Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-12-2020 14:39
Static task
static1
Behavioral task
behavioral1
Sample
anthony.exe
Resource
win7v20201028
General
-
Target
anthony.exe
-
Size
389KB
-
MD5
aa078a3e0ae224567676780e445d0987
-
SHA1
1a41de109b5ffc1b76d88435e4c1b86d6014361f
-
SHA256
881dc085a9c46e3e31ad8189720dc6e16a7f3b40a6de30d6cadd088c0f769bec
-
SHA512
28601887427c5a7eaf6e260fa858599030b91a5fc5643abbdca28081ef59747be591690f3f7ee27f4f63af8b389367ccfc440f1f7bcd8ff51497c6572251bc0e
Malware Config
Extracted
formbook
http://www.wellnesspharma.net/94sb/
kaligao.com
springsbounce.com
dreamytree.com
trylolows.com
butload.info
creperie-pancakesquare.com
mirajions.com
joineduphealthresources.net
hamradioblogs.com
linghuidz.com
atelierzeste.com
tweens.network
perteprampram03.net
connorneill.com
nannatech.com
chrmo.com
nanoring.info
mapomarket.com
bongkey.com
sdhhzp.com
threepeninsulas.com
izicomp.net
gekkey.com
pyskah.com
tritoncareer.com
aspirehowhouse.com
don8gr8.com
selfie-trends.com
jogja1945.info
tibio.store
kiranmayee.codes
stlmache.com
aaagroups.net
lzli.net
ranchomanantiales.com
augsburgconfession.net
eczamix.com
subcontratech.com
jwm-consulting.com
alepremiumcartel.com
thesacralgenie.com
dronebezorgd.com
shoprosalind.com
theafterglowagency.com
motoprimoreviews.com
walmartpetrex.com
awonderliang.com
peipei521.com
qabwg.com
trucleanusa.com
mamentos.info
wwwmmcguard.com
aedisurbancollaborative.com
hilferdinghill.com
torcida-r.com
okna4all.com
spidermenroofsupport.com
thedojoofdom.com
dteenpatti.com
starsnus.com
bistrooapp.com
philosopherbynight.com
pfkakaoblue.com
qxmasmobitvshop.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/5016-6-0x0000000005B40000-0x0000000005B69000-memory.dmp xloader behavioral2/memory/3588-7-0x0000000000000000-mapping.dmp xloader behavioral2/memory/512-8-0x0000000000000000-mapping.dmp xloader -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 5016 rundll32.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
cmd.exemstsc.exedescription pid process target process PID 3588 set thread context of 2552 3588 cmd.exe Explorer.EXE PID 512 set thread context of 2552 512 mstsc.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 53 IoCs
Processes:
rundll32.execmd.exemstsc.exepid process 5016 rundll32.exe 5016 rundll32.exe 5016 rundll32.exe 3588 cmd.exe 3588 cmd.exe 3588 cmd.exe 3588 cmd.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe 512 mstsc.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
rundll32.execmd.exemstsc.exepid process 5016 rundll32.exe 5016 rundll32.exe 5016 rundll32.exe 3588 cmd.exe 3588 cmd.exe 3588 cmd.exe 512 mstsc.exe 512 mstsc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
cmd.exemstsc.exedescription pid process Token: SeDebugPrivilege 3588 cmd.exe Token: SeDebugPrivilege 512 mstsc.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 2552 Explorer.EXE -
Suspicious use of WriteProcessMemory 97 IoCs
Processes:
anthony.exerundll32.exedescription pid process target process PID 4764 wrote to memory of 5016 4764 anthony.exe rundll32.exe PID 4764 wrote to memory of 5016 4764 anthony.exe rundll32.exe PID 4764 wrote to memory of 5016 4764 anthony.exe rundll32.exe PID 5016 wrote to memory of 4160 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 4160 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 4160 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 4160 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3452 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3452 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3452 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3452 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe PID 5016 wrote to memory of 3588 5016 rundll32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\anthony.exe"C:\Users\Admin\AppData\Local\Temp\anthony.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe Formicarium,Chechako3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:4160
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:3452
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3588
-
-
-
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:512 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\cmd.exe"3⤵PID:644
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
615c2b05240c4cc08eb974142adb4b48
SHA14c1d31132e20a11f5fa77f78f8d353f00871a82e
SHA256e3941182b18c301a9b108bf22b9b76c153fc633017799e472a701cefbaaef260
SHA512c14e36a1cfd037a7af3200ec97394409396b3b07f5a10ec72b61a2052346d215adf6403246ab9f5b980b61cf011a982edf7791e6828083bbd536cb8264361c03
-
MD5
4c17a43455fe2c1b3e13643ce40c6289
SHA16a35ee24e502632f4b247425acfbb8937ed0c6c7
SHA25693a9368167223906271bc361fcb6e6d21239f30ce5ea94fc4cf601b2c382bc88
SHA512e4dae063f0a90f93e05b9733ec3cc38d59b1bb3299df2d2c72ae173db5fe786e876153e588ac2896012597c3175d0431bbe3aed0d4e6a8dbd93b1efedd0d982f
-
MD5
615c2b05240c4cc08eb974142adb4b48
SHA14c1d31132e20a11f5fa77f78f8d353f00871a82e
SHA256e3941182b18c301a9b108bf22b9b76c153fc633017799e472a701cefbaaef260
SHA512c14e36a1cfd037a7af3200ec97394409396b3b07f5a10ec72b61a2052346d215adf6403246ab9f5b980b61cf011a982edf7791e6828083bbd536cb8264361c03