Analysis
max time kernel: 147s
max time network: 136s
platform: windows10_x64
resource: win10v20201028
submitted: 11-01-2021 18:37
Static task: static1
Behavioral task: behavioral1
Sample: HSBC payment swift copy.exe
Resource: win7v20201028
General
Target: HSBC payment swift copy.exe
Size: 939KB
MD5: a4157360da26197715f33249273aca5b
SHA1: 1d7c9da78fccf8becc3dd7585f2a6a6882bc561f
SHA256: 94ff08030a3e4421baf3ad3489d4d757dd4e8aab659aa8a06f99d2d81526d17e
SHA512: bc50504e9df77d05771a15d0667e26e7984487c44a9de30252ec49cd5299637246c16ebe51a00c8478860997b4b7b0c593017f9f6a25dfc0d26fc8053973f4e7
Malware Config
Extracted
formbook
Signatures

Formbook Payload (3 IoCs)
resource / yara_rule:
  behavioral2/memory/3136-12-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral2/memory/3136-13-0x000000000041EA90-mapping.dmp  formbook
  behavioral2/memory/1992-14-0x0000000000000000-mapping.dmp  formbook

Suspicious use of SetThreadContext (3 IoCs)
pid / process -> target process:
  3636 HSBC payment swift copy.exe set thread context of 3136 HSBC payment swift copy.exe
  3136 HSBC payment swift copy.exe set thread context of 2908 Explorer.EXE
  1992 NETSTAT.EXE set thread context of 2908 Explorer.EXE

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
pid / process:
  1992 NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (38 IoCs)
pid / process:
  3136 HSBC payment swift copy.exe (4 hits)
  1992 NETSTAT.EXE (34 hits)

Suspicious behavior: MapViewOfSection (5 IoCs)
pid / process:
  3136 HSBC payment swift copy.exe (3 hits)
  1992 NETSTAT.EXE (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / process:
  Token: SeDebugPrivilege  3136 HSBC payment swift copy.exe
  Token: SeDebugPrivilege  1992 NETSTAT.EXE

Suspicious use of UnmapMainImage (1 IoCs)
pid / process:
  2908 Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
pid / process -> target process:
  3636 HSBC payment swift copy.exe wrote to memory of 3136 HSBC payment swift copy.exe (6 hits)
  2908 Explorer.EXE wrote to memory of 1992 NETSTAT.EXE (3 hits)
  1992 NETSTAT.EXE wrote to memory of 3896 cmd.exe (3 hits)
Processes

C:\Windows\Explorer.EXE
  command: C:\Windows\Explorer.EXE
  PID: 2908
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe
    command: "C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe"
    PID: 3636
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe
      command: "C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe"
      PID: 3136
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE
    command: "C:\Windows\SysWOW64\NETSTAT.EXE"
    PID: 1992
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command: /c del "C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe"
      PID: 3896
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1992-18-0x0000000002AD0000-0x0000000002C16000-memory.dmp  (1.3MB)
memory/1992-16-0x0000000000AC0000-0x0000000000ACB000-memory.dmp  (44KB)
memory/1992-15-0x0000000000AC0000-0x0000000000ACB000-memory.dmp  (44KB)
memory/1992-14-0x0000000000000000-mapping.dmp
memory/3136-12-0x0000000000400000-0x000000000042E000-memory.dmp  (184KB)
memory/3136-13-0x000000000041EA90-mapping.dmp
memory/3636-7-0x0000000004AA0000-0x0000000004AA1000-memory.dmp  (4KB)
memory/3636-10-0x0000000004A80000-0x0000000004A92000-memory.dmp  (72KB)
memory/3636-11-0x00000000059B0000-0x0000000005A1C000-memory.dmp  (432KB)
memory/3636-9-0x0000000004C60000-0x0000000004C61000-memory.dmp  (4KB)
memory/3636-8-0x0000000004A40000-0x0000000004A41000-memory.dmp  (4KB)
memory/3636-2-0x0000000073BA0000-0x000000007428E000-memory.dmp  (6.9MB)
memory/3636-6-0x0000000004F00000-0x0000000004F01000-memory.dmp  (4KB)
memory/3636-5-0x0000000004940000-0x0000000004941000-memory.dmp  (4KB)
memory/3636-3-0x00000000000A0000-0x00000000000A1000-memory.dmp  (4KB)
memory/3896-17-0x0000000000000000-mapping.dmp