Analysis
max time kernel: 149s
max time network: 13s
platform: windows7_x64
resource: win7v20201028
submitted: 26-11-2020 06:41
Static task: static1
Behavioral task: behavioral1
Sample: PT300975-inv.exe
Resource: win7v20201028
General
Target: PT300975-inv.exe
Size: 546KB
MD5: 025544a9014cf1667e8a1d4ff68da253
SHA1: 0123853e7960cdae4f3ad95945b4ec86adbb93c6
SHA256: 2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
SHA512: a22db404c3a154339b3cd6d4a4227f319f6cb99d103346856ffd6fd249fe08bace4f528f185edc25c0672ae03b2e14c87b31b0b2d0728372c5893821b5a43068
Malware Config
Extracted: formbook
http://www.registeredagentfirm.com/jqc/
Signatures
Formbook Payload (3 IoCs)
Resources matching yara rule formbook:
- behavioral1/memory/316-6-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/316-7-0x000000000041EB50-mapping.dmp
- behavioral1/memory/332-8-0x0000000000000000-mapping.dmp
Suspicious use of SetThreadContext (3 IoCs)
- PID 744 (PT300975-inv.exe) set thread context of PID 316 (mscorsvw.exe)
- PID 316 (mscorsvw.exe) set thread context of PID 1256 (Explorer.EXE)
- PID 332 (rundll32.exe) set thread context of PID 1256 (Explorer.EXE)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
- PID 316 mscorsvw.exe (2 hits)
- PID 332 rundll32.exe (22 hits)
Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 316 mscorsvw.exe (3 hits)
- PID 332 rundll32.exe (2 hits)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- PID 744 PT300975-inv.exe: Token SeDebugPrivilege
- PID 316 mscorsvw.exe: Token SeDebugPrivilege
- PID 332 rundll32.exe: Token SeDebugPrivilege
Suspicious use of FindShellTrayWindow (4 IoCs)
- PID 1256 Explorer.EXE (4 hits)
Suspicious use of SendNotifyMessage (4 IoCs)
- PID 1256 Explorer.EXE (4 hits)
Suspicious use of WriteProcessMemory (18 IoCs)
- PID 744 (PT300975-inv.exe) wrote to memory of PID 316 (mscorsvw.exe) (7 hits)
- PID 1256 (Explorer.EXE) wrote to memory of PID 332 (rundll32.exe) (7 hits)
- PID 332 (rundll32.exe) wrote to memory of PID 756 (cmd.exe) (4 hits)
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PT300975-inv.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PT300975-inv.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/316-6-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/316-7-0x000000000041EB50-mapping.dmp
- memory/332-8-0x0000000000000000-mapping.dmp
- memory/332-9-0x0000000000D60000-0x0000000000D6E000-memory.dmp (56KB)
- memory/332-11-0x0000000000C20000-0x0000000000D08000-memory.dmp (928KB)
- memory/744-0-0x0000000074CC0000-0x00000000753AE000-memory.dmp (6.9MB)
- memory/744-1-0x0000000000FB0000-0x0000000000FB1000-memory.dmp (4KB)
- memory/744-3-0x0000000000400000-0x0000000000417000-memory.dmp (92KB)
- memory/744-4-0x0000000000420000-0x000000000043F000-memory.dmp (124KB)
- memory/744-5-0x0000000000450000-0x000000000045A000-memory.dmp (40KB)
- memory/756-10-0x0000000000000000-mapping.dmp