Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: flWhrV1J6MAi1kS.exe
- Resource: win7v20201028
General
- Target: flWhrV1J6MAi1kS.exe
- Size: 345KB
- MD5: 61a281d6005afdcb7b9f25b16e71bff3
- SHA1: a380e614531478c3adf122e78568308e8a46f5c5
- SHA256: 9148c87726f97b18e044b9059a608a3b809ae02a795d44c1609bff24232c45ac
- SHA512: bc174c366bfefc2acabdaa9b7548a726db82ff408cc145d85d5d7b0400e129d6688aa07928e0dd0a0bdcb9e0598ce86f48c77f7fc2607bdbe440014463eb0f9f
Malware Config
- Extracted family: formbook
Signatures
Formbook Payload 3 IoCs
resource | yara_rule
behavioral2/memory/3408-8-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
behavioral2/memory/3408-9-0x000000000041E320-mapping.dmp | formbook
behavioral2/memory/580-10-0x0000000000000000-mapping.dmp | formbook

resource | yara_rule
behavioral2/memory/4800-6-0x0000000005760000-0x0000000005794000-memory.dmp | rezer0

Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | systray.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CBMH5XPXTB = "C:\\Program Files (x86)\\Hanzxan\\jtd0ypspw.exe" | systray.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Suspicious use of SetThreadContext 3 IoCs
description | pid | process | target process
PID 4800 set thread context of 3408 | 4800 | flWhrV1J6MAi1kS.exe | flWhrV1J6MAi1kS.exe
PID 3408 set thread context of 3152 | 3408 | flWhrV1J6MAi1kS.exe | Explorer.EXE
PID 580 set thread context of 3152 | 580 | systray.exe | Explorer.EXE

Drops file in Program Files directory 1 IoCs
description | ioc | process
File opened for modification | C:\Program Files (x86)\Hanzxan\jtd0ypspw.exe | systray.exe

Modifies Internet Explorer settings
description | ioc | process
Key created | \Registry\User\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs
pid | process | occurrences
3408 | flWhrV1J6MAi1kS.exe | 4
580 | systray.exe | 40

Suspicious behavior: MapViewOfSection 7 IoCs
pid | process | occurrences
3408 | flWhrV1J6MAi1kS.exe | 3
580 | systray.exe | 4

Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | process
Token: SeDebugPrivilege | 3408 | flWhrV1J6MAi1kS.exe
Token: SeDebugPrivilege | 580 | systray.exe
Token: SeShutdownPrivilege | 3152 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3152 | Explorer.EXE
Token: SeShutdownPrivilege | 3152 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3152 | Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs
pid | process
3152 | Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | process | target process | occurrences
PID 4800 wrote to memory of 3408 | 4800 | flWhrV1J6MAi1kS.exe | flWhrV1J6MAi1kS.exe | 6
PID 3152 wrote to memory of 580 | 3152 | Explorer.EXE | systray.exe | 3
PID 580 wrote to memory of 844 | 580 | systray.exe | cmd.exe | 3
PID 580 wrote to memory of 1184 | 580 | systray.exe | Firefox.exe | 3
Processes
Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\flWhrV1J6MAi1kS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\flWhrV1J6MAi1kS.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\flWhrV1J6MAi1kS.exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\systray.exe
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\flWhrV1J6MAi1kS.exe"
    Level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\8Q760--R\8Q7logim.jpeg
  MD5: 5eb85fc03e1eba1fdc2262321ff2e43c
  SHA1: c6a84314c9ffbaed143f569c444b8a9b3c04f5a2
  SHA256: 496d47789638cb04422cc0ea52b6f5e6e3c76393031f9a6d5cb24241305acd27
  SHA512: 4fe0ce889914c81701b3e04e011c9e4763c08a392e08268472b9d889a09b90688fae5464b0f3c1e152c56715286fd86356275d40f37b22e6afbd05246c6dad3c
- C:\Users\Admin\AppData\Roaming\8Q760--R\8Q7logrf.ini
  MD5: 2f245469795b865bdd1b956c23d7893d
  SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
  SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
  SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
- C:\Users\Admin\AppData\Roaming\8Q760--R\8Q7logri.ini
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
- C:\Users\Admin\AppData\Roaming\8Q760--R\8Q7logrv.ini
  MD5: bbc41c78bae6c71e63cb544a6a284d94
  SHA1: 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
  SHA256: ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
  SHA512: 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
- memory/580-11-0x0000000000390000-0x0000000000396000-memory.dmp (Filesize: 24KB)
- memory/580-15-0x00000000061C0000-0x00000000062DD000-memory.dmp (Filesize: 1.1MB)
- memory/580-14-0x0000000005570000-0x00000000056D2000-memory.dmp (Filesize: 1.4MB)
- memory/580-12-0x0000000000390000-0x0000000000396000-memory.dmp (Filesize: 24KB)
- memory/580-10-0x0000000000000000-mapping.dmp
- memory/844-13-0x0000000000000000-mapping.dmp
- memory/1184-17-0x00007FF6642D0000-0x00007FF664363000-memory.dmp (Filesize: 588KB)
- memory/1184-16-0x0000000000000000-mapping.dmp
- memory/1184-18-0x00007FF6642D0000-0x00007FF664363000-memory.dmp (Filesize: 588KB)
- memory/1184-19-0x00007FF6642D0000-0x00007FF664363000-memory.dmp (Filesize: 588KB)
- memory/3408-9-0x000000000041E320-mapping.dmp
- memory/3408-8-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/4800-7-0x0000000005CB0000-0x0000000005CB1000-memory.dmp (Filesize: 4KB)
- memory/4800-6-0x0000000005760000-0x0000000005794000-memory.dmp (Filesize: 208KB)
- memory/4800-0-0x00000000739D0000-0x00000000740BE000-memory.dmp (Filesize: 6.9MB)
- memory/4800-5-0x00000000054E0000-0x00000000054E1000-memory.dmp (Filesize: 4KB)
- memory/4800-4-0x0000000001140000-0x000000000114F000-memory.dmp (Filesize: 60KB)
- memory/4800-3-0x0000000005110000-0x0000000005111000-memory.dmp (Filesize: 4KB)
- memory/4800-1-0x00000000008D0000-0x00000000008D1000-memory.dmp (Filesize: 4KB)