Analysis
Max time kernel: 147s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240704-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
Submitted: 17-07-2024 07:38
Static task: static1
Behavioral task: behavioral1
Sample: PO-2024151-pdf.exe
Resource: win7-20240705-en
General
Target: PO-2024151-pdf.exe
Size: 519KB
MD5: a7350ccb586d53c4f28bdc8db696b6a9
SHA1: c8cd7d3c0aa6233109b92c3976bb8a9a680b7397
SHA256: a94ee8ea98674e1714740123c2564eeac148992b5a1596972ace096bc8d9aa4a
SHA512: b29d7c9a0a24bfd2ecbe21efe7a8594fdb5a757e666b43deae0d68130eb10143c55e6fe9306a55a44e7aa24c03b914a87e651aa65bdda309c358931cdf5fbe44
SSDEEP: 6144:OCent7w+F+HhCsLQcS7xI4KhwoGrC+skf8vKutKpfCLJHT6c:OCS9w+F+HgfHKhwoG2EEvK9ELJHT6c
Malware Config
Extracted family: formbook
Version: 4.1
Campaign ID: mu94
Extracted domains: 65 entries
Signatures

Formbook payload (3 IoCs)
Resource / YARA rule:
- behavioral2/memory/2400-14-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/2400-17-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/5012-24-0x0000000000DA0000-0x0000000000DCF000-memory.dmp: formbook

Blocklisted process makes network request (2 IoCs)
Flow / PID / process:
- flow 76, PID 5012, rundll32.exe
- flow 84, PID 5012, rundll32.exe

Suspicious use of SetThreadContext (3 IoCs)
Description / PID / process / target process:
- PID 1156 set thread context of 2400: PO-2024151-pdf.exe -> MSBuild.exe
- PID 2400 set thread context of 3496: MSBuild.exe -> Explorer.EXE
- PID 5012 set thread context of 3496: rundll32.exe -> Explorer.EXE

Modifies registry class (2 IoCs)
Description / IoC / process:
- Key created \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ by Explorer.EXE
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ by Explorer.EXE

Suspicious behavior: EnumeratesProcesses (60 IoCs)
PID / process:
- 2400 MSBuild.exe (4 entries)
- 5012 rundll32.exe (all remaining entries; 60 in total)

Suspicious behavior: MapViewOfSection (5 IoCs)
PID / process:
- 2400 MSBuild.exe (3 entries)
- 5012 rundll32.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Description / PID / process:
- Token: SeDebugPrivilege, 2400 MSBuild.exe
- Token: SeShutdownPrivilege, 3496 Explorer.EXE
- Token: SeCreatePagefilePrivilege, 3496 Explorer.EXE
- Token: SeDebugPrivilege, 5012 rundll32.exe
- Token: SeShutdownPrivilege, 3496 Explorer.EXE (4 further entries)
- Token: SeCreatePagefilePrivilege, 3496 Explorer.EXE (4 further entries)

Suspicious use of UnmapMainImage (1 IoC)
PID / process:
- 3496 Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
Description / PID / process / target process:
- PID 1156 wrote to memory of 2400: PO-2024151-pdf.exe -> MSBuild.exe (6 entries)
- PID 3496 wrote to memory of 5012: Explorer.EXE -> rundll32.exe (3 entries)
- PID 5012 wrote to memory of 1984: rundll32.exe -> cmd.exe (3 entries)
Processes

Depth 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
PID: 3496
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\PO-2024151-pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO-2024151-pdf.exe"
  PID: 1156
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 2400
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\SysWOW64\rundll32.exe"
  PID: 5012
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\cmd.exe
    Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 1984