Analysis
- Max time kernel: 150s
- Max time network: 152s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 13-01-2021 07:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: SCAN_20210113140930669.exe
- Resource: win7v20201028
General
- Target: SCAN_20210113140930669.exe
- Size: 1.0MB
- MD5: 5f7d0bc54b8cfbfca3057aeddb3c0909
- SHA1: a426832c6b424a035cfb30f9d4ba07cd45dc5ce1
- SHA256: 2120a958805532d53821fb90eaaa140d8a6461f667b392e352311ff896465f46
- SHA512: 74977c2c7ac0793912dbc073cb7dc6184d42cab8d93e595abe673c65402b439e0adbaf2e82686dd11da79e4b6dc6d75e94a2745fe7c2e8fd1f2fd55de5b9082b
Malware Config
- Extracted family: formbook
Signatures
- Formbook Payload (3 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3484-14-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral2/memory/3484-15-0x000000000041EB30-mapping.dmp                    formbook
  behavioral2/memory/3096-16-0x0000000000000000-mapping.dmp                    formbook
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description                          pid   process                     target process
  PID 3564 set thread context of 3484  3564  SCAN_20210113140930669.exe  SCAN_20210113140930669.exe
  PID 3484 set thread context of 3020  3484  SCAN_20210113140930669.exe  Explorer.EXE
  PID 3096 set thread context of 3020  3096  wlanext.exe                 Explorer.EXE
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (41 IoCs)
  Processes (identical rows collapsed, count in the last column):
  pid   process                     entries
  3564  SCAN_20210113140930669.exe  1
  3484  SCAN_20210113140930669.exe  4
  3096  wlanext.exe                 36
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (identical rows collapsed, count in the last column):
  pid   process                     entries
  3484  SCAN_20210113140930669.exe  3
  3096  wlanext.exe                 2
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  3564  SCAN_20210113140930669.exe
  Token: SeDebugPrivilege  3484  SCAN_20210113140930669.exe
  Token: SeDebugPrivilege  3096  wlanext.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes:
  pid   process
  3020  Explorer.EXE
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (identical rows collapsed, count in the last column):
  description                       pid   process                     target process              entries
  PID 3564 wrote to memory of 3228  3564  SCAN_20210113140930669.exe  schtasks.exe                3
  PID 3564 wrote to memory of 3484  3564  SCAN_20210113140930669.exe  SCAN_20210113140930669.exe  6
  PID 3020 wrote to memory of 3096  3020  Explorer.EXE                wlanext.exe                 3
  PID 3096 wrote to memory of 3248  3096  wlanext.exe                 cmd.exe                     3
Processes (number gives the depth in the process tree)
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fqJdWysg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA42.tmp"
         - Creates scheduled task(s)
      3. C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\wlanext.exe
      Command line: "C:\Windows\SysWOW64\wlanext.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA42.tmp
  MD5: a62b99ea51031c1a9316b07cffda6812
  SHA1: f6a9e5632e9f43028802bb0ab8e508c70ba0924a
  SHA256: a7c0d75bf79e277af9c721d221c6ebefc5ec188620461a1c452f81ba008d31e8
  SHA512: d26cdf34e243d21416c126fff8e17572882ba9cd64d7307c1c042f7bf30931c9a329ffa24037b917213395513a88267cb23256e33caa6a5a0c14b3550ad4fe2d
- memory/3096-20-0x00000000011C0000-0x000000000126E000-memory.dmp (Filesize 696KB)
- memory/3096-18-0x0000000001350000-0x0000000001367000-memory.dmp (Filesize 92KB)
- memory/3096-17-0x0000000001350000-0x0000000001367000-memory.dmp (Filesize 92KB)
- memory/3096-16-0x0000000000000000-mapping.dmp
- memory/3228-12-0x0000000000000000-mapping.dmp
- memory/3248-19-0x0000000000000000-mapping.dmp
- memory/3484-15-0x000000000041EB30-mapping.dmp
- memory/3484-14-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
- memory/3564-7-0x0000000005150000-0x0000000005151000-memory.dmp (Filesize 4KB)
- memory/3564-11-0x0000000005EA0000-0x0000000005F0B000-memory.dmp (Filesize 428KB)
- memory/3564-10-0x00000000050E0000-0x00000000050F2000-memory.dmp (Filesize 72KB)
- memory/3564-9-0x00000000052B0000-0x00000000052B1000-memory.dmp (Filesize 4KB)
- memory/3564-8-0x0000000005090000-0x0000000005091000-memory.dmp (Filesize 4KB)
- memory/3564-2-0x0000000073920000-0x000000007400E000-memory.dmp (Filesize 6.9MB)
- memory/3564-6-0x00000000055B0000-0x00000000055B1000-memory.dmp (Filesize 4KB)
- memory/3564-5-0x0000000004FD0000-0x0000000004FD1000-memory.dmp (Filesize 4KB)
- memory/3564-3-0x00000000006E0000-0x00000000006E1000-memory.dmp (Filesize 4KB)