Analysis
-
max time kernel
148s -
max time network
130s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-01-2021 20:13
Static task
static1
Behavioral task
behavioral1
Sample
Inv.exe
Resource
win7v20201028
General
-
Target
Inv.exe
-
Size
326KB
-
MD5
a3aba7d40da6c8c86e4e8d035803f314
-
SHA1
469b36f05939d6ec6457f1b72ba9f6c7a960be06
-
SHA256
1f94eb81e3cde4f677fd210e1ff7f5d06987cbdc2fa7de79e28b224e49244b40
-
SHA512
2cfa59a865a8292b98fb3e8e6ae79a4613d773be87c927ba4cc8e0f034010c0e5ebd0b85a74ca02ef59d47335908bcc610a597bc9cbfbfaaf364d76f51fff2fc
Malware Config
Extracted
formbook
http://www.nationshiphop.com/hko6/
apartmentsineverettwa.com
forritcu.net
hotroodes.com
skinnerttc.com
royaltrustmyanmar.com
adreslog.com
kaysbridalboutiques.com
multitask-improvements.com
geniiforum.com
smarthomehatinh.asia
banglikeaboss.com
javlover.club
affiliateclubindia.com
mycapecoralhomevalue.com
comparamuebles.online
newrochellenissan.com
nairobi-paris.com
fwk.xyz
downdepot.com
nextgenmemorabilia.com
achonabu.com
stevebana.xyz
jacmkt.com
weownthenight187.com
divshop.pro
wewearceylon.com
skyreadymix.net
jaffacorner.com
bakerlibra.icu
femalecoliving.com
best20banks.com
millcityloam.com
signature-office.com
qlifepharmacy.com
dextermind.net
fittcycleacademy.com
davidoff.sucks
1033393.com
tutorsboulder.com
bonicc.com
goodberryjuice.com
zhaowulu.com
teryaq.media
a-zsolutionsllc.com
bitcoincandy.xyz
cfmfair.com
annefontain.com
princesssexyluxwear.com
prodigybrushes.com
zzhqp.com
hwcailing.com
translatiions.com
azery.site
wy1917.com
ringohouse.info
chartershome.com
thongtinhay.net
2201virginiacondo5.com
laurieryork.net
mujeresnegociantes.com
anchoriaswimwear.com
michaelsala.com
esdeportebici.com
ninjitsoo.com
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/824-2-0x0000000000400000-0x000000000042E000-memory.dmp formbook behavioral2/memory/824-3-0x000000000041ECF0-mapping.dmp formbook behavioral2/memory/3200-5-0x0000000000000000-mapping.dmp formbook -
Suspicious use of SetThreadContext 4 IoCs
Processes:
Inv.exeInv.exeraserver.exedescription pid process target process PID 4804 set thread context of 824 4804 Inv.exe Inv.exe PID 824 set thread context of 3152 824 Inv.exe Explorer.EXE PID 824 set thread context of 3152 824 Inv.exe Explorer.EXE PID 3200 set thread context of 3152 3200 raserver.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
Inv.exeraserver.exepid process 824 Inv.exe 824 Inv.exe 824 Inv.exe 824 Inv.exe 824 Inv.exe 824 Inv.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe 3200 raserver.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
Inv.exeInv.exeraserver.exepid process 4804 Inv.exe 824 Inv.exe 824 Inv.exe 824 Inv.exe 824 Inv.exe 3200 raserver.exe 3200 raserver.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Inv.exeraserver.exedescription pid process Token: SeDebugPrivilege 824 Inv.exe Token: SeDebugPrivilege 3200 raserver.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3152 Explorer.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
Inv.exeInv.exeraserver.exedescription pid process target process PID 4804 wrote to memory of 824 4804 Inv.exe Inv.exe PID 4804 wrote to memory of 824 4804 Inv.exe Inv.exe PID 4804 wrote to memory of 824 4804 Inv.exe Inv.exe PID 4804 wrote to memory of 824 4804 Inv.exe Inv.exe PID 824 wrote to memory of 3200 824 Inv.exe raserver.exe PID 824 wrote to memory of 3200 824 Inv.exe raserver.exe PID 824 wrote to memory of 3200 824 Inv.exe raserver.exe PID 3200 wrote to memory of 452 3200 raserver.exe cmd.exe PID 3200 wrote to memory of 452 3200 raserver.exe cmd.exe PID 3200 wrote to memory of 452 3200 raserver.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Inv.exe"C:\Users\Admin\AppData\Local\Temp\Inv.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Inv.exe"C:\Users\Admin\AppData\Local\Temp\Inv.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Inv.exe"5⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/452-8-0x0000000000000000-mapping.dmp
-
memory/824-2-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/824-3-0x000000000041ECF0-mapping.dmp
-
memory/3200-6-0x0000000001150000-0x000000000116F000-memory.dmpFilesize
124KB
-
memory/3200-5-0x0000000000000000-mapping.dmp
-
memory/3200-7-0x0000000001150000-0x000000000116F000-memory.dmpFilesize
124KB
-
memory/3200-9-0x0000000005660000-0x00000000057ED000-memory.dmpFilesize
1.6MB