
Analysis Report mmexport1602672825062.pdf.exe

Overview

General Information

Sample Name: mmexport1602672825062.pdf.exe
Analysis ID: 299678
MD5: d0687d4b59de014b53a9ddf103434230
SHA1: eafdae460f64f50a62a86acf8983fa8611fcf172
SHA256: bfbf73201037462acf28b231212bc311a923ca797168533c3b4d233686f335ef
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • mmexport1602672825062.pdf.exe (PID: 4868 cmdline: 'C:\Users\user\Desktop\mmexport1602672825062.pdf.exe' MD5: D0687D4B59DE014B53A9DDF103434230)
    • mmexport1602672825062.pdf.exe (PID: 5500 cmdline: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe MD5: D0687D4B59DE014B53A9DDF103434230)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 4832 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6328 cmdline: /c del 'C:\Users\user\Desktop\mmexport1602672825062.pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.489851625.00000000009F0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.489851625.00000000009F0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000004.00000002.489851625.00000000009F0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000000.00000002.226761033.0000000003A69000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.226761033.0000000003A69000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author
1.2.mmexport1602672825062.pdf.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.mmexport1602672825062.pdf.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
1.2.mmexport1602672825062.pdf.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
1.2.mmexport1602672825062.pdf.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.mmexport1602672825062.pdf.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, CommandLine: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, NewProcessName: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, OriginalFileName: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\mmexport1602672825062.pdf.exe', ParentImage: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, ParentProcessId: 4868, ProcessCommandLine: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, ProcessId: 5500

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: mmexport1602672825062.pdf.exe, Virustotal: Detection: 21%
Source: mmexport1602672825062.pdf.exe, ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match, File source: 00000004.00000002.489851625.00000000009F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.226761033.0000000003A69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.264393533.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.489191148.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.488231729.0000000000460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.264651310.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.264978518.0000000001670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.mmexport1602672825062.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.mmexport1602672825062.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: mmexport1602672825062.pdf.exe, Joe Sandbox ML: detected
Source: 1.2.mmexport1602672825062.pdf.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 4x nop then pop esi, 1_2_004172C2
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop esi, 4_2_004772C2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.3:49742
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49745
Source: global traffic, HTTP traffic detected: GET /r30/?Y4plHJY0=IJrk1Z9EI/l4p+ycxs8TJ7et7nQiXMAiOs2Pqveobqx+xcEAFHhwh7+F6GITDXg9bCQD&BR=VTjhCL_pLxyDhbY HTTP/1.1, Host: www.bestpopmart.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /r30/?BR=VTjhCL_pLxyDhbY&Y4plHJY0=cpysOL3gT6l2VFfYZ+vJ3H7CuhzxjRwiymz5eNTAXtZVRlZNgiFjCaSKWmaP0gvDagbx HTTP/1.1, Host: www.cnn-babcockranch.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /r30/?Y4plHJY0=E0hVFYuHPvvUJ4wbIC0akZtylQfsL9U9cuD0WuIDGgmerGjCSOBzxhin35KJP/r9eqLy&BR=VTjhCL_pLxyDhbY HTTP/1.1, Host: www.lodi-smart.city, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 23.227.38.64
Source: Joe Sandbox View, IP Address: 34.102.136.180
Source: Joe Sandbox View, ASN Name: OVHFR
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: unknown, DNS traffic detected: queries for: www.cboworkshop.com
Source: explorer.exe, 00000002.00000000.248108725.000000000F640000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: mmexport1602672825062.pdf.exe, 00000000.00000002.226471273.0000000002A61000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.245408799.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: ipconfig.exe, 00000004.00000002.492506872.000000000372F000.00000004.00000001.sdmp, String found in binary or memory: https://www.lodi-smart.city/r30/?Y4plHJY0=E0hVFYuHPvvUJ4wbIC0akZtylQfsL9U9cuD0WuIDGgmerGjCSOBzxhin35

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000004.00000002.489851625.00000000009F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.226761033.0000000003A69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.264393533.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.489191148.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.488231729.0000000000460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.264651310.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.264978518.0000000001670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.mmexport1602672825062.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.mmexport1602672825062.pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.489851625.00000000009F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.489851625.00000000009F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.226761033.0000000003A69000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.226761033.0000000003A69000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.264393533.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.264393533.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.489191148.00000000008D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.489191148.00000000008D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.488231729.0000000000460000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.488231729.0000000000460000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.264651310.0000000001260000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.264651310.0000000001260000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.264978518.0000000001670000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.264978518.0000000001670000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.mmexport1602672825062.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.mmexport1602672825062.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.mmexport1602672825062.pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.mmexport1602672825062.pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: mmexport1602672825062.pdf.exe
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_00419D50 NtCreateFile, 1_2_00419D50
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_00419E00 NtReadFile, 1_2_00419E00
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_00419E80 NtClose, 1_2_00419E80
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_00419F30 NtAllocateVirtualMemory, 1_2_00419F30
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_00419D4B NtCreateFile, 1_2_00419D4B
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_00419DFA NtReadFile, 1_2_00419DFA
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_00419E7C NtClose, 1_2_00419E7C
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719910 NtAdjustPrivilegesToken, LdrInitializeThunk, 1_2_01719910
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_017199A0 NtCreateSection, LdrInitializeThunk, 1_2_017199A0
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719860 NtQuerySystemInformation, LdrInitializeThunk, 1_2_01719860
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719840 NtDelayExecution, LdrInitializeThunk, 1_2_01719840
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_017198F0 NtReadVirtualMemory, LdrInitializeThunk, 1_2_017198F0
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719A50 NtCreateFile, LdrInitializeThunk, 1_2_01719A50
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719A20 NtResumeThread, LdrInitializeThunk, 1_2_01719A20
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719A00 NtProtectVirtualMemory, LdrInitializeThunk, 1_2_01719A00
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719540 NtReadFile, LdrInitializeThunk, 1_2_01719540
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_017195D0 NtClose, LdrInitializeThunk, 1_2_017195D0
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719710 NtQueryInformationToken, LdrInitializeThunk, 1_2_01719710
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_017197A0 NtUnmapViewOfSection, LdrInitializeThunk, 1_2_017197A0
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719780 NtMapViewOfSection, LdrInitializeThunk, 1_2_01719780
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719660 NtAllocateVirtualMemory, LdrInitializeThunk, 1_2_01719660
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_017196E0 NtFreeVirtualMemory, LdrInitializeThunk, 1_2_017196E0
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719950 NtQueueApcThread, 1_2_01719950
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_017199D0 NtCreateProcessEx, 1_2_017199D0
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_0171B040 NtSuspendThread, 1_2_0171B040
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719820 NtEnumerateKey, 1_2_01719820
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_017198A0 NtWriteVirtualMemory, 1_2_017198A0
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719B00 NtSetValueKey, 1_2_01719B00
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_0171A3B0 NtGetContextThread, 1_2_0171A3B0
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719A10 NtQuerySection, 1_2_01719A10
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719A80 NtOpenDirectoryObject, 1_2_01719A80
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719560 NtWriteFile, 1_2_01719560
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_0171AD30 NtSetContextThread, 1_2_0171AD30
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719520 NtWaitForSingleObject, 1_2_01719520
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_017195F0 NtQueryInformationFile, 1_2_017195F0
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_0171A770 NtOpenThread, 1_2_0171A770
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719770 NtSetInformationFile, 1_2_01719770
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719760 NtOpenProcess, 1_2_01719760
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719730 NtQueryVirtualMemory, 1_2_01719730
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_0171A710 NtOpenProcessToken, 1_2_0171A710
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719FE0 NtCreateMutant, 1_2_01719FE0
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719670 NtQueryInformationProcess, 1_2_01719670
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719650 NtQueryValueKey, 1_2_01719650
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_01719610 NtEnumerateValueKey, 1_2_01719610
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe, Code function: 1_2_017196D0 NtCreateKey, 1_2_017196D0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79A50 NtCreateFile, LdrInitializeThunk, 4_2_02D79A50
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79840 NtDelayExecution, LdrInitializeThunk, 4_2_02D79840
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79860 NtQuerySystemInformation, LdrInitializeThunk, 4_2_02D79860
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D799A0 NtCreateSection, LdrInitializeThunk, 4_2_02D799A0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79910 NtAdjustPrivilegesToken, LdrInitializeThunk, 4_2_02D79910
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D796D0 NtCreateKey, LdrInitializeThunk, 4_2_02D796D0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D796E0 NtFreeVirtualMemory, LdrInitializeThunk, 4_2_02D796E0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79FE0 NtCreateMutant, LdrInitializeThunk, 4_2_02D79FE0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79780 NtMapViewOfSection, LdrInitializeThunk, 4_2_02D79780
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79710 NtQueryInformationToken, LdrInitializeThunk, 4_2_02D79710
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D795D0 NtClose, LdrInitializeThunk, 4_2_02D795D0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79540 NtReadFile, LdrInitializeThunk, 4_2_02D79540
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79A80 NtOpenDirectoryObject, 4_2_02D79A80
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79A10 NtQuerySection, 4_2_02D79A10
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79A00 NtProtectVirtualMemory, 4_2_02D79A00
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79A20 NtResumeThread, 4_2_02D79A20
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D7A3B0 NtGetContextThread, 4_2_02D7A3B0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79B00 NtSetValueKey, 4_2_02D79B00
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D798F0 NtReadVirtualMemory, 4_2_02D798F0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D798A0 NtWriteVirtualMemory, 4_2_02D798A0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D7B040 NtSuspendThread, 4_2_02D7B040
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79820 NtEnumerateKey, 4_2_02D79820
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D799D0 NtCreateProcessEx, 4_2_02D799D0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79950 NtQueueApcThread, 4_2_02D79950
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79650 NtQueryValueKey, 4_2_02D79650
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79670 NtQueryInformationProcess, 4_2_02D79670
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79660 NtAllocateVirtualMemory, 4_2_02D79660
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79610 NtEnumerateValueKey, 4_2_02D79610
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D797A0 NtUnmapViewOfSection, 4_2_02D797A0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D7A770 NtOpenThread, 4_2_02D7A770
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79770 NtSetInformationFile, 4_2_02D79770
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79760 NtOpenProcess, 4_2_02D79760
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D7A710 NtOpenProcessToken, 4_2_02D7A710
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D79730 NtQueryVirtualMemory, 4_2_02D79730
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4_2_02D795F0 NtQueryInformationFile, 4_2_02D795F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02D79560 NtWriteFile,4_2_02D79560
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02D7AD30 NtSetContextThread,4_2_02D7AD30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02D79520 NtWaitForSingleObject,4_2_02D79520
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00479D50 NtCreateFile,4_2_00479D50
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00479E00 NtReadFile,4_2_00479E00
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00479E80 NtClose,4_2_00479E80
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00479D4B NtCreateFile,4_2_00479D4B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00479DFA NtReadFile,4_2_00479DFA
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00479E7C NtClose,4_2_00479E7C
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 0_2_01159F28 0_2_01159F28
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 0_2_01156858 0_2_01156858
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 0_2_01156847 0_2_01156847
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 0_2_0115CCD0 0_2_0115CCD0
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 0_2_01159B4C 0_2_01159B4C
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 0_2_0502A218 0_2_0502A218
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 0_2_0502DCA0 0_2_0502DCA0
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 0_2_05F1BDE0 0_2_05F1BDE0
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 0_2_05F15D00 0_2_05F15D00
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_00401030 1_2_00401030
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0041DAB4 1_2_0041DAB4
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0041BDDC 1_2_0041BDDC
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_00402D87 1_2_00402D87
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_00402D90 1_2_00402D90
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_00409E30 1_2_00409E30
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0041CF93 1_2_0041CF93
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_00402FB0 1_2_00402FB0
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_016F4120 1_2_016F4120
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_016DF900 1_2_016DF900
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017AE824 1_2_017AE824
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_01791002 1_2_01791002
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017A28EC 1_2_017A28EC
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017020A0 1_2_017020A0
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017A20A8 1_2_017A20A8
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_016EB090 1_2_016EB090
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017A2B28 1_2_017A2B28
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017903DA 1_2_017903DA
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0179DBD2 1_2_0179DBD2
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0170EBB0 1_2_0170EBB0
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017A22AE 1_2_017A22AE
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017A1D55 1_2_017A1D55
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_016D0D20 1_2_016D0D20
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017A2D07 1_2_017A2D07
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_016ED5E0 1_2_016ED5E0
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017A25DD 1_2_017A25DD
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_01702581 1_2_01702581
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0179D466 1_2_0179D466
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_016E841F 1_2_016E841F
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017A1FF1 1_2_017A1FF1
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017ADFCE 1_2_017ADFCE
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_016F6E30 1_2_016F6E30
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0179D616 1_2_0179D616
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_017A2EF7 1_2_017A2EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02DF4AEF 4_2_02DF4AEF
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E022AE 4_2_02E022AE
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02DEFA2B 4_2_02DEFA2B
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02DF03DA 4_2_02DF03DA
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02DFDBD2 4_2_02DFDBD2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D6ABD8 4_2_02D6ABD8
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02DE23E3 4_2_02DE23E3
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D6EBB0 4_2_02D6EBB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D5AB40 4_2_02D5AB40
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E02B28 4_2_02E02B28
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D5A309 4_2_02D5A309
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E028EC 4_2_02E028EC
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D4B090 4_2_02D4B090
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E020A8 4_2_02E020A8
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D620A0 4_2_02D620A0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E0E824 4_2_02E0E824
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02DF1002 4_2_02DF1002
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D5A830 4_2_02D5A830
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D599BF 4_2_02D599BF
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D3F900 4_2_02D3F900
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D54120 4_2_02D54120
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E02EF7 4_2_02E02EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02DFD616 4_2_02DFD616
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D56E30 4_2_02D56E30
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E01FF1 4_2_02E01FF1
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E0DFCE 4_2_02E0DFCE
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02DF4496 4_2_02DF4496
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02DFD466 4_2_02DFD466
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D4841F 4_2_02D4841F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D4D5E0 4_2_02D4D5E0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E025DD 4_2_02E025DD
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D62581 4_2_02D62581
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02DF2D82 4_2_02DF2D82
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E01D55 4_2_02E01D55
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02E02D07 4_2_02E02D07
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D30D20 4_2_02D30D20
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0047DAB4 4_2_0047DAB4
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0047BDDC 4_2_0047BDDC
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00462D87 4_2_00462D87
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00462D90 4_2_00462D90
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00469E30 4_2_00469E30
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0047CF93 4_2_0047CF93
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00462FB0 4_2_00462FB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 02D3B150 appears 133 times
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: String function: 016DB150 appears 45 times
          Source: mmexport1602672825062.pdf.exe Binary or memory string: OriginalFilename vs mmexport1602672825062.pdf.exe
          Source: mmexport1602672825062.pdf.exe, 00000000.00000002.230267837.0000000005C50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKedermister.dllT vs mmexport1602672825062.pdf.exe
          Source: mmexport1602672825062.pdf.exe, 00000000.00000002.226512385.0000000002AAB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameexag vs mmexport1602672825062.pdf.exe
          Source: mmexport1602672825062.pdf.exe, 00000000.00000002.225285535.00000000006C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenNtm.exe: vs mmexport1602672825062.pdf.exe
          Source: mmexport1602672825062.pdf.exe Binary or memory string: OriginalFilename vs mmexport1602672825062.pdf.exe
          Source: mmexport1602672825062.pdf.exe, 00000001.00000000.224407088.0000000000BF2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenNtm.exe: vs mmexport1602672825062.pdf.exe
          Source: mmexport1602672825062.pdf.exe, 00000001.00000002.265689276.00000000017CF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs mmexport1602672825062.pdf.exe
          Source: mmexport1602672825062.pdf.exe, 00000001.00000002.265069682.00000000016A7000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameipconfig.exej% vs mmexport1602672825062.pdf.exe
          Source: mmexport1602672825062.pdf.exe Binary or memory string: OriginalFilenamenNtm.exe: vs mmexport1602672825062.pdf.exe
          Source: 00000004.00000002.489851625.00000000009F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.489851625.00000000009F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.226761033.0000000003A69000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.226761033.0000000003A69000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.264393533.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.264393533.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.489191148.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.489191148.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.488231729.0000000000460000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.488231729.0000000000460000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.264651310.0000000001260000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.264651310.0000000001260000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.264978518.0000000001670000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.264978518.0000000001670000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.mmexport1602672825062.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.mmexport1602672825062.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.mmexport1602672825062.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.mmexport1602672825062.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: mmexport1602672825062.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@4/3
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mmexport1602672825062.pdf.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_01
          Source: mmexport1602672825062.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: mmexport1602672825062.pdf.exe Binary or memory string: select Insurance_Details_ID from insurance_details order by Insurance_Details_ID desc limit 1;
          Source: mmexport1602672825062.pdf.exe Virustotal: Detection: 21%
          Source: mmexport1602672825062.pdf.exe ReversingLabs: Detection: 18%
          Source: unknown Process created: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe 'C:\Users\user\Desktop\mmexport1602672825062.pdf.exe'
          Source: unknown Process created: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe C:\Users\user\Desktop\mmexport1602672825062.pdf.exe
          Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mmexport1602672825062.pdf.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Process created: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe C:\Users\user\Desktop\mmexport1602672825062.pdf.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mmexport1602672825062.pdf.exe'
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: mmexport1602672825062.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: mmexport1602672825062.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: mmexport1602672825062.pdf.exe, 00000001.00000002.265049352.00000000016A0000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: mmexport1602672825062.pdf.exe, 00000001.00000002.265049352.00000000016A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: mmexport1602672825062.pdf.exe, 00000001.00000002.265079519.00000000016B0000.00000040.00000001.sdmp, ipconfig.exe, 00000004.00000002.490507915.0000000002D10000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: mmexport1602672825062.pdf.exe, ipconfig.exe
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 0_2_0502B768 push 3800025Eh; iretd 0_2_0502B789
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_00416947 push ebx; iretd 1_2_00416952
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0041EAC3 push dword ptr [7594422Ch]; ret 1_2_0041EB3D
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_00417289 pushad ; iretd 1_2_0041728C
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0041E444 push edi; ret 1_2_0041E564
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0041E565 push edi; ret 1_2_0041E564
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_00416624 push ebp; ret 1_2_004166B7
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_004166ED push ebp; ret 1_2_004166B7
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0041CEF2 push eax; ret 1_2_0041CEF8
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0041CEFB push eax; ret 1_2_0041CF62
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0041CEA5 push eax; ret 1_2_0041CEF8
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0041CF5C push eax; ret 1_2_0041CF62
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Code function: 1_2_0172D0D1 push ecx; ret 1_2_0172D0E4
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02D8D0D1 push ecx; ret 4_2_02D8D0E4
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00476947 push ebx; iretd 4_2_00476952
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0047EAC3 push dword ptr [7594422Ch]; ret 4_2_0047EB3D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00477289 pushad ; iretd 4_2_0047728C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0047E444 push edi; ret 4_2_0047E564
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0047E565 push edi; ret 4_2_0047E564
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00476624 push ebp; ret 4_2_004766B7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_004766ED push ebp; ret 4_2_004766B7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0047CEF2 push eax; ret 4_2_0047CEF8
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0047CEFB push eax; ret 4_2_0047CF62
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0047CEA5 push eax; ret 4_2_0047CEF8
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0047CF5C push eax; ret 4_2_0047CF62
          Source: initial sample Static PE information: section name: .text entropy: 7.54118239702

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xE3
          Uses an obfuscated file name to hide its real file extension (double extension)
          Source: Possible double extension: pdf.exe Static PE information: mmexport1602672825062.pdf.exe
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match; File source: 00000000.00000002.226512385.0000000002AAB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.226471273.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: mmexport1602672825062.pdf.exe PID: 4868, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: mmexport1602672825062.pdf.exe, 00000000.00000002.226512385.0000000002AAB000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
          Source: mmexport1602672825062.pdf.exe, 00000000.00000002.226512385.0000000002AAB000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
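The two string hits above (SBIEDLL.DLL for Sandboxie, the kernel32 export wine_get_unix_file_name for Wine) and the VMware strings listed further down in this section are what a memory scan for analysis-environment artefacts turns up. The Python below is an added example, not Joe Sandbox code and not the sample's: it scans constructed memory fragments for those indicators in both narrow (ASCII) and wide (UTF-16LE) form, case-insensitively, and records which process the fragment came from. The indicator table, the sample bytes, and the attribution rule (string hits in processes under the Windows directory are environment artefacts) are assumptions for the example. The rule matters for reading this report: explorer.exe enumerates the host's devices and carries the OS's own Hyper-V resource strings, so VMware device IDs in its dump say the sandbox runs on VMware, not that the sample looked for them; the InstallPath and VMware Tools strings in the sample's own memory are the ones that show the sample carries the check. Code executing inside those system processes (as the ipconfig.exe RDTSC interceptor lines below show) is a separate question from the strings in their memory.

```python
import re

# Indicator strings the report flagged above, with what each check usually means.
# (Constructed table for this example; not Joe Sandbox's rule set.)
INDICATORS = {
    "SbieDll.dll": "Sandboxie DLL present in the process",
    "wine_get_unix_file_name": "Wine: kernel32 export looked up by name",
    r"SOFTWARE\VMware, Inc.\VMware Tools": "VMware Tools registry key",
    "VMware SVGA II": "VMware display adapter name",
    "Ven_VMware": "VMware vendor ID from device enumeration",
}

# Dumps of processes under these directories are treated as environment artefacts
# (assumed attribution rule for this example).
SYSTEM_DIRS = ("c:\\windows\\",)


def _patterns(needle: str):
    """Yield (encoding, regex) for the narrow (ASCII) and wide (UTF-16LE) forms.

    re.IGNORECASE on a bytes pattern folds ASCII letters only, so the NUL bytes of
    the UTF-16LE form still have to match exactly; one flag covers both encodings.
    """
    for enc, raw in (("ascii", needle.encode("ascii")),
                     ("utf-16le", needle.encode("utf-16-le"))):
        yield enc, re.compile(re.escape(raw), re.IGNORECASE)


def scan_dump(dump: bytes):
    """Return [(needle, encoding, offset, meaning)] for every hit, sorted by offset."""
    hits = []
    for needle, meaning in INDICATORS.items():
        for enc, pat in _patterns(needle):
            for m in pat.finditer(dump):
                hits.append((needle, enc, m.start(), meaning))
    return sorted(hits, key=lambda h: h[2])


def triage(dumps):
    """dumps: {process_path: memory bytes} -> {process_path: {"origin", "hits"}}.

    A hit in the sample's own process is evidence that the sample carries the
    check; the same string in explorer.exe usually just reflects the host the
    sandbox runs on (device IDs, OS resource strings).
    """
    result = {}
    for path, dump in dumps.items():
        origin = "environment" if path.lower().startswith(SYSTEM_DIRS) else "sample"
        result[path] = {"origin": origin, "hits": scan_dump(dump)}
    return result


# Constructed memory fragments shaped like the strings in the report (not real dumps).
SAMPLE_DUMPS = {
    r"C:\Users\user\Desktop\mmexport1602672825062.pdf.exe":
        b"\x00" * 8
        + b"KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME"      # narrow, upper-cased
        + b"\x00" * 4
        + "SbieDll.dll".encode("utf-16-le")             # wide, as a .NET string
        + b"\x00" * 4
        + b"VMware SVGA II|update users set password = @password where user_id = @user_id",
    r"C:\Windows\explorer.exe":
        b"SCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&1ec51bf7&0&000000" + b"\x00" * 4,
}

if __name__ == "__main__":
    for path, info in triage(SAMPLE_DUMPS).items():
        print(f"{path} [{info['origin']}]")
        for needle, enc, off, meaning in info["hits"]:
            print(f"  +{off:#06x} {enc:8} {needle!r}: {meaning}")
```

The wide-string pass is the part worth keeping: a .NET sample stores its string constants as UTF-16LE, and a scan that only looks for the narrow form misses them entirely.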
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe; RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe; RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe; RDTSC instruction interceptor: First address: 00000000004698E4 second address: 00000000004698EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe; RDTSC instruction interceptor: First address: 0000000000469B4E second address: 0000000000469B54 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe; Code function: 1_2_00409A80 rdtsc 1_2_00409A80
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe TID: 6004; Thread sleep time: -53147s >= -30000s
          Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe TID: 5660; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6976; Thread sleep count: 38 > 30
          Source: C:\Windows\explorer.exe TID: 6976; Thread sleep time: -76000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4724; Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\explorer.exe; Last function: Thread delayed (reported 2 times)
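The lines above carry the sandbox's own decision rules in their comparisons: a single sleep of 30000 or more, more than 30 sleep calls from one thread, and two rdtsc reads a few bytes apart (the intercepted sequence keeps the low 32 bits of the first read in ecx and immediately reads the counter again, so the caller can compare the two). The Python below is an added example, not the sandbox's code: it re-applies those rules to report-style lines, so the same findings can be pulled out of an exported report, and also decodes the Process information set lines earlier on the page into the SetErrorMode mask they imply. The line format, the 0x20-byte pairing distance for rdtsc reads, and the sample lines (including one constructed sleep below the threshold) are assumptions; the SEM_* values are the Windows SDK constants. The explorer.exe and ipconfig.exe entries are grouped under those processes because that is where the report saw the behaviour, so they should not be discounted as system noise the way string hits in their memory can be.

```python
import re
from collections import defaultdict

# Thresholds as printed in the report's own comparisons ("-53147s >= -30000s", "38 > 30").
SLEEP_TIME_THRESHOLD = 30000
SLEEP_COUNT_THRESHOLD = 30
# Two rdtsc reads at most this many bytes apart count as one timing probe (assumed).
RDTSC_PAIR_MAX_DISTANCE = 0x20

# SetErrorMode() flags, values from the Windows SDK (winbase.h).
SEM_FLAGS = {
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,
}
DIALOG_SUPPRESSION = SEM_FLAGS["NOGPFAULTERRORBOX"] | SEM_FLAGS["NOOPENFILEERRORBOX"]

_SRC = re.compile(r"Source:\s*(?P<src>.+?\.exe)")
_SLEEP = re.compile(r"Thread sleep (?P<kind>time|count):\s*-?(?P<val>\d+)")
_RDTSC = re.compile(r"First address:\s*(?P<a>[0-9A-Fa-f]+)\s+second address:\s*(?P<b>[0-9A-Fa-f]+)")
_SEM = re.compile(r"Process information set:\s*(?P<flags>[A-Z_| ]+)")


def _sem_mask(flag_text: str) -> int:
    """Rebuild the SetErrorMode mask implied by the flag names the report lists."""
    mask = 0
    for token in flag_text.split("|"):
        token = token.strip()
        # Extraction may glue trailing link text onto the last flag, so match by prefix.
        name = next((k for k in SEM_FLAGS if token.startswith(k)), None)
        if name:
            mask |= SEM_FLAGS[name]
    return mask


def classify(report_text: str):
    """Map each source process to the evasion findings its report lines support."""
    findings = defaultdict(list)
    for line in report_text.splitlines():
        src_m = _SRC.search(line)
        if not src_m:
            continue
        src = src_m.group("src")
        if m := _SLEEP.search(line):
            val = int(m.group("val"))
            if m.group("kind") == "time" and val >= SLEEP_TIME_THRESHOLD:
                findings[src].append(f"long sleep: {val}")
            elif m.group("kind") == "count" and val > SLEEP_COUNT_THRESHOLD:
                findings[src].append(f"sleep loop: {val} calls")
        elif m := _RDTSC.search(line):
            first, second = int(m.group("a"), 16), int(m.group("b"), 16)
            if 0 < second - first <= RDTSC_PAIR_MAX_DISTANCE:
                findings[src].append(f"rdtsc timing probe at {first:#x} (+{second - first} bytes)")
        elif m := _SEM.search(line):
            mask = _sem_mask(m.group("flags"))
            if mask & DIALOG_SUPPRESSION:
                findings[src].append(f"error dialogs suppressed: SetErrorMode({mask:#06x})")
    return dict(findings)


# Constructed lines in the shape of the report (the last one is a below-threshold
# negative case that a real report would not print).
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe; RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe; RDTSC instruction interceptor: First address: 00000000004698E4 second address: 00000000004698EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe TID: 6004; Thread sleep time: -53147s >= -30000s
Source: C:\Users\user\Desktop\mmexport1602672825062.pdf.exe TID: 5660; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6976; Thread sleep count: 38 > 30
Source: C:\Windows\explorer.exe TID: 6976; Thread sleep time: -76000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4724; Thread sleep time: -70000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4724; Thread sleep time: -250s
"""

if __name__ == "__main__":
    for src, items in classify(SAMPLE_REPORT).items():
        print(src)
        for item in items:
            print("  -", item)
```

Grouping by source process is deliberate: the same rdtsc probe appears at 0x4098E4 in the sample and at 0x4698E4 in ipconfig.exe, the same code at a different image base, which is how the injected copy shows itself in the report.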
          Source: explorer.exe, 00000002.00000000.244492260.000000000871F000.00000004.00000001.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000000.244492260.000000000871F000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000002.00000000.245063237.00000000088C3000.00000004.00000001.sdmp; Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: mmexport1602672825062.pdf.exe, 00000000.00000002.226512385.0000000002AAB000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000002.00000000.244064049.0000000008220000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.244327668.0000000008640000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: mmexport1602672825062.pdf.exe, 00000000.00000002.226512385.0000000002AAB000.00000004.00000001.sdmp; Binary or memory string: vmware
          Source: mmexport1602672825062.pdf.exe, 00000000.00000002.226512385.0000000002AAB000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
          Source: explorer.exe, 00000002.00000000.238935691.00000000055D0000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000002.00000000.244492260.000000000871F000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000002.00000000.244492260.000000000871F000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000002.00000000.244554546.00000000087D1000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000002.00000000.238985581.0000000005603000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000002.00000000.244064049.0000000008220000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.244064049.0000000008220000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: mmexport1602672825062.pdf.exe, 00000000.00000002.226512385.0000000002AAB000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000002.00000000.244064049.0000000008220000.00000002.00