Analysis
max time kernel: 147s
max time network: 9s
platform: windows7_x64
resource: win7v20201028
submitted: 11-01-2021 18:37
Static task: static1
Behavioral task: behavioral1
Sample: HSBC payment swift copy.exe
Resource: win7v20201028
General
Target: HSBC payment swift copy.exe
Size: 939KB
MD5: a4157360da26197715f33249273aca5b
SHA1: 1d7c9da78fccf8becc3dd7585f2a6a6882bc561f
SHA256: 94ff08030a3e4421baf3ad3489d4d757dd4e8aab659aa8a06f99d2d81526d17e
SHA512: bc50504e9df77d05771a15d0667e26e7984487c44a9de30252ec49cd5299637246c16ebe51a00c8478860997b4b7b0c593017f9f6a25dfc0d26fc8053973f4e7
Malware Config
Extracted: formbook
http://www.deejayatl.com/khm/
bizzglobal.com
sura-solutions.com
zhaofu7.com
electricindians.com
thedirtyreds.com
graalmilitaryofficial.com
yx-vinylglove.com
e-zenithonline.com
iric-canada.net
solrsmrtnrg.com
terdissuadablesouthe.net
farhadmagic.com
mysimplenook.com
melkavand.com
swirlinginlimbo.com
dentist-sandimas.com
88265536.com
88q18.com
kogiz.com
hasbiadam.com
kanziapparel.com
skyscanworld.com
greentablegoods.com
francescagraziella.com
bj-raytek.com
providenceclassical.net
yanlingbanjia.com
abcstudents.net
man-ass.com
9457-info.com
tabbys.art
kofanatrade.com
olenfex.com
cognitive11.net
moscopva.net
healthierndelicious.com
madameflowersbox.com
aigym365.com
latinforkmagazine.com
capperfoundation.com
sarahandmattswedding.com
axown.com
mystluciapages.com
znesty.com
escaperoomgeeks.com
dirtroadstv.com
citiroyalbn.com
vetoakleoe.com
computux.co.uk
dialite.pro
tarifaplana.info
oldschoolsayings.com
fidelrichard.icu
districthempfarm.com
thearchivevintage.com
cronusampora.com
gracelandremodeling.com
permsingroup.com
blacksheepjumper.com
infant-n-toddlers-world.com
crazy-wife.com
elafrocuba.com
gymkini.com
classour.com
Signatures

Formbook Payload (3 IoCs)
  resource / yara_rule
  behavioral1/memory/1080-7-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral1/memory/1080-8-0x000000000041EA90-mapping.dmp  formbook
  behavioral1/memory/1860-10-0x0000000000000000-mapping.dmp  formbook

Deletes itself (1 IoC)
  pid / process
  268  cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
  description / pid / process / target process
  PID 1740 set thread context of 1080  1740  HSBC payment swift copy.exe  HSBC payment swift copy.exe
  PID 1080 set thread context of 1268  1080  HSBC payment swift copy.exe  Explorer.EXE
  PID 1080 set thread context of 1268  1080  HSBC payment swift copy.exe  Explorer.EXE
  PID 1860 set thread context of 1268  1860  netsh.exe  Explorer.EXE

Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid / process
  1080  HSBC payment swift copy.exe  (3 entries)
  1860  netsh.exe  (16 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid / process
  1080  HSBC payment swift copy.exe  (4 entries)
  1860  netsh.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process
  Token: SeDebugPrivilege  1080  HSBC payment swift copy.exe
  Token: SeDebugPrivilege  1860  netsh.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid / process
  1268  Explorer.EXE  (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid / process
  1268  Explorer.EXE  (4 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
  description / pid / process / target process
  PID 1740 wrote to memory of 1080  1740  HSBC payment swift copy.exe  HSBC payment swift copy.exe  (7 entries)
  PID 1268 wrote to memory of 1860  1268  Explorer.EXE  netsh.exe  (4 entries)
  PID 1860 wrote to memory of 268  1860  netsh.exe  cmd.exe  (4 entries)
Processes
(process tree; indentation shows the parent/child relationship)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
memory/268-12-0x0000000000000000-mapping.dmp
memory/1080-7-0x0000000000400000-0x000000000042E000-memory.dmp  (Filesize 184KB)
memory/1080-8-0x000000000041EA90-mapping.dmp
memory/1268-9-0x0000000004540000-0x000000000460F000-memory.dmp  (Filesize 828KB)
memory/1740-2-0x00000000741A0000-0x000000007488E000-memory.dmp  (Filesize 6.9MB)
memory/1740-3-0x0000000001080000-0x0000000001081000-memory.dmp  (Filesize 4KB)
memory/1740-5-0x00000000004C0000-0x00000000004D2000-memory.dmp  (Filesize 72KB)
memory/1740-6-0x0000000005820000-0x000000000588C000-memory.dmp  (Filesize 432KB)
memory/1860-10-0x0000000000000000-mapping.dmp
memory/1860-11-0x0000000001630000-0x000000000164B000-memory.dmp  (Filesize 108KB)
memory/1860-13-0x00000000012F0000-0x000000000147D000-memory.dmp  (Filesize 1.6MB)