Analysis
- max time kernel: 59s
- max time network: 36s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 19:50
- Static task: static1
- Behavioral task: behavioral1
  - Sample: deed11e2b4b23dbe0c9ef99b5390bd6f.exe
  - Resource: win7v20201028
General
- Target: deed11e2b4b23dbe0c9ef99b5390bd6f.exe
- Size: 708KB
- MD5: deed11e2b4b23dbe0c9ef99b5390bd6f
- SHA1: 158662003b5e63c1419267d5e8b0d4ce79e72081
- SHA256: 326090842ee6d692e02ae131a2003658939f60e79bceb7bad983cfe16400062f
- SHA512: 380a473f9e6ce25e5e68ac15794d1bcbe125a887067a48c258abb625b96080d90fad32cb860043af4b32d4d8afc84365726e4a861ec03976a6bec7651d3e0380
Malware Config
- Extracted family: formbook
- Extracted URL: http://www.thesiromiel.com/kgw/
Signatures
- Formbook Payload (2 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/332-7-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
  - behavioral1/memory/332-8-0x000000000041EB70-mapping.dmp: formbook
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (deed11e2b4b23dbe0c9ef99b5390bd6f.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (deed11e2b4b23dbe0c9ef99b5390bd6f.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (deed11e2b4b23dbe0c9ef99b5390bd6f.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (deed11e2b4b23dbe0c9ef99b5390bd6f.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 1204 set thread context of 332: deed11e2b4b23dbe0c9ef99b5390bd6f.exe -> deed11e2b4b23dbe0c9ef99b5390bd6f.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 1204: deed11e2b4b23dbe0c9ef99b5390bd6f.exe
  - 332: deed11e2b4b23dbe0c9ef99b5390bd6f.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, PID 1204, deed11e2b4b23dbe0c9ef99b5390bd6f.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  - PID 1204 wrote to memory of 332: deed11e2b4b23dbe0c9ef99b5390bd6f.exe -> deed11e2b4b23dbe0c9ef99b5390bd6f.exe (7 identical events)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\deed11e2b4b23dbe0c9ef99b5390bd6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\deed11e2b4b23dbe0c9ef99b5390bd6f.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Depth 2: C:\Users\Admin\AppData\Local\Temp\deed11e2b4b23dbe0c9ef99b5390bd6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\deed11e2b4b23dbe0c9ef99b5390bd6f.exe"
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/332-7-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/332-8-0x000000000041EB70-mapping.dmp
- memory/1204-2-0x0000000073E00000-0x00000000744EE000-memory.dmp (Filesize: 6.9MB)
- memory/1204-3-0x0000000000AA0000-0x0000000000AA1000-memory.dmp (Filesize: 4KB)
- memory/1204-5-0x0000000000370000-0x0000000000382000-memory.dmp (Filesize: 72KB)
- memory/1204-6-0x00000000053E0000-0x000000000544F000-memory.dmp (Filesize: 444KB)