Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 26-11-2020 13:54

Static task: static1
Behavioral task: behavioral1
Sample: Shipping INVOICE-BL Shipment..exe
Resource: win7v20201028
General
Target: Shipping INVOICE-BL Shipment..exe
Size: 427KB
MD5: 579ba39b6a146080ef6481591440e445
SHA1: 06bfc3b47e1ad6a35e10cb4a1edee6c563710107
SHA256: d8d9bb65ea3637fda09488baada0c9b387e0619b7c430b93c8a0fa2d8b489bc1
SHA512: bc2c920da35971ea6a6dfa8fc4f49829d6ba1eeae9589207b1f77a6e5f66d66dcb87396aadce266a61652f6fdfbe40503b9183af5f5ce26fa6cc9218df1597b9
Malware Config
Extracted
formbook
http://www.jddq888.com/mqgf/
decart.pro
qbluebaylivewd.com
idsbizb.icu
kepamieszczanska.com
greenislandcbg.com
usloader.site
auchandirect.sucks
relacionesdehechizo.com
slabrshop.com
cycheal.com
mycoaiko.com
prettythingsbyjessi.com
gettingthehelloutofca.com
reseachminister.com
techwomenlife.com
perfectfeelin.com
ez-mouse.com
thelonerangernews.com
hvcharging.com
caelaabadie.com
emrdoctor.com
codealemayohabrha.com
arealsmartmove.com
traduocthao.com
octopusemotions.com
tailoredstaffingfirm.com
atouragent.com
titleevolved.com
izservicesnyc.com
gethappylawnandgarden.info
wastie.club
metabol.watch
mandamentesdelafelicidad.com
cryptocapitaltrades.com
mehler.photography
habycontreras.com
marolihealth.com
gyanmix.tech
leraiths.com
labaronnerie.net
vegbin.com
uyieoamejus2zd.com
kababmayhaddi.com
fromcredit2close.com
psareview.com
away.sucks
theeinsidepoop.com
mapnimbis.com
xn----7sbf0aahnq1aem.xn--p1acf
realgoodtactical.com
mamentos.info
2978vh.com
sinoinsights.com
tedarikworld.com
wtmailer15.com
rmld51.com
barrosports.com
juicykingcrabexpress1111.com
dabirpatientcareplus.com
carnesveymacr.com
h2sg.com
visit-erotik.net
penisadvantagereview.com
mommymall.net
Signatures

Formbook Payload 3 IoCs
Processes:
resource                                                                    | yara_rule
behavioral2/memory/2140-4-0x0000000004CE0000-0x0000000004D09000-memory.dmp  | formbook
behavioral2/memory/3228-5-0x0000000000000000-mapping.dmp                    | formbook
behavioral2/memory/4368-6-0x0000000000000000-mapping.dmp                    | formbook
Loads dropped DLL 1 IoCs
Processes:
pid  | process
2140 | rundll32.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                         | pid  | process      | target process
PID 3228 set thread context of 2852 | 3228 | cmd.exe      | Explorer.EXE
PID 4368 set thread context of 2852 | 4368 | explorer.exe | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 51 IoCs
Processes (repeated rows collapsed; entries column gives the number of identical rows):
pid  | process      | entries
2140 | rundll32.exe | 1
3228 | cmd.exe      | 4
4368 | explorer.exe | 46
Suspicious behavior: MapViewOfSection 6 IoCs
Processes (repeated rows collapsed; entries column gives the number of identical rows):
pid  | process      | entries
2140 | rundll32.exe | 1
3228 | cmd.exe      | 3
4368 | explorer.exe | 2
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description             | pid  | process
Token: SeDebugPrivilege | 3228 | cmd.exe
Token: SeDebugPrivilege | 4368 | explorer.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid  | process
2852 | Explorer.EXE
Suspicious use of WriteProcessMemory 89 IoCs
Processes (repeated rows collapsed; entries column gives the number of identical rows):
description                      | pid  | process                           | target process | entries
PID 4712 wrote to memory of 2140 | 4712 | Shipping INVOICE-BL Shipment..exe | rundll32.exe   | 3
PID 2140 wrote to memory of 3228 | 2140 | rundll32.exe                      | cmd.exe        | 86
Processes (tree; the number after each path is its depth in the tree)

C:\Windows\Explorer.EXE  (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (depth 3)
      command line: rundll32.exe Prehnite,Lychnises
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (depth 4)
        command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\explorer.exe  (depth 2)
    command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: /c del "C:\Windows\SysWOW64\cmd.exe"
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\Erodium
  MD5: 980a6b092855d202363b6436e4a854e8
  SHA1: aa8e1a7e1ab7832c3112e5c35b7da143ff919ce0
  SHA256: f617d029f947ebb5c0b7b159233e699f5653a1f92e81f9fe44c60555884dc93c
  SHA512: 6dedf42a718dbc5a4ad25c20561c3adc0fc629d1135aa68d02fc264363617c827fe7eaa0dd49e828df93d80852b4e5aa8c932b20d43ff833c02c4b868df30367

C:\Users\Admin\AppData\Local\Temp\Prehnite.DLL
  MD5: f8aa685a3908110e79f4639aa7daddfa
  SHA1: dd4d16172ea4851f757abd34a8cb3c835552e6a3
  SHA256: aeea4b86ea607cf9820e3cadd4e98353a57ec789ec0a0e2fefbdd84abd25194a
  SHA512: 8989a1e5a29043a8cec9353d8923dc7fca52988949637133d5af5f655b04c8016ef8930da4f57a9c068b8e9208c4b8ae2bdaca9ca699755d139cab0ed2a3c5a6

\Users\Admin\AppData\Local\Temp\Prehnite.dll
  MD5: f8aa685a3908110e79f4639aa7daddfa
  SHA1: dd4d16172ea4851f757abd34a8cb3c835552e6a3
  SHA256: aeea4b86ea607cf9820e3cadd4e98353a57ec789ec0a0e2fefbdd84abd25194a
  SHA512: 8989a1e5a29043a8cec9353d8923dc7fca52988949637133d5af5f655b04c8016ef8930da4f57a9c068b8e9208c4b8ae2bdaca9ca699755d139cab0ed2a3c5a6

memory/2140-0-0x0000000000000000-mapping.dmp

memory/2140-4-0x0000000004CE0000-0x0000000004D09000-memory.dmp
  Filesize: 164KB

memory/3044-9-0x0000000000000000-mapping.dmp

memory/3228-5-0x0000000000000000-mapping.dmp

memory/4368-6-0x0000000000000000-mapping.dmp

memory/4368-7-0x00000000008C0000-0x0000000000CFF000-memory.dmp
  Filesize: 4.2MB

memory/4368-8-0x00000000008C0000-0x0000000000CFF000-memory.dmp
  Filesize: 4.2MB

memory/4368-10-0x0000000006D20000-0x0000000006E65000-memory.dmp
  Filesize: 1.3MB