Analysis
- max time kernel: 145s
- max time network: 129s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-12-2020 15:25

Tasks
- Static task static1
- Behavioral task behavioral1: sample 12-4.exe, resource win7v20201028
- Behavioral task behavioral2: sample 12-4.exe, resource win10v20201028
General
- Target: 12-4.exe
- Size: 1.4MB
- MD5: 86e9f171ca095286ac610deaf54c7667
- SHA1: ea152559408d3ce06448b654fd9e79b843ad6975
- SHA256: 37cfb7fb31732401d50f7f17c28fbea5997ef4a7236ce89f37dc57675a76b23f
- SHA512: 7c1e51c851e03cd06ebe619b908e3eb133cc291d843909154067019b32ca9919a8323327d8f6527aa36be68630f3ed15dc5c1afa3b4c73157750916abe5f79f2
Malware Config
- Extracted family: formbook (the extracted C2 URL and domain list are omitted here)
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Formbook Payload (2 IoCs)
  Processes (resource: yara rule):
  behavioral1/memory/1668-7-0x00000000047E0000-0x0000000004920000-memory.dmp: formbook
  behavioral1/memory/440-8-0x0000000000000000-mapping.dmp: formbook
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mswe = "C:\\Users\\Admin\\AppData\\Local\\ewsM.url" (12-4.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (pid process -> target process):
  PID 1668 12-4.exe set thread context of 1268 Explorer.EXE
  PID 440 netsh.exe set thread context of 1268 Explorer.EXE
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  Key created \Registry\User\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (netsh.exe)
- Modifies system certificate store
  Processes (description, ioc, process):
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (12-4.exe)
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob (12-4.exe; two writes, the raw certificate blob values are omitted here)
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes (pid process): 1668 12-4.exe (2 events), 440 netsh.exe (20 events)
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes (pid process): 1668 12-4.exe (3 events), 440 netsh.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid process):
  Token: SeDebugPrivilege, 1668 12-4.exe
  Token: SeDebugPrivilege, 440 netsh.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid process): 1268 Explorer.EXE (4 events)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid process): 1268 Explorer.EXE (4 events)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (pid process -> target process):
  PID 1268 Explorer.EXE wrote to memory of 440 netsh.exe (4 events)
  PID 440 netsh.exe wrote to memory of 1520 Firefox.exe (5 events)
Processes (process tree, indented by depth)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\12-4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\12-4.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads (memory dumps, with file size where reported)
- memory/440-8-0x0000000000000000-mapping.dmp
- memory/440-9-0x00000000008D0000-0x00000000008EB000-memory.dmp (108KB)
- memory/440-10-0x0000000003E80000-0x0000000003FD6000-memory.dmp (1.3MB)
- memory/440-11-0x00000000035E0000-0x0000000003689000-memory.dmp (676KB)
- memory/976-4-0x000007FEF5B70000-0x000007FEF5DEA000-memory.dmp (2.5MB)
- memory/1520-12-0x0000000000000000-mapping.dmp
- memory/1520-13-0x000000013F2C0000-0x000000013F353000-memory.dmp (588KB)
- memory/1668-2-0x0000000002090000-0x00000000020BB000-memory.dmp (172KB)
- memory/1668-5-0x0000000004650000-0x00000000046A0000-memory.dmp (320KB)
- memory/1668-7-0x00000000047E0000-0x0000000004920000-memory.dmp (1.2MB)