Analysis
  max time kernel: 150s
  max time network: 124s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 26-11-2020 07:16

Static task: static1
Behavioral task: behavioral1
  Sample: Payment - Swift Copy.exe
  Resource: win7v20201028
General
  Target: Payment - Swift Copy.exe
  Size: 878KB
  MD5: 373529da43706b9b230586b501a000fd
  SHA1: d1a0ad8fe1c1adc9d27b5ceb3d7d27c9512c5495
  SHA256: 49e40687ad1ffb7ba491d92cd38333d3e96c134ba7739dcdd3e8ee2ea1b19506
  SHA512: f5ba8fbb2409decc4982c5b9d0c7f6b479e8f184af33e99333b23fbfd493888477aa0442bf58290439bda2b2b26fa729aa6e6d0e2fa6ebe8cd23f0f916a4a085
Malware Config (extracted family: formbook)
http://www.danneroll.com/mnc/
yicaiboli.com
litercoconut.icu
virtuallyfriday.com
joshuahumphreyproperty.com
mercedes-dieselclaims.com
rock-leaf.com
sandglasshours.com
pooldeckpatiodriveway.com
forenvid.com
wasserfuhr-gmbh.com
rizosmil.com
alberletgyor.com
besafetexting.com
ladoctoracorazon.net
prettyassframes.com
meetyourwish.com
achefskiss.com
parulata.com
thang8-freefirevn2.xyz
statuniverse.com
autotenis.com
gosales.solutions
cryptocurrencymegalodons.com
anelimplus.com
oceanama.com
hagisiran.space
mphsalvageandrecovery.online
alluvionsupply.com
englishteachers4you.com
talkinghorseequine.com
alium-locum.com
musictechnologyshow.com
linjitejituan.com
fullmoondreams.com
csltzs.com
testovulacion.net
saboortii.com
tuyavietnam.com
localkaza.com
mppleague.com
ecomwealthfast.com
escariot.net
oceanpowerclub.com
thecraftssisters.info
pekinghousetntogo.com
avtnywveba.club
bf-milestone.com
sundeckofwashington.com
xn--clnicaimplantcenter-m1b.com
adenikitchen.com
ironolink.com
whyiteachpodcast.com
landscapedesignvalley.com
twobluemagpies.com
uovuesax.icu
willowlandingmarina.com
dy-bxg.com
yogacomsolutions.site
tootandscoot.com
newteethok.com
watchtherainbow.com
bazacar.com
alassalahgroup.net
sabioconteudo.com
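The config block above is what a responder turns into blocking and hunting material. The Python below is an added example and is not part of the sandbox report: it parses a subset of the config (copied verbatim from the list above), splits the single URL entry from the bare hostnames, renders the punycode hostname in Unicode for the analyst, and then matches a constructed DNS query log against the host list. Formbook configs routinely mix the live C2 hostname with decoys, and the report does not say which entry is live, so every entry is treated alike here. The DNS log format and the decision to also watch the bare domain behind a leading "www." are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Subset of the "Malware Config" block above, copied verbatim from the report.
CONFIG_TEXT = """\
http://www.danneroll.com/mnc/
yicaiboli.com
litercoconut.icu
virtuallyfriday.com
xn--clnicaimplantcenter-m1b.com
sabioconteudo.com
"""

# Constructed DNS query log for the example; not produced by the sandbox.
DNS_LOG = """\
2020-11-26T07:16:41Z client=10.0.0.5 qtype=A name=www.danneroll.com
2020-11-26T07:16:42Z client=10.0.0.5 qtype=A name=mail.yicaiboli.com
2020-11-26T07:16:43Z client=10.0.0.7 qtype=A name=example.org
2020-11-26T07:16:44Z client=10.0.0.5 qtype=A name=notyicaiboli.com
"""

DNS_RE = re.compile(r"client=(\S+) qtype=(\S+) name=(\S+)")


def parse_config(text):
    """Split the config into IOC records: a 'url' entry keeps its path, the
    rest become 'domain' entries. Punycode labels are rendered in Unicode."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "://" in line:
            parts = urlsplit(line)
            rec = {"type": "url", "value": line, "host": parts.hostname, "path": parts.path}
        else:
            rec = {"type": "domain", "value": line, "host": line.lower(), "path": None}
        try:
            rec["unicode_host"] = rec["host"].encode("ascii").decode("idna")
        except UnicodeError:
            rec["unicode_host"] = rec["host"]
        iocs.append(rec)
    return iocs


def watch_hosts(iocs):
    """Hostnames to match. A leading 'www.' is also stripped so the bare
    domain is covered (a choice made here, not something the report states)."""
    hosts = set()
    for rec in iocs:
        hosts.add(rec["host"])
        if rec["host"].startswith("www."):
            hosts.add(rec["host"][4:])
    return hosts


def match_dns(log_text, hosts):
    """Return (client, name, matched_host) for every query that names a
    watched host or a subdomain of one; the longest matching host wins."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        client, _qtype, name = m.groups()
        name = name.lower().rstrip(".")
        matched = [h for h in hosts if name == h or name.endswith("." + h)]
        if matched:
            hits.append((client, name, max(matched, key=len)))
    return hits


if __name__ == "__main__":
    records = parse_config(CONFIG_TEXT)
    for rec in records:
        print(rec["type"], rec["value"], "->", rec["unicode_host"], rec["path"] or "")
    for client, name, host in match_dns(DNS_LOG, watch_hosts(records)):
        print("HIT", client, name, "matches", host)
```

The subdomain check requires a dot before the watched host, so a lookalike such as notyicaiboli.com does not match yicaiboli.com; the full 64-entry list drops in as CONFIG_TEXT unchanged.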
Signatures

Formbook Payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1748-6-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
  behavioral1/memory/1748-7-0x000000000041EB60-mapping.dmp                     formbook
  behavioral1/memory/1756-8-0x0000000000000000-mapping.dmp                     formbook

Deletes itself (1 IoC)
  pid 1116  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1056 (Payment - Swift Copy.exe) set thread context of 1748 (Payment - Swift Copy.exe)
  PID 1748 (Payment - Swift Copy.exe) set thread context of 1256 (Explorer.EXE)
  PID 1756 (control.exe) set thread context of 1256 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid 1056  Payment - Swift Copy.exe   2 hits
  pid 1748  Payment - Swift Copy.exe   2 hits
  pid 1756  control.exe                18 hits

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 1748  Payment - Swift Copy.exe   3 hits
  pid 1756  control.exe                2 hits

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege   pid 1056  Payment - Swift Copy.exe
  Token: SeDebugPrivilege   pid 1748  Payment - Swift Copy.exe
  Token: SeDebugPrivilege   pid 1756  control.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1256  Explorer.EXE   4 hits

Suspicious use of SendNotifyMessage (4 IoCs)
  pid 1256  Explorer.EXE   4 hits

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1056 (Payment - Swift Copy.exe) wrote to memory of 1748 (Payment - Swift Copy.exe)   7 hits
  PID 1256 (Explorer.EXE) wrote to memory of 1756 (control.exe)                            4 hits
  PID 1756 (control.exe) wrote to memory of 1116 (cmd.exe)                                 4 hits
Processes

[depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\control.exe
    command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
      - Deletes itself
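Read together, the signature tables and the process tree describe a three-hop chain: the sample writes into and redirects the thread of a child copy of itself (1056 to 1748), the child sets the thread context of Explorer.EXE (1748 to 1256), Explorer then spawns control.exe and writes into it (1256 to 1756), control.exe sets Explorer's thread context again (1756 to 1256) and finally launches cmd.exe to delete the original file (1756 to 1116). The Python below is an added example, not output of the sandbox: it reconstructs that chain from an event list built by hand from the PIDs, images and command lines in the tables above, the way a detection rule over endpoint telemetry would. The event schema (kind / pid / parent / target / image / cmdline) is an assumption made for this example and is not the sandbox's export format.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
CONTROL = r"C:\Windows\SysWOW64\control.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed event log: one record per row of the signature tables above.
# The schema is an assumption for this example, not the sandbox's format.
EVENTS = [
    {"kind": "create", "pid": 1256, "parent": None, "image": EXPLORER, "cmdline": EXPLORER},
    {"kind": "create", "pid": 1056, "parent": 1256, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "create", "pid": 1748, "parent": 1056, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "write_memory", "pid": 1056, "target": 1748},
    {"kind": "set_thread_context", "pid": 1056, "target": 1748},
    {"kind": "set_thread_context", "pid": 1748, "target": 1256},
    {"kind": "create", "pid": 1756, "parent": 1256, "image": CONTROL, "cmdline": f'"{CONTROL}"'},
    {"kind": "write_memory", "pid": 1256, "target": 1756},
    {"kind": "set_thread_context", "pid": 1756, "target": 1256},
    {"kind": "create", "pid": 1116, "parent": 1756, "image": CMD, "cmdline": f'/c del "{SAMPLE}"'},
    {"kind": "write_memory", "pid": 1756, "target": 1116},
]

# Matches `del <path>` or `del "<path with spaces>"` at the end of a command line.
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return findings as tuples: ("self_hollowing", src, dst),
    ("explorer_trampoline", injector, explorer, relay), ("self_delete", parent, cmd_pid, path)."""
    procs = {e["pid"]: e for e in events if e["kind"] == "create"}
    ctx = defaultdict(set)    # injector pid -> pids whose thread context it set
    wrote = defaultdict(set)  # writer pid -> pids it wrote into
    for e in events:
        if e["kind"] == "set_thread_context":
            ctx[e["pid"]].add(e["target"])
        elif e["kind"] == "write_memory":
            wrote[e["pid"]].add(e["target"])

    findings = []

    # 1. Self-hollowing: a process writes into, then redirects the thread of,
    #    a child it spawned from its own image.
    for src, targets in ctx.items():
        for dst in targets:
            s, d = procs.get(src), procs.get(dst)
            if s and d and d["parent"] == src and d["image"] == s["image"] and dst in wrote[src]:
                findings.append(("self_hollowing", src, dst))

    # 2. Explorer as a trampoline: something sets explorer's thread context,
    #    explorer then writes into a child it spawned, and that child sets
    #    explorer's thread context in turn.
    for exp, e in procs.items():
        if basename(e["image"]) != "explorer.exe":
            continue
        injectors = {src for src, t in ctx.items() if exp in t}
        relays = {p for p in injectors if procs[p]["parent"] == exp and p in wrote[exp]}
        for orig in sorted(injectors - relays):
            for relay in sorted(relays):
                findings.append(("explorer_trampoline", orig, exp, relay))

    # 3. Self-delete: a cmd.exe spawned by a process in the injection chain
    #    whose command line deletes a file.
    chain = set(ctx) | {t for ts in ctx.values() for t in ts}
    for pid, p in procs.items():
        m = DEL_RE.search(p.get("cmdline", ""))
        if m and basename(p["image"]) == "cmd.exe" and p["parent"] in chain:
            findings.append(("self_delete", p["parent"], pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(*finding)
```

Each finding on its own is noisy (installers hollow their own children, shell extensions write into Explorer), which is why the rule keys the self-delete on the parent being part of the injection chain rather than on `cmd /c del` alone.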
Downloads (memory dumps)
  memory/1056-0-0x0000000074CF0000-0x00000000753DE000-memory.dmp   6.9MB
  memory/1056-1-0x00000000009B0000-0x00000000009B1000-memory.dmp   4KB
  memory/1056-3-0x0000000000610000-0x0000000000623000-memory.dmp   76KB
  memory/1056-4-0x0000000004FF0000-0x0000000005055000-memory.dmp   404KB
  memory/1056-5-0x00000000049C0000-0x00000000049F0000-memory.dmp   192KB
  memory/1116-10-0x0000000000000000-mapping.dmp
  memory/1748-6-0x0000000000400000-0x000000000042E000-memory.dmp   184KB
  memory/1748-7-0x000000000041EB60-mapping.dmp
  memory/1756-9-0x0000000000070000-0x000000000008F000-memory.dmp   124KB
  memory/1756-8-0x0000000000000000-mapping.dmp
  memory/1756-11-0x0000000002F50000-0x0000000003065000-memory.dmp  1.1MB