Analysis
- max time kernel: 149s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-11-2020 14:08
- static task: static1
- behavioral task: behavioral1 (sample: new po775.exe, resource: win7v20201028)
General
- Target: new po775.exe
- Size: 742KB
- MD5: e5c21682444f59793a1c2704d90ead6d
- SHA1: 76b0a20b9b86057e42df99e5f5f30be57a06f320
- SHA256: a88db831c2dbd27895d7d042a3e4e604bd82caad37d51fccc76dfb81d884ffba
- SHA512: a58dba7b794bcd2fb8d966af8a9c1a5e3c08a17e69351c28819b4b5a22419e315433d6169d73e96d891cc1c6c3a365d341c6d06faf6209fcd2e167a4b77b1e05
Malware Config
Extracted
formbook
http://www.firedoom.com/sbmh/
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
- behavioral2/memory/3548-12-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
- behavioral2/memory/3548-13-0x000000000041ECD0-mapping.dmp | formbook
- behavioral2/memory/1332-14-0x0000000000000000-mapping.dmp | formbook

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: new po775.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | new po775.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | new po775.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: new po775.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | new po775.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | new po775.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: new po775.exe, new po775.exe, explorer.exe
description | pid | process | target process
- PID 1628 set thread context of 3548 | 1628 | new po775.exe | new po775.exe
- PID 3548 set thread context of 2144 | 3548 | new po775.exe | Explorer.EXE
- PID 1332 set thread context of 2144 | 1332 | explorer.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (38 IoCs)
Processes: new po775.exe, explorer.exe
pid | process
- 3548 | new po775.exe (4 events)
- 1332 | explorer.exe (34 events)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: new po775.exe, explorer.exe
pid | process
- 3548 | new po775.exe (3 events)
- 1332 | explorer.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: new po775.exe, explorer.exe
description | pid | process
- Token: SeDebugPrivilege | 3548 | new po775.exe
- Token: SeDebugPrivilege | 1332 | explorer.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
pid | process
- 2144 | Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: new po775.exe, Explorer.EXE, explorer.exe
description | pid | process | target process
- PID 1628 wrote to memory of 3548 | 1628 | new po775.exe | new po775.exe (6 events)
- PID 2144 wrote to memory of 1332 | 2144 | Explorer.EXE | explorer.exe (3 events)
- PID 1332 wrote to memory of 2124 | 1332 | explorer.exe | cmd.exe (3 events)
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\new po775.exe (command line: "C:\Users\Admin\AppData\Local\Temp\new po775.exe")
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\new po775.exe (command line: "C:\Users\Admin\AppData\Local\Temp\new po775.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\explorer.exe (command line: "C:\Windows\SysWOW64\explorer.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\new po775.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1332-14-0x0000000000000000-mapping.dmp
- memory/1332-18-0x00000000066D0000-0x000000000679D000-memory.dmp (820KB)
- memory/1332-16-0x0000000001370000-0x00000000017AF000-memory.dmp (4.2MB)
- memory/1332-15-0x0000000001370000-0x00000000017AF000-memory.dmp (4.2MB)
- memory/1628-9-0x0000000006330000-0x0000000006395000-memory.dmp (404KB)
- memory/1628-4-0x0000000005AB0000-0x0000000005AB1000-memory.dmp (4KB)
- memory/1628-7-0x0000000005650000-0x0000000005651000-memory.dmp (4KB)
- memory/1628-8-0x00000000054B0000-0x00000000054C3000-memory.dmp (76KB)
- memory/1628-0-0x0000000073840000-0x0000000073F2E000-memory.dmp (6.9MB)
- memory/1628-10-0x00000000063A0000-0x00000000063D0000-memory.dmp (192KB)
- memory/1628-11-0x0000000006470000-0x0000000006471000-memory.dmp (4KB)
- memory/1628-1-0x0000000000BB0000-0x0000000000BB1000-memory.dmp (4KB)
- memory/1628-3-0x0000000005510000-0x0000000005511000-memory.dmp (4KB)
- memory/1628-5-0x00000000055B0000-0x00000000055B1000-memory.dmp (4KB)
- memory/1628-6-0x0000000005490000-0x0000000005491000-memory.dmp (4KB)
- memory/2124-17-0x0000000000000000-mapping.dmp
- memory/3548-13-0x000000000041ECD0-mapping.dmp
- memory/3548-12-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)