Analysis
- max time kernel: 146s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 25-11-2020 14:08

Static task: static1
Behavioral task: behavioral1
- Sample: new po775.exe
- Resource: win7v20201028
General
- Target: new po775.exe
- Size: 742KB
- MD5: e5c21682444f59793a1c2704d90ead6d
- SHA1: 76b0a20b9b86057e42df99e5f5f30be57a06f320
- SHA256: a88db831c2dbd27895d7d042a3e4e604bd82caad37d51fccc76dfb81d884ffba
- SHA512: a58dba7b794bcd2fb8d966af8a9c1a5e3c08a17e69351c28819b4b5a22419e315433d6169d73e96d891cc1c6c3a365d341c6d06faf6209fcd2e167a4b77b1e05
Malware Config
Extracted family: formbook
URL and domain list:
http://www.firedoom.com/sbmh/
edlasyarns.com
rettexo.com
friendlyksa.com
westhighlandwaytours.com
goudmarket.com
turkime.com
wellnysdirect.com
handydanny.net
ylccmakq.com
benefits-sherpa.com
sousolutions.net
lspcall.com
makgxoimisitzer.info
katrinarask.com
istanbulconsulter.net
mingjiaxuan.com
faculdadegraca.com
kikegbwebdesign.com
69ase.com
downrangedynamics.com
upllsj.com
punebites.com
cheekymonkeytech.com
hoy.viajes
ablehead.net
wordsubscribeeager.club
keystonefulfillment.com
malvasiahomes.com
direstraitslives.com
parking500.com
groom.land
humanschoolpodcast.com
plv8.online
modernspiritualbombshell.com
elegancerealestategroup.com
magentos6.com
xpressclouds.net
masihingat.com
exposingsecrets.com
beautybymscookie.com
skyauscompany.com
ak-sicherheitssysteme.net
meatslasvegas.com
blessedbeetherapy.com
nightanddayfreight.net
zizb4.com
pharmacymillwork.com
endlessgirls.online
bikingeswatini.com
xoxysei.site
tannhienonline.com
bloochy.com
ceo-ghost.com
amazonecho.sucks
klooskustoms.com
2xingyao.com
menopausebars.com
shdjtx.net
salon-massage-linit.com
macavent.com
purehempbotanicalsinfo.com
saintmaxnetwork.com
imagetown.group
occips.info
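The list above is the raw output of the config extractor. As an added example that is not part of the Triage report, the Python below turns a subset of those entries into a hostname index and scans constructed DNS query lines (the line format and the IP addresses are assumptions) for exact and subdomain matches. One caveat a responder should keep in mind: Formbook configs typically bundle the active C2 with a large number of decoy domains, several of which are legitimate sites, so a hit from this list is a pivot for investigation rather than proof of C2 traffic on its own; the memory YARA hits and the injection chain in the signatures below are the stronger evidence.

```python
from urllib.parse import urlsplit

# Subset of the extracted config transcribed from the report above
# (the first entry is a URL, the rest are bare domains).
FORMBOOK_CONFIG = [
    "http://www.firedoom.com/sbmh/",
    "edlasyarns.com",
    "rettexo.com",
    "friendlyksa.com",
    "westhighlandwaytours.com",
    "goudmarket.com",
    "turkime.com",
    "wellnysdirect.com",
    "handydanny.net",
    "ylccmakq.com",
    "benefits-sherpa.com",
    "hoy.viajes",
]

# Constructed DNS query log: "<timestamp> <client> <rrtype> <qname>" per line.
# Not a real capture from this analysis.
SAMPLE_DNS_LOG = """\
2020-11-25T14:09:01Z 10.0.0.5 A www.firedoom.com
2020-11-25T14:09:02Z 10.0.0.5 A ctldl.windowsupdate.com
2020-11-25T14:09:07Z 10.0.0.9 A cdn.rettexo.com
2020-11-25T14:09:09Z 10.0.0.9 AAAA example.org
"""


def normalize_host(entry):
    """Reduce a config entry (URL or bare domain) to a lowercase hostname
    without a leading 'www.' so that both forms index the same way."""
    if "://" in entry:
        host = urlsplit(entry).hostname or ""
    else:
        host = entry.split("/", 1)[0]
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_c2_index(entries):
    """Set of normalized hostnames from the extracted config."""
    return {normalize_host(e) for e in entries if e.strip()}


def matches_c2(hostname, index):
    """Return the config domain that hostname equals or is a subdomain of,
    or None. Candidate suffixes keep at least two labels so a bare TLD
    never matches."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


def scan_dns_log(text, index):
    """Yield (timestamp, client, qname, matched_domain) for every query
    that resolves a name from the config."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the constructed format
        ts, client, _rrtype, qname = parts
        matched = matches_c2(qname, index)
        if matched:
            hits.append((ts, client, qname, matched))
    return hits


if __name__ == "__main__":
    idx = build_c2_index(FORMBOOK_CONFIG)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, idx):
        print("%s %s queried %s (config domain %s)" % hit)
```

Subdomain matching is deliberate: the config holds registrable domains while the sample's live traffic goes to a host under one of them (the URL above uses www.firedoom.com). The URI path /sbmh/ is a second pivot worth searching in proxy logs, since Formbook's request path is stable across its decoys.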
Signatures

Formbook Payload (3 IoCs)
Resources matched by YARA rule "formbook":
- behavioral1/memory/268-6-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/268-7-0x000000000041ECD0-mapping.dmp
- behavioral1/memory/644-8-0x0000000000000000-mapping.dmp

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- new po775.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- new po775.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Deletes itself (1 IoC)
Processes:
- PID 1348 cmd.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- new po775.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- new po775.exe: key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Suspicious use of SetThreadContext (3 IoCs)
Processes (source PID / process -> target PID / process):
- PID 1732 new po775.exe set thread context of PID 268 new po775.exe
- PID 268 new po775.exe set thread context of PID 1268 Explorer.EXE
- PID 644 mstsc.exe set thread context of PID 1268 Explorer.EXE

Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes:
- PID 268 new po775.exe (2 events)
- PID 644 mstsc.exe (17 events)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 268 new po775.exe (3 events)
- PID 644 mstsc.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 268 new po775.exe: token SeDebugPrivilege
- PID 644 mstsc.exe: token SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
- PID 1268 Explorer.EXE (4 events)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
- PID 1268 Explorer.EXE (4 events)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (source PID / process -> target PID / process):
- PID 1732 new po775.exe wrote to memory of PID 268 new po775.exe (7 events)
- PID 1268 Explorer.EXE wrote to memory of PID 644 mstsc.exe (4 events)
- PID 644 mstsc.exe wrote to memory of PID 1348 cmd.exe (4 events)
Processes (tree; PIDs taken from the signature tables above)

C:\Windows\Explorer.EXE (PID 1268)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\new po775.exe (PID 1732)
    command line: "C:\Users\Admin\AppData\Local\Temp\new po775.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\new po775.exe (PID 268)
      command line: "C:\Users\Admin\AppData\Local\Temp\new po775.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe (PID 644)
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1348)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\new po775.exe"
      - Deletes itself
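The signature tables and the process tree above describe a single chain: the sample reads BIOS and Disk\Enum keys as sandbox checks, hollows a second copy of itself (SetThreadContext 1732 -> 268), hijacks a thread inside Explorer.EXE, the now-injected shell writes into a freshly started SysWOW64\mstsc.exe, and that process runs cmd.exe /c del to remove the original file. As an added example that is not part of the Triage report, the Python below encodes detection logic for those behaviours and runs it over events constructed from the IoC tables; the event field names are an assumption rather than the schema of any real sensor, and the PID attribution of the registry probes is constructed too, since the report lists them by image name only. A benign Explorer-launched mstsc.exe is included as a control that must not fire: what distinguishes this chain is Explorer writing into mstsc.exe's memory, not the launch itself.

```python
import re

# Events constructed from the IoC tables in this report. Field names are an
# assumption, not the schema of Sysmon, ETW or the sandbox.
SAMPLE_EVENTS = [
    {"type": "registry_query", "pid": 1732, "image": "new po775.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "registry_query", "pid": 1732, "image": "new po775.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0"},
    {"type": "set_thread_context", "pid": 1732, "image": "new po775.exe",
     "target_pid": 268, "target_image": "new po775.exe"},
    {"type": "set_thread_context", "pid": 268, "image": "new po775.exe",
     "target_pid": 1268, "target_image": "Explorer.EXE"},
    {"type": "write_process_memory", "pid": 1268, "image": "Explorer.EXE",
     "target_pid": 644, "target_image": r"C:\Windows\SysWOW64\mstsc.exe"},
    {"type": "process_create", "pid": 1348, "image": "cmd.exe",
     "parent_pid": 644, "parent_image": "mstsc.exe",
     "cmdline": r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\new po775.exe"'},
    # Control: a user opening Remote Desktop from the shell must not alert.
    {"type": "process_create", "pid": 900, "image": "mstsc.exe",
     "parent_pid": 1268, "parent_image": "Explorer.EXE",
     "cmdline": r'"C:\Windows\System32\mstsc.exe"'},
]

# Registry paths the report shows being read for sandbox detection.
# Matched as substrings so ControlSet001 / CurrentControlSet both hit.
SANDBOX_KEY_SUBSTRINGS = (
    r"hardware\description\system\systembiosversion",
    r"hardware\description\system\videobiosversion",
    r"services\disk\enum",
)

# cmd.exe /c del "<path>.exe" as seen in the process tree above.
SELF_DELETE_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)


def is_sandbox_probe(key):
    """True if a registry key is one of the sandbox/VM fingerprint keys."""
    k = key.lower()
    return any(s in k for s in SANDBOX_KEY_SUBSTRINGS)


def detect(events):
    """Return (rule, pid, detail) tuples for the Formbook chain in `events`."""
    alerts = []
    probing_images = set()  # images that performed a sandbox probe
    for e in events:
        t = e["type"]
        if t == "registry_query" and is_sandbox_probe(e["key"]):
            probing_images.add(e["image"].lower())
            alerts.append(("sandbox_probe", e["pid"], e["key"]))
        elif t == "set_thread_context":
            # The same-image hollow (1732 -> 268) is left to the memory YARA
            # hit; a thread hijack into the shell from another image is the
            # distinctive step, because the stealer then runs inside Explorer.
            if (e["target_image"].lower() == "explorer.exe"
                    and e["image"].lower() != "explorer.exe"):
                alerts.append(("thread_hijack_into_explorer", e["pid"], e["target_pid"]))
        elif t == "write_process_memory":
            # Explorer has no business writing into a 32-bit system binary.
            if (e["image"].lower() == "explorer.exe"
                    and "\\syswow64\\" in e["target_image"].lower()):
                alerts.append(("explorer_writes_into_syswow64_binary", e["pid"], e["target_image"]))
        elif t == "process_create" and e["image"].lower() == "cmd.exe":
            m = SELF_DELETE_RE.search(e.get("cmdline", ""))
            if m:
                path = m.group("path")
                name = path.rsplit("\\", 1)[-1].lower()
                # Escalate when the deleted binary is one that probed the sandbox.
                rule = ("self_delete_of_probing_binary" if name in probing_images
                        else "self_delete")
                alerts.append((rule, e["pid"], path))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print("%-40s pid=%-5d %s" % (rule, pid, detail))
```

The registry probes alone are weak signals (inventory and driver tooling read the same keys), which is why the self-delete rule only escalates when it can tie the deleted file back to a process that performed them; the two injection rules carry the weight on their own.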
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/268-6-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/268-7-0x000000000041ECD0-mapping.dmp
- memory/644-8-0x0000000000000000-mapping.dmp
- memory/644-9-0x0000000000CB0000-0x0000000000DB4000-memory.dmp (1.0MB)
- memory/644-11-0x0000000000B00000-0x0000000000BB8000-memory.dmp (736KB)
- memory/1348-10-0x0000000000000000-mapping.dmp
- memory/1732-0-0x00000000748A0000-0x0000000074F8E000-memory.dmp (6.9MB)
- memory/1732-1-0x00000000011F0000-0x00000000011F1000-memory.dmp (4KB)
- memory/1732-3-0x00000000004C0000-0x00000000004D3000-memory.dmp (76KB)
- memory/1732-4-0x0000000004F60000-0x0000000004FC5000-memory.dmp (404KB)
- memory/1732-5-0x0000000000610000-0x0000000000640000-memory.dmp (192KB)