277b2803714dabe5367b820edf18d9908d2e4f1d28eadd69b0eda1a055e9cf5b10a11eea8d4cb15a
-
SSDEEP
12288:p//s02mvB+6ld9l/5ReV2fqy+/xCEL9HJfC/6afTTpcmUbgR/mZRM+:p//Z2mJ9p2hzhppqDrTpEgkZR5
Malware Config
Extracted
formbook
4.1
eg02
erc20.gold
elainevannmorgan.photography
melbet-el4.top
guvenilir.bet
sesamecsre.com
kevinjaydenwivano.tech
condohotelguru.com
shjcdz.com
innocarta.store
collinstradingpost.com
6om3j4.top
nagtco.xyz
fasist.fit
arkansaspremiertournaments.com
mrscsnowschool.com
ma-group.online
lillyjriley.icu
electric-cars-87253.bond
lila.tools
hollamia.com
snartonlinecheck.work
zaymnokni.online
rapidreviewmd.online
p8m.xyz
crowdhailer.online
needwaterpump.online
vi-apk.com
anenza.com
smarters-iptv.live
yachtfuellife.com
gbconsulting.online
limasise.com
bankir-ru.com
alexanderbonnet.com
bevontrade.com
inovarevending.com
aamrut.com
asalgacor.info
qqdwua.icu
ownableai.com
karoobaar.com
8lode88.vip
eblata.com
foxhouston26.com
www653f8918344e.com
pg290.fun
blacktowhitecuckold.com
lindsaybea.com
tripitour.com
senhormarceneiro.com
blacktowhitecuckold.com
zephyra.bet
seleneexport.com
nfertilityinwomen.com
godestas.com
pickuptruk.com
broadwayscg.com
jordanwatts.link
escuelawakana.com
compreiganhei.site
wolfandthecrow.com
nagoya-naisou-kaitai.com
wiseleadership.net
midowallwet.com
mygeneralmotorsretirement.com
Signatures
-
Formbook payload 4 IoCs
resource yara_rule behavioral1/memory/2760-15-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2760-19-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2600-25-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/2600-27-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Deletes itself 1 IoCs
pid Process 2720 cmd.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2176 set thread context of 2760 2176 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2760 set thread context of 1264 2760 Payment Copy (MT103 _03 _171023)_pdf.exe 17 PID 2600 set thread context of 1264 2600 chkdsk.exe 17 -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid Process 2760 Payment Copy (MT103 _03 _171023)_pdf.exe 2760 Payment Copy (MT103 _03 _171023)_pdf.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe 2600 chkdsk.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1264 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 2760 Payment Copy (MT103 _03 _171023)_pdf.exe 2760 Payment Copy (MT103 _03 _171023)_pdf.exe 2760 Payment Copy (MT103 _03 _171023)_pdf.exe 2600 chkdsk.exe 2600 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2760 Payment Copy (MT103 _03 _171023)_pdf.exe Token: SeDebugPrivilege 2600 chkdsk.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2176 wrote to memory of 2760 2176 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2176 wrote to memory of 2760 2176 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2176 wrote to memory of 2760 2176 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2176 wrote to memory of 2760 2176 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2176 wrote to memory of 2760 2176 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2176 wrote to memory of 2760 2176 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 2176 wrote to memory of 2760 2176 Payment Copy (MT103 _03 _171023)_pdf.exe 30 PID 1264 wrote to memory of 2600 1264 Explorer.EXE 31 PID 1264 wrote to memory of 2600 1264 Explorer.EXE 31 PID 1264 wrote to memory of 2600 1264 Explorer.EXE 31 PID 1264 wrote to memory of 2600 1264 Explorer.EXE 31 PID 2600 wrote to memory of 2720 2600 chkdsk.exe 32 PID 2600 wrote to memory of 2720 2600 chkdsk.exe 32 PID 2600 wrote to memory of 2720 2600 chkdsk.exe 32 PID 2600 wrote to memory of 2720 2600 chkdsk.exe 32
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Payment Copy (MT103 _03 _171023)_pdf.exe"3⤵
- Deletes itself
PID:2720
-
-