Analysis
max time kernel: 147s
max time network: 41s
platform: windows7_x64
resource: win7v20201028
submitted: 25-11-2020 20:51
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
  Resource: win10v20201028
General
Target: RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
Size: 1.2MB
MD5: cd4a8d5b7b52bad98531415d46545391
SHA1: d2646f03108d4063899716427c5dac918b264a5a
SHA256: bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779
SHA512: 2ad8c0097734eac098c043b95df314114d1fd1f677ddc3cc7be08ae1330de642621d73c6418082eabb97b4dbc94e6a05f058b2834ab9ecdd86615991c3a0bdff
Malware Config
Extracted: formbook
http://www.hansonkx.xyz/mkv/
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Formbook Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/292-3-0x0000000004990000-0x0000000004AD0000-memory.dmp | formbook
behavioral1/memory/1376-4-0x0000000000000000-mapping.dmp | formbook

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hmsm = "C:\\Users\\Admin\\AppData\\Local\\msmH.url" | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe

Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 292 set thread context of 1244 | 292 | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | Explorer.EXE
PID 1376 set thread context of 1244 | 1376 | colorcpl.exe | Explorer.EXE
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | colorcpl.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 6 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
pid | process
292 | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe (2 occurrences)
1376 | colorcpl.exe (21 occurrences)

Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid | process
292 | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe (3 occurrences)
1376 | colorcpl.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 292 | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
Token: SeDebugPrivilege | 1376 | colorcpl.exe

Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
1244 | Explorer.EXE (4 occurrences)

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process
1244 | Explorer.EXE (4 occurrences)

Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 1244 wrote to memory of 1376 | 1244 | Explorer.EXE | colorcpl.exe (4 occurrences)
PID 1376 wrote to memory of 1516 | 1376 | colorcpl.exe | Firefox.exe (5 occurrences)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\colorcpl.exe
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
memory/292-1-0x0000000004450000-0x00000000044B7000-memory.dmp | Filesize: 412KB
memory/292-3-0x0000000004990000-0x0000000004AD0000-memory.dmp | Filesize: 1.2MB
memory/764-6-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp | Filesize: 2.5MB
memory/1376-4-0x0000000000000000-mapping.dmp
memory/1376-5-0x0000000000900000-0x0000000000918000-memory.dmp | Filesize: 96KB
memory/1376-7-0x0000000003340000-0x0000000003431000-memory.dmp | Filesize: 964KB
memory/1376-8-0x0000000003C30000-0x0000000003D8A000-memory.dmp | Filesize: 1.4MB
memory/1516-9-0x0000000000000000-mapping.dmp
memory/1516-10-0x000000013FB50000-0x000000013FBE3000-memory.dmp | Filesize: 588KB