Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-12-2020 19:04

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SMT20200616.exe
  - Resource: win7v20201028
General
- Target: SMT20200616.exe
- Size: 311KB
- MD5: 9eda8430e6bf0bab3f1e7134b584cd1b
- SHA1: 03b3d3d673686f0bd4316bd99c0a135e6e3250ba
- SHA256: 1c22bad3a6eb408ec1f4d6ef50b04e2294a77979abc411f9dbb752e2b495345b
- SHA512: 6ad03fb677542c246814976b473d033c743d0cee598139f96cd91e1c0fb958bc0dba5ad712b9fc61c72df09fcdf1b762ef0ae77f5692d6b7f1252935eb40cf78
Malware Config
Extracted family: formbook
- C2: http://www.sudelt.com/rk3/
- Decoy domains (64, listed below): Formbook configs embed a fixed list of decoy domains that the bot also contacts to bury the real C2 traffic. The entry with a URL path is the C2; the bare domains are typically unrelated, legitimate sites, so use them as context for traffic analysis rather than as a blocklist.
cedarridgerussellterriers.com
zamperl-couture.com
8minutesprofitlink.com
yuyinyue.net
castleminerforum.com
habbodm.biz
tektlc.life
strive2thriveglobal.com
richen8.com
ettlingen.digital
clairegoals.com
clearptsd.biz
wxqingtai.com
matttoken.com
macopride.com
hudong.ltd
wirelessantalya.com
connectlibrary.com
ourtime.site
vitalitymax.life
com-accounts-updates.com
himalayanartcn.com
kreationmedia.com
shtaoren.com
btyeml.download
fujitasetsubi.com
saleshop.download
glutenfreeforme.biz
lefthandchurch.com
bestjnj.com
xn--vcsr9nkv1blui.net
topl2jservers.com
gmc.finance
bfcyjt.com
thegecko.online
m299999.com
kastanet1.com
avslzdcwqu777.com
moccasincreek.technology
wanderingstarstories.com
hiduphalal.com
fantastichentai.com
ekai-neuropsicologia.com
docdomy.com
getridofchronicfatigue.info
newreceiptrecent.com
capemaykungfu.com
sluttycamwhores.com
egeizreklam.com
southernwineoneline.com
077c9.com
xdobx.biz
stefhairbeauty.com
yagestore.com
ferratumbrazil.com
nevillepaterson.com
empireeliteshowcase.com
nenlamgi.com
shunfengtc.com
hannahlarae.com
digitalstartupbrands.com
fideruleltd.com
pinwx.com
marylburkhardt.com
Signatures

Formbook Payload (3 IoCs)
YARA rule "formbook" matched:
- behavioral2/memory/4008-11-0x000000000041E300-mapping.dmp
- behavioral2/memory/4008-10-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral2/memory/1528-12-0x0000000000000000-mapping.dmp

YARA match: rezer0 (1 IoC)
- behavioral2/memory/580-8-0x0000000005C70000-0x0000000005CA4000-memory.dmp

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: chkdsk.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YBKPD4THR6A = "C:\Program Files (x86)\Ggrl0wdz\izbx1brhtxl.exe"
Policies\Explorer\Run is a Group Policy autostart location that is easy to miss when only the usual CurrentVersion\Run keys are reviewed. The value points at the copy of the payload that chkdsk.exe drops under Program Files (x86) (see "Drops file in Program Files directory" below).

Reads user/profile data of web browsers (2 TTPs)
Infostealers target stored browser data, which includes saved credentials and form data.

Suspicious use of SetThreadContext (4 IoCs)
- PID 580 SMT20200616.exe set thread context of PID 4008 SMT20200616.exe
- PID 4008 SMT20200616.exe set thread context of PID 3040 Explorer.EXE (twice)
- PID 1528 chkdsk.exe set thread context of PID 3040 Explorer.EXE
Read together with the WriteProcessMemory and MapViewOfSection events below, this is the injection chain: the dropper (580) hollows a copy of itself (4008), which injects into Explorer.EXE (3040); Explorer then launches chkdsk.exe (1528), which in turn injects back into Explorer.

Drops file in Program Files directory (1 IoC)
- chkdsk.exe: file opened for modification C:\Program Files (x86)\Ggrl0wdz\izbx1brhtxl.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
- chkdsk.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier

Modifies Internet Explorer settings (1 IoC)
- chkdsk.exe: key created \Registry\User\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form data and saved web credentials, so this access is consistent with the browser-data theft signature above.

Suspicious behavior: EnumeratesProcesses (46 IoCs)
- PID 580 SMT20200616.exe: 4 events
- PID 4008 SMT20200616.exe: 6 events
- PID 1528 chkdsk.exe: 36 events

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3040 Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
- PID 4008 SMT20200616.exe: 4 events
- PID 1528 chkdsk.exe: 4 events
Neither 4008 nor 1528 has a WriteProcessMemory event towards Explorer.EXE (PID 3040), so section mapping is the likely write primitive for those two injections.

Suspicious use of AdjustPrivilegeToken (9 IoCs)
- SeDebugPrivilege: PID 580 SMT20200616.exe, PID 4008 SMT20200616.exe, PID 1528 chkdsk.exe
- SeShutdownPrivilege: PID 3040 Explorer.EXE (3 times)
- SeCreatePagefilePrivilege: PID 3040 Explorer.EXE (3 times)

Suspicious use of UnmapMainImage (1 IoC)
- PID 3040 Explorer.EXE

Suspicious use of WriteProcessMemory (21 IoCs)
- PID 580 SMT20200616.exe -> PID 2624 SMT20200616.exe (3 writes)
- PID 580 SMT20200616.exe -> PID 2724 SMT20200616.exe (3 writes)
- PID 580 SMT20200616.exe -> PID 4008 SMT20200616.exe (6 writes)
- PID 3040 Explorer.EXE -> PID 1528 chkdsk.exe (3 writes)
- PID 1528 chkdsk.exe -> PID 2124 cmd.exe (3 writes)
- PID 1528 chkdsk.exe -> PID 2344 Firefox.exe (3 writes)
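The tables that matter most for triage here are the SetThreadContext and WriteProcessMemory lists (together they describe the injection chain) and the policy Run key entry (persistence). The report prints them as flattened text, so as an added example, not part of the sandbox output, the following Python script parses those event strings (copied from this page, with the repeated WriteProcessMemory rows deduplicated), pairs the write and thread-context events per source/target edge, labels each edge, and extracts the autostart entry. The labelling rules and the set of system binaries that should never register an autostart entry (chkdsk.exe) are the editor's assumptions, not something the sandbox asserts.

```python
"""Turn the flattened sandbox event tables on this page into structured IoCs.

Added example (editor's code, not part of the sandbox report). The event
strings are copied from the report's tables; the pairing and labelling
logic is an assumption about how to read them.
"""
import re
from collections import defaultdict

# "Suspicious use of SetThreadContext" table, one line per event (from the report).
SET_THREAD_CONTEXT = """
PID 580 set thread context of 4008 580 SMT20200616.exe SMT20200616.exe
PID 4008 set thread context of 3040 4008 SMT20200616.exe Explorer.EXE
PID 4008 set thread context of 3040 4008 SMT20200616.exe Explorer.EXE
PID 1528 set thread context of 3040 1528 chkdsk.exe Explorer.EXE
"""

# "Suspicious use of WriteProcessMemory" table, one line per distinct edge
# (the report repeats each edge 3 to 6 times; duplicates dropped here).
WRITE_PROCESS_MEMORY = """
PID 580 wrote to memory of 2624 580 SMT20200616.exe SMT20200616.exe
PID 580 wrote to memory of 2724 580 SMT20200616.exe SMT20200616.exe
PID 580 wrote to memory of 4008 580 SMT20200616.exe SMT20200616.exe
PID 3040 wrote to memory of 1528 3040 Explorer.EXE chkdsk.exe
PID 1528 wrote to memory of 2124 1528 chkdsk.exe cmd.exe
PID 1528 wrote to memory of 2344 1528 chkdsk.exe Firefox.exe
"""

# PIDs listed under "Suspicious behavior: MapViewOfSection" (from the report).
MAP_VIEW_OF_SECTION_PIDS = {4008, 1528}

# "Adds policy Run key to start application" table, verbatim from the report
# (the value keeps the report's doubled backslashes).
REGISTRY = (r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
            r'\Policies\Explorer\Run chkdsk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE'
            r'\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YBKPD4THR6A = '
            r'"C:\\Program Files (x86)\\Ggrl0wdz\\izbx1brhtxl.exe" chkdsk.exe')

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$")

# Autostart location used by this sample: HKLM\...\Policies\Explorer\Run.
RUN_KEY_RE = re.compile(
    r'Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
    r'\\Policies\\Explorer\\Run)\\(?P<name>\S+) = "(?P<value>[^"]*)" (?P<proc>\S+)$')

# Windows binaries with no legitimate reason to register an autostart entry.
# Editor's assumption for the heuristic; extend with your own baseline.
UNEXPECTED_AUTOSTART_WRITERS = {"chkdsk.exe"}


def parse_events(table):
    """Parse 'PID <src> <verb> <dst> <src> <src_image> <dst_image>' lines."""
    events = []
    for line in table.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue
        events.append((int(m["src"]), m["verb"], int(m["dst"]),
                       m["src_img"], m["dst_img"]))
    return events


def injection_chain(stc_table, wpm_table, section_map_pids):
    """Pair the two primitives per (source, target) edge and label the edge.

    write + set-thread-context into a same-image child  -> hollowing
    write + set-thread-context into a different image   -> injection
    set-thread-context only, source also maps sections  -> set_ctx_section_map
      (payload delivered with MapViewOfSection instead of WriteProcessMemory)
    set-thread-context only, no section mapping         -> set_ctx_only
    write only                                          -> write_only
    """
    edges = defaultdict(lambda: {"write": 0, "set_ctx": 0})
    for src, verb, dst, simg, dimg in parse_events(wpm_table) + parse_events(stc_table):
        field = "set_ctx" if verb.startswith("set") else "write"
        edges[(src, simg, dst, dimg)][field] += 1
    chain = []
    for (src, simg, dst, dimg), counts in sorted(edges.items()):
        if counts["write"] and counts["set_ctx"]:
            kind = "hollowing" if simg.lower() == dimg.lower() else "injection"
        elif counts["set_ctx"]:
            kind = "set_ctx_section_map" if src in section_map_pids else "set_ctx_only"
        else:
            kind = "write_only"
        chain.append({"src": src, "src_image": simg, "dst": dst, "dst_image": dimg,
                      "kind": kind, **counts})
    return chain


def persistence_from_registry(line):
    """Extract the autostart entry and flag it when written by an unexpected process."""
    m = RUN_KEY_RE.search(line)
    if m is None:
        return None
    path = m["value"].replace("\\\\", "\\")   # undo the report's escaped backslashes
    return {"key": m["key"], "name": m["name"], "path": path, "process": m["proc"],
            "suspicious": m["proc"].lower() in UNEXPECTED_AUTOSTART_WRITERS}


if __name__ == "__main__":
    for e in injection_chain(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, MAP_VIEW_OF_SECTION_PIDS):
        print(f'{e["src"]:>5} {e["src_image"]:<17} -> {e["dst"]:>5} {e["dst_image"]:<17} '
              f'writes={e["write"]} set_ctx={e["set_ctx"]} {e["kind"]}')
    print(persistence_from_registry(REGISTRY))
```

Run against this report, the script labels 580 -> 4008 as hollowing (writes followed by a thread-context change into a child with the same image), 4008 -> 3040 and 1528 -> 3040 as set_ctx_section_map (a context change into Explorer.EXE with no WriteProcessMemory towards it while the source shows MapViewOfSection activity), and every other edge as write_only. The two write-only SMT20200616.exe children are the two "{path}" entries in the process tree that show no further activity, and the writes into cmd.exe and Firefox.exe are parent-to-child writes at spawn time, which are weak evidence on their own. The persistence check returns the YBKPD4THR6A value with the unescaped path and flags it because chkdsk.exe wrote it.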
Processes
PIDs are taken from the signature tables above.

1. C:\Windows\Explorer.EXE (PID 3040)
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\SMT20200616.exe (PID 580)
      command line: "C:\Users\Admin\AppData\Local\Temp\SMT20200616.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\SMT20200616.exe (PID 2624 or 2724)
         command line: "{path}"
         (no signatures; PID 580 wrote to this process but recorded no thread-context change for it)

      3. C:\Users\Admin\AppData\Local\Temp\SMT20200616.exe (PID 2724 or 2624)
         command line: "{path}"
         (no signatures; same as the entry above)

      3. C:\Users\Admin\AppData\Local\Temp\SMT20200616.exe (PID 4008)
         command line: "{path}"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\chkdsk.exe (PID 1528)
      command line: "C:\Windows\SysWOW64\chkdsk.exe"
      - Adds policy Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 2124)
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\SMT20200616.exe"
         (self-deletion of the dropper; the persisted copy lives under C:\Program Files (x86)\Ggrl0wdz)

      3. C:\Program Files\Mozilla Firefox\Firefox.exe (PID 2344)
         command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
         (launched and written to by chkdsk.exe, consistent with the browser-data theft signature)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps collected during the run (size in parentheses; YARA hits from the Signatures section noted in brackets):
- memory/580-2-0x0000000073190000-0x000000007387E000-memory.dmp (6.9MB)
- memory/580-3-0x0000000000D50000-0x0000000000D51000-memory.dmp (4KB)
- memory/580-5-0x0000000005700000-0x0000000005701000-memory.dmp (4KB)
- memory/580-6-0x00000000030D0000-0x00000000030DB000-memory.dmp (44KB)
- memory/580-7-0x0000000005840000-0x0000000005841000-memory.dmp (4KB)
- memory/580-8-0x0000000005C70000-0x0000000005CA4000-memory.dmp (208KB) [YARA: rezer0]
- memory/580-9-0x00000000062E0000-0x00000000062E1000-memory.dmp (4KB)
- memory/1528-17-0x00000000080F0000-0x0000000008232000-memory.dmp (1.3MB)
- memory/1528-16-0x0000000005D40000-0x0000000005E0C000-memory.dmp (816KB)
- memory/1528-12-0x0000000000000000-mapping.dmp [YARA: formbook]
- memory/1528-13-0x0000000000040000-0x000000000004A000-memory.dmp (40KB)
- memory/1528-14-0x0000000000040000-0x000000000004A000-memory.dmp (40KB)
- memory/2124-15-0x0000000000000000-mapping.dmp
- memory/2344-18-0x0000000000000000-mapping.dmp
- memory/2344-19-0x00007FF615870000-0x00007FF615903000-memory.dmp (588KB)
- memory/2344-20-0x00007FF615870000-0x00007FF615903000-memory.dmp (588KB)
- memory/2344-21-0x00007FF615870000-0x00007FF615903000-memory.dmp (588KB)
- memory/4008-10-0x0000000000400000-0x000000000042D000-memory.dmp (180KB) [YARA: formbook]
- memory/4008-11-0x000000000041E300-mapping.dmp [YARA: formbook]