Analysis
- max time kernel: 150s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 11-01-2021 09:01
- Static task: static1
- Behavioral task: behavioral1 (Sample: 20210111140930669.exe; Resource: win7v20201028)
General
- Target: 20210111140930669.exe
- Size: 868KB
- MD5: 55a9f49ac7b18c445a01aa766954a68d
- SHA1: 73ebd37572a79adec31ceefda6bfec90a9f70f3a
- SHA256: 1b6a34ba043c45cfc63367a5a35d3c58b074d723c666d018b3c4c0d950e42b40
- SHA512: 50d1c160637c22e51432ac86e38f3e9e941069859ea02d62df505cb7e7190ba8282b0462520c0879798e1f3509283d2e13b5f3ef61bfe8a8699a18fc0cb482ef
Malware Config
- Extracted family: formbook
Signatures
- Formbook Payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/396-9-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
  - behavioral1/memory/396-10-0x000000000041EB30-mapping.dmp: formbook
  - behavioral1/memory/1496-11-0x0000000000000000-mapping.dmp: formbook
- Deletes itself (1 IoC)
  - pid 1584, process cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 596 set thread context of 396 (process: 20210111140930669.exe, target process: 20210111140930669.exe)
  - PID 396 set thread context of 1248 (process: 20210111140930669.exe, target process: Explorer.EXE)
  - PID 1496 set thread context of 1248 (process: rundll32.exe, target process: Explorer.EXE)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  - pid 596, process 20210111140930669.exe (1 hit)
  - pid 396, process 20210111140930669.exe (2 hits)
  - pid 1496, process rundll32.exe (18 hits)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  - pid 396, process 20210111140930669.exe (3 hits)
  - pid 1496, process rundll32.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, pid 596, process 20210111140930669.exe
  - Token: SeDebugPrivilege, pid 396, process 20210111140930669.exe
  - Token: SeDebugPrivilege, pid 1496, process rundll32.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  - pid 1248, process Explorer.EXE (4 hits)
- Suspicious use of SendNotifyMessage (4 IoCs)
  - pid 1248, process Explorer.EXE (4 hits)
- Suspicious use of WriteProcessMemory (22 IoCs)
  - PID 596 wrote to memory of 1628 (process: 20210111140930669.exe, target process: schtasks.exe), 4 hits
  - PID 596 wrote to memory of 396 (process: 20210111140930669.exe, target process: 20210111140930669.exe), 7 hits
  - PID 1248 wrote to memory of 1496 (process: Explorer.EXE, target process: rundll32.exe), 7 hits
  - PID 1496 wrote to memory of 1584 (process: rundll32.exe, target process: cmd.exe), 4 hits
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\20210111140930669.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\20210111140930669.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOvZfcnD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\20210111140930669.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\20210111140930669.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\20210111140930669.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp
  - MD5: b28efb15bff543f226c76f91c0060d46
  - SHA1: d1c7d6677ee2c1d64f3eb8df773d87069484b5f9
  - SHA256: c92467353d78d2d216a4dd87d28efcbe2ae0cba01afd991feec54909ffb08b88
  - SHA512: 8db2ef5199cda81edb85164ff2a06d46da47bcb0c9a7bf8573ba62b3af4895945e87abd33b8eb2d5919948ef734a4a76305b85215b7ce7dfeac47be8f1e862ed
- memory/396-9-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/396-10-0x000000000041EB30-mapping.dmp
- memory/596-2-0x0000000073D40000-0x000000007442E000-memory.dmp (Filesize: 6.9MB)
- memory/596-3-0x0000000001140000-0x0000000001141000-memory.dmp (Filesize: 4KB)
- memory/596-5-0x0000000000260000-0x0000000000272000-memory.dmp (Filesize: 72KB)
- memory/596-6-0x0000000005000000-0x000000000506D000-memory.dmp (Filesize: 436KB)
- memory/1496-11-0x0000000000000000-mapping.dmp
- memory/1496-12-0x0000000000C60000-0x0000000000C6E000-memory.dmp (Filesize: 56KB)
- memory/1496-14-0x0000000000B60000-0x0000000000C59000-memory.dmp (Filesize: 996KB)
- memory/1584-13-0x0000000000000000-mapping.dmp
- memory/1628-7-0x0000000000000000-mapping.dmp