Analysis
-
max time kernel
149s -
max time network
84s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
12-01-2021 11:05
General
-
Target
DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
-
Size
1.1MB
-
MD5
eb2002937cb72b457e35ce221ebf299e
-
SHA1
be5027e99c4f251652b533e768167ee5a40fc7e2
-
SHA256
e4141a1f1d7e56f4196a1cea4d0804d0206d858e452012fd36e5d1c0eac81c3d
-
SHA512
850e03147c2ea65119eff125dd4e6e5dc002721f22e3bcccacb1ad54661235a5244b86c2cc59e25737f81ba221a53411f025235376a22620373f4def8bc4e272
Malware Config
Extracted
formbook
http://www.believe.academy/me2z/
rampdauto.com
noriharte.com
harborfreightcreditcard.com
tktspyhwz.icu
cagehosting.com
hgfte.club
fullnessspa.com
link-repair.com
rrjyds.com
edevletdestekcardmerkez.com
sprayingmachines.com
janerowenlester.com
velocityworkflow.com
kcrm.computer
kjbubeng.com
virtualhockeyconference.com
trugrits.com
creativesociallight.com
dnaswabtesting.com
willpool.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 3 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe"C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ndyNgiAFxyaGRA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF90E.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe"C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpF90E.tmpMD5
3dcd026944d9020781af6e07a8ca0896
SHA1b8c2aa842787beaa0f13f7900e9179c9c70bfdbf
SHA2567e432db90d54ac2567166dc038ee7bc2815883d688f7a5ef1d873aa66b88f353
SHA5124eace6907785f8a51642849dd0b692a679a7cd2a8ad4589d3c2be3c3b54c750fe2f3e063a6f1848a13ef0037267b0c9f790bce7b414163cfc3dffa9f2bb10f3d
-
memory/760-15-0x00000000053F0000-0x000000000552D000-memory.dmpFilesize
1.2MB
-
memory/760-13-0x00000000009A0000-0x00000000009BB000-memory.dmpFilesize
108KB
-
memory/760-12-0x0000000000000000-mapping.dmp
-
memory/1080-7-0x0000000000000000-mapping.dmp
-
memory/1268-11-0x0000000005F70000-0x0000000006063000-memory.dmpFilesize
972KB
-
memory/1472-9-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1472-10-0x000000000041D090-mapping.dmp
-
memory/1480-14-0x0000000000000000-mapping.dmp
-
memory/1744-2-0x00000000741A0000-0x000000007488E000-memory.dmpFilesize
6.9MB
-
memory/1744-6-0x00000000051A0000-0x0000000005208000-memory.dmpFilesize
416KB
-
memory/1744-5-0x00000000004E0000-0x00000000004F2000-memory.dmpFilesize
72KB
-
memory/1744-3-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB