Analysis

max time kernel: 150s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 26-11-2020 06:45

Static task: static1
Behavioral task: behavioral1
Sample: anthon.exe
Resource: win7v20201028

General

Target: anthon.exe
Size: 337KB
MD5: ea85c89530ed6f12fd8b75451f37afd5
SHA1: 9ad88734ca8e7c7e0f09b89f244ca7f4a1f606a6
SHA256: 29f75d4db1b85197038c1ed08661ef0a72158ac895e6aac76526bab07d83c318
SHA512: f89c1b3123f77616ee692cb0da7c35b1c095b2917015fa5e38140e1f6755e1937acab3e1269ce414e0c677446df5aa2dd923bf5e238d390c936dffac6311952b
Malware Config

Extracted: formbook
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/3436-4-0x00000000054A0000-0x00000000054C9000-memory.dmp | formbook
behavioral2/memory/3600-5-0x0000000000000000-mapping.dmp | formbook
behavioral2/memory/184-6-0x0000000000000000-mapping.dmp | formbook

Loads dropped DLL (1 IoC)
pid | process
3436 | rundll32.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | target process
PID 3600 set thread context of 2144 | 3600 | cmd.exe | Explorer.EXE
PID 184 set thread context of 2144 | 184 | explorer.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (51 IoCs)
pid | process
3436 | rundll32.exe (1 entry)
3600 | cmd.exe (4 entries)
184 | explorer.exe (46 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process
3436 | rundll32.exe (1 entry)
3600 | cmd.exe (3 entries)
184 | explorer.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3600 | cmd.exe
Token: SeDebugPrivilege | 184 | explorer.exe

Suspicious use of UnmapMainImage (1 IoC)
pid | process
2144 | Explorer.EXE

Suspicious use of WriteProcessMemory (89 IoCs)
description | pid | process | target process
PID 984 wrote to memory of 3436 | 984 | anthon.exe | rundll32.exe (3 entries)
PID 3436 wrote to memory of 3600 | 3436 | rundll32.exe | cmd.exe (86 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage

  C:\Users\Admin\AppData\Local\Temp\anthon.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\anthon.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe CloisonParticiple,Touchstones
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\explorer.exe
    command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\SysWOW64\cmd.exe"
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Local\Temp\CloisonParticiple.DLL
  MD5: 214b7024c4e0b928e995eef2a7805939
  SHA1: 0fdf0897e02c19420f7bb5b905e3406d08c43e99
  SHA256: 6f48abfe00075915b03732910b9c7325e10d84760fd2d46924191d25de46ae00
  SHA512: 43889795edc78626a14a142683778bbacc4f82ed02a5c30debe402d4b0fc5b29f085f97793c613b2cfa8cb15c62e5c345d3149db2c408307f1c1c4d053344173
- C:\Users\Admin\AppData\Local\Temp\Fatigue
  MD5: 9b43d88b4879b96ec30ae5b5ffee8809
  SHA1: bd10a035b506775df3ecb7c49c7a6ccde397e553
  SHA256: 7d1007db2eeaf7bbba67ecd8607c0b70739463dbed98002aa5b2852f86b80760
  SHA512: c9e10c1c74423dc7cf29ea83256c50de27f9d51331b210e6a1b4b31ca00587e2ad6ae30b1ad7d675be5cd270d8c471be0ccd7f57fe9c22547168dda2575ef7ab
- \Users\Admin\AppData\Local\Temp\CloisonParticiple.dll
  MD5: 214b7024c4e0b928e995eef2a7805939
  SHA1: 0fdf0897e02c19420f7bb5b905e3406d08c43e99
  SHA256: 6f48abfe00075915b03732910b9c7325e10d84760fd2d46924191d25de46ae00
  SHA512: 43889795edc78626a14a142683778bbacc4f82ed02a5c30debe402d4b0fc5b29f085f97793c613b2cfa8cb15c62e5c345d3149db2c408307f1c1c4d053344173
- memory/184-6-0x0000000000000000-mapping.dmp
- memory/184-7-0x0000000001030000-0x000000000146F000-memory.dmp (filesize: 4.2MB)
- memory/184-8-0x0000000001030000-0x000000000146F000-memory.dmp (filesize: 4.2MB)
- memory/184-10-0x0000000007220000-0x0000000007332000-memory.dmp (filesize: 1.1MB)
- memory/3436-0-0x0000000000000000-mapping.dmp
- memory/3436-4-0x00000000054A0000-0x00000000054C9000-memory.dmp (filesize: 164KB)
- memory/3488-9-0x0000000000000000-mapping.dmp
- memory/3600-5-0x0000000000000000-mapping.dmp