Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-11-2020 08:35

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PO98765.exe
  - Resource: win7v20201028

General
- Target: PO98765.exe
- Size: 672KB
- MD5: 137ec800f9c49390f2f225ab22774443
- SHA1: 2f3f1a1615b625cb1daf8d1e4a3eba208a89e30d
- SHA256: 60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96
- SHA512: 41b84ea68ec7c2b9fd5205a1ce00fcbfbe03d82efb4ae7ca9030f643aae341ff32b23974a23db5f8c0fbb423b569e838c10da56f185cbf4e70f1c634e8b570ec
Malware Config
- Extracted: formbook
- http://www.firedoom.com/sbmh/
Signatures
- Formbook Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1368-13-0x000000000041ECD0-mapping.dmp                     formbook
  behavioral2/memory/1368-12-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
  behavioral2/memory/2056-14-0x0000000000000000-mapping.dmp                     formbook
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    PO98765.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   PO98765.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                         process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     PO98765.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0   PO98765.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description                          pid    process       target process
  PID 1124 set thread context of 1368  1124   PO98765.exe   PO98765.exe
  PID 1368 set thread context of 2624  1368   PO98765.exe   Explorer.EXE
  PID 2056 set thread context of 2624  2056   NETSTAT.EXE   Explorer.EXE
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid    process
  2056   NETSTAT.EXE
- Suspicious behavior: EnumeratesProcesses (42 IoCs; repeated rows collapsed with a count)
  pid    process       rows
  1124   PO98765.exe   2
  1368   PO98765.exe   4
  2056   NETSTAT.EXE   36
- Suspicious behavior: MapViewOfSection (5 IoCs; repeated rows collapsed with a count)
  pid    process       rows
  1368   PO98765.exe   3
  2056   NETSTAT.EXE   2
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid    process
  Token: SeDebugPrivilege  1124   PO98765.exe
  Token: SeDebugPrivilege  1368   PO98765.exe
  Token: SeDebugPrivilege  2056   NETSTAT.EXE
- Suspicious use of WriteProcessMemory (15 IoCs; repeated rows collapsed with a count)
  description                       pid    process        target process   rows
  PID 1124 wrote to memory of 844   1124   PO98765.exe    PO98765.exe      3
  PID 1124 wrote to memory of 1368  1124   PO98765.exe    PO98765.exe      6
  PID 2624 wrote to memory of 2056  2624   Explorer.EXE   NETSTAT.EXE      3
  PID 2056 wrote to memory of 936   2056   NETSTAT.EXE    cmd.exe          3
Processes (tree, indented by depth)
C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\PO98765.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\PO98765.exe"
      - Checks BIOS information in registry
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\PO98765.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\PO98765.exe"
    C:\Users\Admin\AppData\Local\Temp\PO98765.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\PO98765.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autochk.exe
      command line: "C:\Windows\SysWOW64\autochk.exe"
  C:\Windows\SysWOW64\NETSTAT.EXE
      command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO98765.exe"
Downloads
  file                                                                   size
  memory/936-17-0x0000000000000000-mapping.dmp
  memory/1124-9-0x0000000005D40000-0x0000000005DA5000-memory.dmp         404KB
  memory/1124-6-0x0000000004E00000-0x0000000004E01000-memory.dmp         4KB
  memory/1124-10-0x0000000005DC0000-0x0000000005DF0000-memory.dmp        192KB
  memory/1124-5-0x0000000004EA0000-0x0000000004EA1000-memory.dmp         4KB
  memory/1124-11-0x0000000005EB0000-0x0000000005EB1000-memory.dmp        4KB
  memory/1124-7-0x0000000004F40000-0x0000000004F41000-memory.dmp         4KB
  memory/1124-8-0x0000000004E80000-0x0000000004E93000-memory.dmp         76KB
  memory/1124-1-0x00000000004A0000-0x00000000004A1000-memory.dmp         4KB
  memory/1124-4-0x00000000054B0000-0x00000000054B1000-memory.dmp         4KB
  memory/1124-3-0x00000000029C0000-0x00000000029C1000-memory.dmp         4KB
  memory/1124-0-0x0000000073CB0000-0x000000007439E000-memory.dmp         6.9MB
  memory/1368-12-0x0000000000400000-0x000000000042E000-memory.dmp        184KB
  memory/1368-13-0x000000000041ECD0-mapping.dmp
  memory/2056-14-0x0000000000000000-mapping.dmp
  memory/2056-15-0x0000000000E10000-0x0000000000E1B000-memory.dmp        44KB
  memory/2056-16-0x0000000000E10000-0x0000000000E1B000-memory.dmp        44KB
  memory/2056-18-0x00000000048F0000-0x0000000004A5D000-memory.dmp        1.4MB