Analysis

max time kernel: 151s
max time network: 149s
platform: windows10_x64
resource: win10v20201028
submitted: 12-01-2021 07:24

Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: SCAN_20210112140930669.exe, Resource: win7v20201028)

Note: the signature hits and memory dumps listed further down are labelled behavioral2 and come from the win10v20201028 run named in the header, not from the win7 task above.
General

Target: SCAN_20210112140930669.exe
Size: 837KB
MD5: 0d7f35bd5d0a8f5e0b52db592ab5509c
SHA1: 5300466a9a3ca11e3f90785ed8a13115e200def6
SHA256: f49e50532a7e5d312f8429c41e28848461651f671139a7590b64d9df029db998
SHA512: 978f2d13f77d724a780fe33a5740b1735d95b03dae0e6a273cbf1101d13c8e3c7981b219433975ff42db7f97488b1868aa990d660713f702568e411ffc9b00f3
Malware Config

Extracted family: formbook
C2: http://www.midnightblueinc.com/2kf/

Domains: the entries below are the decoy list Formbook carries next to its C2. The bot contacts decoys as well as the real C2 to muddy network analysis, and most decoys are ordinary legitimate sites, so treat only the C2 URL above as a blocking indicator and use the domain list for correlation, not for block lists.
edmondscakes.com
doublewldr.online
tickets2usa.com
heyhxry.com
weightloss-gulfport.com
prosselius.com
newviewroofers.com
jacksonarearealestate.com
catparkas.xyz
pagos2020.com
sonwsefjrahi.online
franchisethings.com
nuocvietngaynay.com
sohelvai.com
mikeyroush.com
lamesaroofing.com
betbigo138.com
amazon-service-recovery.com
clockin.net
riostrader.com
novergi.com
bounethone.online
unsaluted-muckworm.info
qmglg.com
trans-chna.com
bloom-cottage.info
espacioholista.com
vitrines72.com
vtnywveb.club
shelfdryrock.com
lowcountrykindermusik.com
brendolangiovanni.com
samilisback.com
coffeeofmyheart.com
moderndetailist.com
royalparkhotelandsuites.com
camsick.com
khoetuthiennhien.com
link-glue.com
zzirk.com
alyxthorne.com
tristateinsurancegroup.com
pdztwl.com
basecampmedics.com
orionbilisim.net
comaholic.com
sai-re.com
mimmodetullio.net
thevyvd.com
bookstorie.com
preparednessnow.net
lvtvmounting.com
anchondowedding.com
the-florida-accident-md.com
indyspirits.com
culture-of-safety.com
blue-003.com
federation-advens.com
junmedicare.com
qjnhilfhs.icu
chesed72.com
kingrvrentals.com
greenlightsuccesscoach.com
efrenjose.com
Signatures

Formbook Payload (3 IoCs)
resource                                                                     yara_rule
behavioral2/memory/2692-14-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
behavioral2/memory/2692-15-0x000000000041EB30-mapping.dmp                    formbook
behavioral2/memory/1304-16-0x0000000000000000-mapping.dmp                    formbook

Suspicious use of SetThreadContext (4 IoCs)
description          pid   process                      target pid  target process
set thread context   540   SCAN_20210112140930669.exe   2692        SCAN_20210112140930669.exe
set thread context   2692  SCAN_20210112140930669.exe   3016        Explorer.EXE
set thread context   2692  SCAN_20210112140930669.exe   3016        Explorer.EXE
set thread context   1304  rundll32.exe                 3016        Explorer.EXE

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (37 IoCs)
pid   process                      occurrences
540   SCAN_20210112140930669.exe   1
2692  SCAN_20210112140930669.exe   6
1304  rundll32.exe                 30

Suspicious behavior: MapViewOfSection (6 IoCs)
pid   process                      occurrences
2692  SCAN_20210112140930669.exe   4
1304  rundll32.exe                 2

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description                      pid   process
Token: SeDebugPrivilege          540   SCAN_20210112140930669.exe
Token: SeDebugPrivilege          2692  SCAN_20210112140930669.exe
Token: SeShutdownPrivilege       3016  Explorer.EXE
Token: SeCreatePagefilePrivilege 3016  Explorer.EXE
Token: SeDebugPrivilege          1304  rundll32.exe

Suspicious use of UnmapMainImage (1 IoCs)
pid   process
3016  Explorer.EXE

Suspicious use of WriteProcessMemory (15 IoCs)
description        pid   process                      target pid  target process   occurrences
wrote to memory    540   SCAN_20210112140930669.exe   1404        schtasks.exe     3
wrote to memory    540   SCAN_20210112140930669.exe   2692        SCAN_20210112140930669.exe  6
wrote to memory    3016  Explorer.EXE                 1304        rundll32.exe     3
wrote to memory    1304  rundll32.exe                 2192        cmd.exe          3
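The SetThreadContext and WriteProcessMemory rows above are more useful as a graph than as a table: the dropper (PID 540) writes into and re-contexts a second copy of itself (2692), that copy reaches into Explorer.EXE (3016), and Explorer then writes into a freshly started rundll32.exe (1304) which itself re-contexts Explorer. The script below is an added example, not part of the sandbox report: it transcribes those rows by hand as constructed input (repeated rows collapsed to one edge per API) and flags the three patterns a detection engineer cares about here, process hollowing, injection into Explorer, and the Explorer-to-system-binary relay. The PROTECTED_HOSTS set and the pattern names are assumptions of the example.

```python
"""Turn the report's SetThreadContext / WriteProcessMemory rows into an
injection graph and flag the patterns that matter for this sample:
process hollowing, injection into Explorer.EXE, and the relay through a
system binary spawned from the injected Explorer.

Added example, not part of the sandbox report. EVENTS is transcribed by
hand from the signature tables above (one tuple per distinct edge/API;
the report's repeated rows are collapsed). Names and sets are mine.
"""
from collections import defaultdict

# (api, source pid, source image, target pid, target image)
EVENTS = [
    ("WriteProcessMemory", 540, "SCAN_20210112140930669.exe", 1404, "schtasks.exe"),
    ("WriteProcessMemory", 540, "SCAN_20210112140930669.exe", 2692, "SCAN_20210112140930669.exe"),
    ("SetThreadContext", 540, "SCAN_20210112140930669.exe", 2692, "SCAN_20210112140930669.exe"),
    ("SetThreadContext", 2692, "SCAN_20210112140930669.exe", 3016, "Explorer.EXE"),
    ("WriteProcessMemory", 3016, "Explorer.EXE", 1304, "rundll32.exe"),
    ("SetThreadContext", 1304, "rundll32.exe", 3016, "Explorer.EXE"),
    ("WriteProcessMemory", 1304, "rundll32.exe", 2192, "cmd.exe"),
]

# Processes whose memory no ordinary user-mode program should be writing to or
# re-contexting. Explorer is the only one this report touches (assumption: extend
# the set for your own environment).
PROTECTED_HOSTS = {"explorer.exe"}


def build_graph(events):
    """Map each (src_pid, dst_pid) edge to the set of APIs used across it."""
    edges = defaultdict(set)
    names = {}
    for api, spid, simg, dpid, dimg in events:
        edges[(spid, dpid)].add(api)
        names[spid] = simg
        names[dpid] = dimg
    return edges, names


def find_hollowing(edges, names):
    """A parent both writes into and re-contexts a child running the same image
    name: the create-suspended / unmap / write / SetThreadContext / resume sequence."""
    return sorted(
        (s, d) for (s, d), apis in edges.items()
        if s != d
        and {"WriteProcessMemory", "SetThreadContext"} <= apis
        and names[s].lower() == names[d].lower()
    )


def find_protected_host_injection(edges, names):
    """Any edge whose target is a protected host (here Explorer.EXE)."""
    return sorted((s, d) for (s, d) in edges if names[d].lower() in PROTECTED_HOSTS)


def find_relay(edges, names):
    """An injected protected host writes into a fresh process, and that process
    then reaches back into the host: the two-hop relay seen in this report, which
    leaves the payload running inside a Windows binary rather than the dropper."""
    hits = []
    for (s, d), apis in edges.items():
        if names[s].lower() in PROTECTED_HOSTS and "WriteProcessMemory" in apis:
            if "SetThreadContext" in edges.get((d, s), set()):
                hits.append((s, d))
    return sorted(hits)


def triage(events):
    """Return the three findings keyed by pattern, with image names attached."""
    edges, names = build_graph(events)
    return {
        "hollowing": [(s, d, names[d]) for s, d in find_hollowing(edges, names)],
        "protected_host_injection": [
            (s, names[s], d) for s, d in find_protected_host_injection(edges, names)
        ],
        "relay": [(d, names[d]) for s, d in find_relay(edges, names)],
    }


if __name__ == "__main__":
    for pattern, hits in triage(EVENTS).items():
        print(f"{pattern}: {hits}")
```

Run against the transcribed rows, triage() reports hollowing of 540 into 2692, Explorer touched by both 2692 and 1304, and rundll32.exe (1304) as the relay process; the same three checks work unchanged on Sysmon-style cross-process events once they are mapped onto the (api, src, dst) tuple shape.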
Processes

C:\Windows\Explorer.EXE (PID 3016)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SCAN_20210112140930669.exe (PID 540)
    command line: "C:\Users\Admin\AppData\Local\Temp\SCAN_20210112140930669.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 1404)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TOYAehanY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B11.tmp"
      (the command line names System32 but the image resolved to SysWOW64: the caller is a 32-bit process, so file-system redirection applies)
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\SCAN_20210112140930669.exe (PID 2692)
      command line: "C:\Users\Admin\AppData\Local\Temp\SCAN_20210112140930669.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autochk.exe
    command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\rundll32.exe (PID 1304)
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2192)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\SCAN_20210112140930669.exe"

PIDs are taken from the signature tables (WriteProcessMemory parent-to-child rows); autochk.exe and rundll32.exe are children of Explorer.EXE, not of the dropper, which is why the self-delete of the dropper is issued by cmd.exe under rundll32.exe rather than by the sample itself.
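Two command lines in the tree carry the persistence and cleanup story: schtasks registering a task named under Updates\ from an XML file in %TEMP% with a .tmp extension, and cmd.exe deleting the original dropper after the payload has moved into rundll32.exe. The script below is an added example, not part of the sandbox report or any vendor's rule set: it transcribes those two command lines as constructed input and shows how a process-creation log consumer would pick them out. The switch parser, the temp-directory pattern and the rule wording are assumptions of the example.

```python
"""Triage the two command lines in the process tree above: the schtasks call
that registers persistence from a temp-directory XML, and the 'cmd /c del'
that removes the dropper once the payload is running elsewhere.

Added example, not part of the sandbox report. The command lines are
transcribed from the tree; the rules, names and patterns are mine.
"""
import ntpath
import re

# Transcribed from the process tree (PIDs 1404 and 2192).
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TOYAehanY" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5B11.tmp"')
DEL_CMD = r'/c del "C:\Users\Admin\AppData\Local\Temp\SCAN_20210112140930669.exe"'
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\SCAN_20210112140930669.exe"

# Assumption: the two temp locations worth flagging; add others for your estate.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments whole (the quotes themselves are dropped)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_switches(tokens):
    """Map /SWITCH -> following value, or True when the switch takes no value."""
    args = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[tok.upper()] = tokens[i + 1]
                i += 2
                continue
            args[tok.upper()] = True
        i += 1
    return args


def score_schtasks(cmdline):
    """Return the reasons a schtasks /Create call looks like loader persistence
    (empty list when it is not a /Create call or nothing matches)."""
    tokens = split_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() != "schtasks.exe":
        return []
    args = parse_switches(tokens[1:])
    if "/CREATE" not in args:
        return []
    reasons = []
    xml = args.get("/XML")
    if isinstance(xml, str):
        if TEMP_DIR.search(xml):
            reasons.append("task definition read from a temp directory")
        if xml.lower().endswith(".tmp"):
            reasons.append("task XML has a .tmp extension")
    name = args.get("/TN")
    if isinstance(name, str) and name.lower().startswith("updates\\"):
        reasons.append("task registered under the Updates\\ folder this sample uses")
    return reasons


def self_delete_target(cmdline):
    """If the line is 'cmd /c del <path>' (or erase), return the deleted path.
    Works whether or not the cmd.exe image name is present, since the sandbox
    records only the arguments for PID 2192."""
    tokens = split_cmdline(cmdline)
    low = [t.lower() for t in tokens]
    if "/c" not in low:
        return None
    i = low.index("/c")
    if i + 2 < len(tokens) and low[i + 1] in ("del", "erase"):
        return tokens[i + 2]
    return None


def dropper_removed(cmdline, dropper_path):
    """True when the self-delete targets the original sample path."""
    target = self_delete_target(cmdline)
    return target is not None and target.lower() == dropper_path.lower()


if __name__ == "__main__":
    print("schtasks:", score_schtasks(SCHTASKS_CMD))
    print("dropper deleted:", dropper_removed(DEL_CMD, DROPPER))
```

The deletion check deliberately keys on the deleted path rather than on the parent process: in this run the parent is rundll32.exe under Explorer, not the dropper, so a rule that only looks for "a process deleting its own image" would miss it. Correlate the path against recent process-creation events from %TEMP% instead.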
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5B11.tmp (the task definition passed to schtasks /XML)
MD5: 3951a19122ca11d41bfbafd0749e76bb
SHA1: cb8d290688e3c2ebd90bc5eaef5c1267029285c3
SHA256: dfed047e8505d0b25d1606217b9a898777381ccd0d1f9cf00ca79271a0fbc791
SHA512: 88675298aa03bcbfc5f3b8d5cb35d4bcc323849172b3fb3ef6b2ad14dfa2d78f9d5ab6390d0fcbcaa99e827dc806a6d76157f8c3ce2d50f126479809ceeff6fe

Memory dumps (name: pid-index-range; size where recorded)
memory/540-2-0x0000000073520000-0x0000000073C0E000-memory.dmp   6.9MB
memory/540-3-0x0000000000800000-0x0000000000801000-memory.dmp   4KB
memory/540-5-0x0000000005130000-0x0000000005131000-memory.dmp   4KB
memory/540-6-0x00000000056D0000-0x00000000056D1000-memory.dmp   4KB
memory/540-7-0x00000000051D0000-0x00000000051D1000-memory.dmp   4KB
memory/540-8-0x00000000050E0000-0x00000000050E1000-memory.dmp   4KB
memory/540-9-0x00000000053E0000-0x00000000053E1000-memory.dmp   4KB
memory/540-10-0x0000000005530000-0x0000000005542000-memory.dmp  72KB
memory/540-11-0x0000000005F40000-0x0000000005FAC000-memory.dmp  432KB
memory/1304-16-0x0000000000000000-mapping.dmp                    (formbook YARA hit)
memory/1304-17-0x00000000009C0000-0x00000000009D3000-memory.dmp  76KB
memory/1304-18-0x00000000009C0000-0x00000000009D3000-memory.dmp  76KB
memory/1404-12-0x0000000000000000-mapping.dmp
memory/2192-19-0x0000000000000000-mapping.dmp
memory/2692-14-0x0000000000400000-0x000000000042E000-memory.dmp  184KB (formbook YARA hit)
memory/2692-15-0x000000000041EB30-mapping.dmp                    (formbook YARA hit)

The 184KB region at 0x400000 in PID 2692 is the image base of the hollowed child and is the dump to pull for the unpacked Formbook payload; the 540-series dumps belong to the outer loader.