Overview

overview

10

Static

static

3

Inquiry pdf.exe

windows7-x64

10

Inquiry pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-08-2024 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inquiry pdf.exe

  • Size

    517KB

  • MD5

    cb03eb5391971119bf6f81acbb84e1bc

  • SHA1

    b5f050d050f9af0b4d937514935854c4e52f3eb6

  • SHA256

    cddf575d340c695e513d03330965f716f8ddf17f5d2fb0929fbb78875653d8b7

  • SHA512

    d654710622e0781d4119f894a9ab6677a72b20ef2c4d3784aeaf4dcd34b47e2861008be15d3a8d474b8b6b82b395a337f14b05ec470433fd8d8d694315b6d8b1

  • SSDEEP

    6144:HBzy0/iei9k8mOalFu027X1mKjlpBFR+HPdroDJ8t3T7UmhCCT3dIPSH6MKghy03:PZi9704x/mHJoyx7Lhr/zDEuua+/o

Score
10/10
formbookbftdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bft

Decoy

edenicities.com

buntingfordhomeservices.com

nuanceproducoes.com

divasinspire.com

capiturn.com

zbjsn.com

thegioicaytrongnha.com

featherventure.com

onbrandtrading.com

sanguoban.com

doorman.pro

ourhomie.net

iwassickonholiday.com

mrcskin.com

reallycoolmask.com

tkrbeautyinstitut.com

keytomiami.com

sesliduybeni.com

asherwebber.com

starkweatherwindows.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\Inquiry pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Inquiry pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UpCsvUUWV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F80.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2984
      • C:\Users\Admin\AppData\Local\Temp\Inquiry pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Inquiry pdf.exe"
        3⤵
          PID:408
        • C:\Users\Admin\AppData\Local\Temp\Inquiry pdf.exe
          "C:\Users\Admin\AppData\Local\Temp\Inquiry pdf.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1076
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Inquiry pdf.exe"
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2312

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3F80.tmp
      Filesize

      1KB

      MD5

      375310f3ba7dd0ab500faaf3fa030965

      SHA1

      a64d83e537aef31cc7e03335cfc9a7cc75315834

      SHA256

      924461dcb87aae4ef0feef000f9cc1d7cc74d98bbf1b8a0cf3bab8f5a83e87fa

      SHA512

      6d52d45006ca340c4b36a91c30da190f5caa33ae99d7405d74eac25040eb6abf455a2dffcd17000b4f7d7d77cda347c208fab7a822339cd69522cee2365d42f0

      Download Submit

    • memory/1076-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1076-28-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1076-29-0x0000000000430000-0x0000000000444000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1076-21-0x0000000000880000-0x0000000000B83000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1076-23-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1076-24-0x00000000003A0000-0x00000000003B4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1076-14-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1076-12-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1076-19-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1192-30-0x0000000006400000-0x0000000006545000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1192-31-0x0000000006C50000-0x0000000006DDF000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1192-38-0x0000000003F70000-0x0000000004170000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1192-25-0x0000000004F10000-0x0000000005010000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1192-26-0x0000000006400000-0x0000000006545000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1192-36-0x0000000006C50000-0x0000000006DDF000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2604-2-0x0000000074C90000-0x000000007537E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2604-3-0x0000000000440000-0x000000000044A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2604-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2604-20-0x0000000074C90000-0x000000007537E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2604-4-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2604-1-0x0000000000010000-0x0000000000098000-memory.dmp

      Filesize

      544KB

      Download

    • memory/2604-5-0x0000000074C90000-0x000000007537E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2604-6-0x00000000048E0000-0x0000000004942000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2924-32-0x0000000000730000-0x0000000000744000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2924-33-0x0000000000730000-0x0000000000744000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2924-35-0x0000000000730000-0x0000000000744000-memory.dmp

      Filesize

      80KB

      Download