Analysis
- max time kernel: 67s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-11-2020 16:48

Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe
- Resource: win7v20201028

The header block above describes the Windows 10 run (the YARA hits further down cite behavioral2); the behavioral1 task listed here ran on the win7v20201028 image.
General
- Target: SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe
- Size: 1.1MB
- MD5: 38277d6e24f7210e5b8d77a337ae51d1
- SHA1: b31a7b97f75c7f296bef9eb6d5c2a585bf1d802d
- SHA256: 9728048925e7faf422c4d7bacfaa90fae8bdcc9efad8a0868b456f3d4b213d09
- SHA512: cac75de9024dae4ee011e7957cb410ee8e79550aa37ae184371884a6495e2dd90cc1448a9248dd5ef3e7090288c3cdb5696c99dc433e42a375eaabbf0c9827f7
Malware Config
Extracted family: formbook
C2: http://www.mommabearmoney.com/et2d/
Domains:
wcaconline.com
travelbackpackss.com
ao-m-nishinomiya.com
tilania.com
vegbydesign.net
mybabysisterscloset.com
sanctitude-cuspidated.com
russtybeats.com
dichvubangchuan.com
su-seikatu.info
eratosantorini.com
ninetofivemama.com
delishany.com
pawchamamapet.net
nissicloud.com
strictlyotaku.net
kissmanga.pro
appalachianfx.com
aralending.com
forbrighterlife.com
manhe3.com
cas100.com
kayabrands.net
innerworkshops.love
kforkidz.com
niulorge.com
thelittleredcraftshack.com
583846.com
dutchesspistolpermit.com
gempharmatechllc.com
hatiyhgsnterahs.com
grooming-gigi.com
wevertexinc.com
brazil920.com
loan-stalemate.info
cleanerkitchen-shop.com
lilyamore.com
invest-eight.com
cfa-cuu.com
k978-k2bsp-mr.net
essisoasesorias.com
mechaf.com
danmerinc.com
prestigehometransformations.com
brandsincart.com
dichvuviplike.pro
bigiproperty.com
mysteryblack.com
magentos6.com
pilotsugardaddys.net
securityacadamy.com
media-cruise.com
sloppyasians.com
unempioymentpua.com
texasrefinances.com
hellogringa.com
vspectra.site
lakewoodcharity.com
lowdownlocal.com
jedzeniomat.com
sellmyhouseolympia.com
halsmart.info
lailraw.com
reapen.com
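The extracted config is only useful once it is turned into something a log pipeline can match. The script below, an added example rather than anything from the report or from the sandbox vendor, builds a watch-list from the config printed above and runs it over DNS log lines. It assumes the URL entry is the C2 and the remaining entries are bare domains, exactly as this page prints them; DOMAINS is a subset of the list above, and SAMPLE_LOG is constructed, not captured traffic.

```python
"""Formbook config -> DNS watch-list -> matcher over log lines.
Added example, not part of the report. DOMAINS is a subset of the extracted
list above; SAMPLE_LOG is constructed for the demonstration."""
from urllib.parse import urlsplit

C2_URL = "http://www.mommabearmoney.com/et2d/"
DOMAINS = [  # subset of the extracted domain list on this page
    "wcaconline.com", "travelbackpackss.com", "kissmanga.pro",
    "unempioymentpua.com", "texasrefinances.com", "reapen.com",
]


def watch_list(c2_url=C2_URL, domains=DOMAINS):
    """Lower-cased set of hosts to alert on. The C2 host is added as printed
    and with a leading 'www.' stripped, so a query for the apex matches too."""
    host = urlsplit(c2_url).hostname.lower()
    hosts = {host}
    if host.startswith("www."):
        hosts.add(host[4:])
    hosts.update(d.lower().rstrip(".") for d in domains)
    return hosts


def defang(host):
    return host.replace(".", "[.]")


def matches(qname, hosts):
    """Exact match or a subdomain of an indicator. The '.' + h check keeps
    'notkissmanga.pro' from matching 'kissmanga.pro'; the longest indicator
    wins so 'www.mommabearmoney.com' is reported as itself, not as the apex."""
    q = qname.lower().rstrip(".")
    best = None
    for h in hosts:
        if (q == h or q.endswith("." + h)) and (best is None or len(h) > len(best)):
            best = h
    return best


def scan_dns_log(lines, hosts=None):
    """Lines are '<timestamp> <client> <qname>' (constructed layout).
    Returns (timestamp, client, qname, defanged indicator) per hit."""
    hosts = watch_list() if hosts is None else hosts
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines rather than crash the scan
        ts, client, qname = parts
        hit = matches(qname, hosts)
        if hit:
            hits.append((ts, client, qname, defang(hit)))
    return hits


SAMPLE_LOG = [  # constructed, not captured
    "2020-11-25T16:49:01Z 10.0.0.5 www.mommabearmoney.com",
    "2020-11-25T16:49:02Z 10.0.0.5 cdn.kissmanga.pro",
    "2020-11-25T16:49:03Z 10.0.0.7 notkissmanga.pro",
    "2020-11-25T16:49:04Z 10.0.0.7 example.com",
    "2020-11-25T16:49:05Z 10.0.0.5 REAPEN.COM.",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(*hit)
```

For proxy logs, pair the C2 host with the URI path from the config (/et2d/) instead of matching on the host alone; the domain list is large enough that host-only hits on the remaining entries deserve a second look before they are escalated.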
Signatures

Formbook Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/4052-12-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral2/memory/4052-13-0x000000000041ED50-mapping.dmp                    formbook

Suspicious use of SetThreadContext (1 IoC)
  description                         pid  process                                              target process
  PID 416 set thread context of 4052  416  SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe  SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   process                                              count
  416   SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe  6
  4052  SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe  2

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  process
  Token: SeDebugPrivilege  416  SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                      pid  process                                              target process                                       count
  PID 416 wrote to memory of 1648  416  SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe  SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe  3
  PID 416 wrote to memory of 4052  416  SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe  SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe  6

Read together, these rows describe the classic self-hollowing sequence: the parent (PID 416) enables SeDebugPrivilege, writes into two fresh instances of its own image (1648 three times, 4052 six times) and then sets the thread context of 4052 only. 4052 is the instance that keeps running (it is the only child with EnumeratesProcesses hits) and the only one whose memory matches the formbook rule, so the two PID 4052 dumps listed under Downloads are the ones to pull for static analysis.
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe"
    (no signatures)
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe"
    - Suspicious behavior: EnumeratesProcesses

The tree does not print PIDs. From the signature rows the parent is 416, the child with the EnumeratesProcesses hit is 4052, and the remaining child is 1648, the other process 416 wrote into.
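The signature rows on this page are individually weak (WriteProcessMemory and SetThreadContext both have benign uses) and only become a verdict when correlated per target process. The script below, an added example and not part of the report or any sandbox's own logic, does that correlation. EVENT_LOG is constructed from the rows above; its column layout (kind, source pid, target pid, source image, target image, extra) is an assumption made for this script, not the report's format.

```python
"""Correlate per-process sandbox signature rows into an injection verdict.
Added example, not part of the report. EVENT_LOG is constructed from the
Signatures section above using an assumed six-column layout."""
import re
from collections import defaultdict

IMG = "SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe"

# One line per IoC row; "-" marks a column that does not apply.
EVENT_LOG = "\n".join(
    [f"SetThreadContext     416 4052 {IMG} {IMG} -",
     f"AdjustPrivilegeToken 416 -    {IMG} -     SeDebugPrivilege"]
    + [f"WriteProcessMemory   416 1648 {IMG} {IMG} -"] * 3
    + [f"WriteProcessMemory   416 4052 {IMG} {IMG} -"] * 6
    + [f"EnumeratesProcesses  416 -    {IMG} -     -"] * 6
    + [f"EnumeratesProcesses  4052 -   {IMG} -     -"] * 2
)

LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+|-)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    events = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparsable event line: {raw!r}")
        kind, src, dst, src_img, dst_img, extra = m.groups()
        events.append({
            "kind": kind,
            "src": int(src),
            "dst": None if dst == "-" else int(dst),
            "src_img": src_img,
            "dst_img": None if dst_img == "-" else dst_img,
            "extra": None if extra == "-" else extra,
        })
    return events


def injection_summary(events):
    """Group cross-process writes by (source, target). A target that was both
    written to and had a thread context set is the hollowing pattern (write the
    payload, redirect a thread into it); a target that was only written to is
    reported separately so partial attempts are not lost."""
    writes = defaultdict(int)
    same_image = {}
    ctx = set()
    for e in events:
        if e["dst"] is None:
            continue
        key = (e["src"], e["dst"])
        if e["kind"] == "WriteProcessMemory":
            writes[key] += 1
            same_image[key] = e["src_img"] == e["dst_img"]
        elif e["kind"] == "SetThreadContext":
            ctx.add(key)
    hollowed, write_only = {}, {}
    for key, n in writes.items():
        src, dst = key
        info = {"parent": src, "writes": n, "same_image": same_image[key]}
        (hollowed if key in ctx else write_only)[dst] = info
    return hollowed, write_only


def has_sedebug(events, pid):
    return any(e["kind"] == "AdjustPrivilegeToken" and e["src"] == pid
               and e["extra"] == "SeDebugPrivilege" for e in events)


def ran_payload(events, pid):
    """A target that later shows behaviour of its own (here EnumeratesProcesses)
    is the instance that actually executed the injected code."""
    return any(e["kind"] == "EnumeratesProcesses" and e["src"] == pid for e in events)


def verdict(text=EVENT_LOG):
    events = parse_events(text)
    hollowed, write_only = injection_summary(events)
    for pid, info in hollowed.items():
        info["parent_sedebug"] = has_sedebug(events, info["parent"])
        info["ran_payload"] = ran_payload(events, pid)
    for pid, info in write_only.items():
        info["ran_payload"] = ran_payload(events, pid)
    return {"hollowed": hollowed, "write_only": write_only}


if __name__ == "__main__":
    import json
    print(json.dumps(verdict(), indent=2))
```

On this report the result is one hollowed target (4052, six writes, same image as the parent, parent holding SeDebugPrivilege, later activity of its own) and one write-only target (1648, three writes, no further activity). The same-image flag is worth keeping in the output: hollowing a copy of yourself, as here, and hollowing a legitimate system binary call for different follow-up questions.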
Network
MITRE ATT&CK Matrix
Downloads
- memory/416-0-0x0000000073970000-0x000000007405E000-memory.dmp (6.9MB)
- memory/416-1-0x0000000000C40000-0x0000000000C41000-memory.dmp (4KB)
- memory/416-3-0x0000000005950000-0x0000000005951000-memory.dmp (4KB)
- memory/416-4-0x0000000005EF0000-0x0000000005EF1000-memory.dmp (4KB)
- memory/416-5-0x00000000059F0000-0x00000000059F1000-memory.dmp (4KB)
- memory/416-6-0x0000000005910000-0x0000000005911000-memory.dmp (4KB)
- memory/416-7-0x0000000005BE0000-0x0000000005BE1000-memory.dmp (4KB)
- memory/416-8-0x0000000005930000-0x0000000005944000-memory.dmp (80KB)
- memory/416-9-0x0000000006760000-0x00000000067C5000-memory.dmp (404KB)
- memory/416-10-0x00000000067E0000-0x00000000067E6000-memory.dmp (24KB)
- memory/416-11-0x0000000006800000-0x0000000006830000-memory.dmp (192KB)
- memory/4052-12-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/4052-13-0x000000000041ED50-mapping.dmp
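The dump names encode pid, index and address range, which is enough to check the printed sizes and to pick out the dump worth opening first without downloading all of them. The script below is an added example, not part of the report: it parses the names listed above, recomputes each region's size, and flags as the payload candidate the region in the injection target (4052, from the SetThreadContext row) that starts at 0x400000. Treating 0x400000 as the image base to look for is an assumption (the usual base of a 32-bit PE), not something the report states; the DUMPS table is constructed from the list above.

```python
"""Triage of sandbox memory-dump names. Added example, not part of the report.
DUMPS is constructed from the Downloads list above; EXPECTED_BASE is an
assumption (default 32-bit PE image base), INJECTION_TARGET comes from the
SetThreadContext row on this page."""
import re

INJECTION_TARGET = 4052
EXPECTED_BASE = 0x400000

DUMPS = [  # (filename, size label as printed, or None for mapping dumps)
    ("memory/416-0-0x0000000073970000-0x000000007405E000-memory.dmp", "6.9MB"),
    ("memory/416-1-0x0000000000C40000-0x0000000000C41000-memory.dmp", "4KB"),
    ("memory/416-3-0x0000000005950000-0x0000000005951000-memory.dmp", "4KB"),
    ("memory/416-4-0x0000000005EF0000-0x0000000005EF1000-memory.dmp", "4KB"),
    ("memory/416-5-0x00000000059F0000-0x00000000059F1000-memory.dmp", "4KB"),
    ("memory/416-6-0x0000000005910000-0x0000000005911000-memory.dmp", "4KB"),
    ("memory/416-7-0x0000000005BE0000-0x0000000005BE1000-memory.dmp", "4KB"),
    ("memory/416-8-0x0000000005930000-0x0000000005944000-memory.dmp", "80KB"),
    ("memory/416-9-0x0000000006760000-0x00000000067C5000-memory.dmp", "404KB"),
    ("memory/416-10-0x00000000067E0000-0x00000000067E6000-memory.dmp", "24KB"),
    ("memory/416-11-0x0000000006800000-0x0000000006830000-memory.dmp", "192KB"),
    ("memory/4052-12-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/4052-13-0x000000000041ED50-mapping.dmp", None),
]

REGION = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dump(name):
    m = REGION.match(name)
    if m:
        pid, idx, start, end = m.groups()
        return {"name": name, "kind": "region", "pid": int(pid), "idx": int(idx),
                "start": int(start, 16), "end": int(end, 16)}
    m = MAPPING.match(name)
    if m:
        pid, idx, addr = m.groups()
        return {"name": name, "kind": "mapping", "pid": int(pid), "idx": int(idx),
                "addr": int(addr, 16)}
    raise ValueError(f"unrecognised dump name: {name}")


def size_label(nbytes):
    """Mirror the report's rounding: whole KiB below 1 MiB, one decimal MiB above."""
    if nbytes < 1 << 20:
        return f"{nbytes >> 10}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def triage(dumps=DUMPS, target=INJECTION_TARGET, base=EXPECTED_BASE):
    parsed = [(parse_dump(name), label) for name, label in dumps]
    regions = [d for d, _ in parsed if d["kind"] == "region"]
    mappings = [d for d, _ in parsed if d["kind"] == "mapping"]
    # 1. Printed size must equal the address range; anything else means the
    #    name and the file disagree and the dump should not be trusted blindly.
    mismatches = [d["name"] for d, label in parsed
                  if d["kind"] == "region" and size_label(d["end"] - d["start"]) != label]
    # 2. Payload candidate: region in the injection target at the expected base,
    #    with any single-address dumps of that pid that fall inside it.
    candidates = []
    for r in regions:
        if r["pid"] != target or r["start"] != base:
            continue
        inside = [m["addr"] for m in mappings
                  if m["pid"] == r["pid"] and r["start"] <= m["addr"] < r["end"]]
        size = r["end"] - r["start"]
        candidates.append({"name": r["name"], "size": size,
                           "page_aligned": size % 0x1000 == 0,
                           "mapping_addrs": inside})
    return {"size_mismatches": mismatches, "payload_candidates": candidates}


if __name__ == "__main__":
    print(triage())
```

On this list every printed size matches its address range, and the only candidate is memory/4052-12 (0x2E000 bytes, page-aligned) with the 0x41ED50 mapping address inside it, which agrees with the two dumps the formbook YARA rule fired on.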