Analysis
max time kernel: 12s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 12-01-2021 22:46
Static task: static1
Behavioral task: behavioral1
Sample: inz.exe
Resource: win7v20201028
General
Target: inz.exe
Size: 411KB
MD5: ab87bb7551411aec9c0b27cb4dcca79e
SHA1: e689e98a99d1d2a6e9a67a6adbd7fba737ed2d6b
SHA256: 6c63e68f6d116d78c115e15d1c1bdaeb1064cb562de15c4f5d46142e637f26e3
SHA512: 5a0ef5f90cd43534e2043dbe4fae17c9b1a1197be9e1acd29c1c069f710732bd8f6c3aad59b5ff16e4c65ac43b4e23e8a2c8c7f5fc27a74638c150b319234f4f
Malware Config
Extracted
formbook
http://www.nationshiphop.com/hko6/
apartmentsineverettwa.com
forritcu.net
hotroodes.com
skinnerttc.com
royaltrustmyanmar.com
adreslog.com
kaysbridalboutiques.com
multitask-improvements.com
geniiforum.com
smarthomehatinh.asia
banglikeaboss.com
javlover.club
affiliateclubindia.com
mycapecoralhomevalue.com
comparamuebles.online
newrochellenissan.com
nairobi-paris.com
fwk.xyz
downdepot.com
nextgenmemorabilia.com
achonabu.com
stevebana.xyz
jacmkt.com
weownthenight187.com
divshop.pro
wewearceylon.com
skyreadymix.net
jaffacorner.com
bakerlibra.icu
femalecoliving.com
best20banks.com
millcityloam.com
signature-office.com
qlifepharmacy.com
dextermind.net
fittcycleacademy.com
davidoff.sucks
1033393.com
tutorsboulder.com
bonicc.com
goodberryjuice.com
zhaowulu.com
teryaq.media
a-zsolutionsllc.com
bitcoincandy.xyz
cfmfair.com
annefontain.com
princesssexyluxwear.com
prodigybrushes.com
zzhqp.com
hwcailing.com
translatiions.com
azery.site
wy1917.com
ringohouse.info
chartershome.com
thongtinhay.net
2201virginiacondo5.com
laurieryork.net
mujeresnegociantes.com
anchoriaswimwear.com
michaelsala.com
esdeportebici.com
ninjitsoo.com
Signatures

Formbook Payload (5 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/2916-5-0x0000000000400000-0x0000000000443000-memory.dmp   formbook
  behavioral2/memory/2916-6-0x000000000040188B-mapping.dmp                     formbook
  behavioral2/memory/3880-7-0x00000000021F0000-0x0000000002233000-memory.dmp   formbook
  behavioral2/memory/2916-8-0x0000000000400000-0x0000000000443000-memory.dmp   formbook
  behavioral2/memory/2916-10-0x00000000032A0000-0x00000000032CE000-memory.dmp  formbook

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process   target process
  PID 3880 set thread context of 2916   3880  inz.exe   inz.exe

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1336  2916        WerFault.exe  inz.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  1336  WerFault.exe  (the same entry is recorded 14 times)

Suspicious behavior: MapViewOfSection (4 IoCs)
Processes:
  pid   process
  2604  inz.exe
  2536  inz.exe
  2800  inz.exe
  3880  inz.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  1336  WerFault.exe
  Token: SeBackupPrivilege   1336  WerFault.exe
  Token: SeDebugPrivilege    1336  WerFault.exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  description                        pid   process   target process
  PID 2604 wrote to memory of 3268   2604  inz.exe   inz.exe
  PID 2604 wrote to memory of 3268   2604  inz.exe   inz.exe
  PID 2604 wrote to memory of 3268   2604  inz.exe   inz.exe
  PID 2604 wrote to memory of 2536   2604  inz.exe   inz.exe
  PID 2604 wrote to memory of 2536   2604  inz.exe   inz.exe
  PID 2604 wrote to memory of 2536   2604  inz.exe   inz.exe
  PID 2536 wrote to memory of 2740   2536  inz.exe   inz.exe
  PID 2536 wrote to memory of 2740   2536  inz.exe   inz.exe
  PID 2536 wrote to memory of 2740   2536  inz.exe   inz.exe
  PID 2536 wrote to memory of 2800   2536  inz.exe   inz.exe
  PID 2536 wrote to memory of 2800   2536  inz.exe   inz.exe
  PID 2536 wrote to memory of 2800   2536  inz.exe   inz.exe
  PID 2800 wrote to memory of 2960   2800  inz.exe   inz.exe
  PID 2800 wrote to memory of 2960   2800  inz.exe   inz.exe
  PID 2800 wrote to memory of 2960   2800  inz.exe   inz.exe
  PID 2800 wrote to memory of 3880   2800  inz.exe   inz.exe
  PID 2800 wrote to memory of 3880   2800  inz.exe   inz.exe
  PID 2800 wrote to memory of 3880   2800  inz.exe   inz.exe
  PID 3880 wrote to memory of 2916   3880  inz.exe   inz.exe
  PID 3880 wrote to memory of 2916   3880  inz.exe   inz.exe
  PID 3880 wrote to memory of 2916   3880  inz.exe   inz.exe
  PID 3880 wrote to memory of 2916   3880  inz.exe   inz.exe
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\inz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\inz.exe"
  PID: 2604
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\inz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\inz.exe"
    PID: 3268

  C:\Users\Admin\AppData\Local\Temp\inz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\inz.exe"
    PID: 2536
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\inz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\inz.exe"
      PID: 2740

    C:\Users\Admin\AppData\Local\Temp\inz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\inz.exe"
      PID: 2800
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\inz.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\inz.exe"
        PID: 2960

      C:\Users\Admin\AppData\Local\Temp\inz.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\inz.exe"
        PID: 3880
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\inz.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\inz.exe"
          PID: 2916

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 880
            PID: 1336
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken