Analysis
- max time kernel: 150s
- max time network: 92s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 08:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: mTF1eRdnr0OV8c4.exe
- Resource: win7v20201028
General
- Target: mTF1eRdnr0OV8c4.exe
- Size: 863KB
- MD5: 109a86a9bff8c2bed48d2538fc38f45a
- SHA1: 8ecb82a010603806273c4c76d374cf53c622c0ed
- SHA256: bae8d59b05bc0896419e973105103ada842908c24340e88e7444b7c640664b83
- SHA512: 1eef1d45689f8080cc9d8a2ebc19aefabe0e52ac6bf9653522e4116d9eff19047b5032a205fd78867a710f18842e0befe141044f0b1194df9ce84144ce626b0c
Malware Config
Extracted: formbook
http://www.badstar.net/tmz/
easywebplacenetlaramie.com
kushions.today
wallsbilplat.com
csgetdegrees.com
wujuenong.net
bhsentertainmentnews.com
worpar.com
ivappsglobal.com
talktogiamfoods.com
nagoyasteakandsushi.com
blockchaininfo.site
unitylinkonlie.com
sofiavoz.com
livesportsite.com
wishesandmessages.com
diningroomspaintcolorsideas.com
landnlushscents.com
metrosdahospitals.com
coast2coastrent.com
turkhristiyanbirligi.com
bootyindex.com
techinvestor.net
monitribe.com
eternallyremember.com
hsedorganics.com
cyberxyno.com
sorbo-balance.xyz
zhtthb.com
threeseedsjewelry.com
h678ui.com
paginaswebpro.com
coffreauxtissus.com
geraloheseuine.com
jvspin-casino.net
nabis27.com
artismart.com
pinewoodshop.site
littlestickdesigns.com
wvvvo.com
billiards-elite.net
mossbergenterprises.com
pdfbookplanet.com
hangerb2b.com
freisaq.com
asnomayritys.com
tbluedotlivewdmall.com
gaberivescorbett.com
innertwinearts.com
furniturevision.com
belle.productions
jabaki.com
shopcryptocurrency247.com
citestaccnt1597752045.com
eni-corp.com
shopkingbodhi.com
voques-tfr.xyz
zhxtt.space
webspicebd.com
outletinmuebles.com
mymoneyoil.com
slingshotct.com
mmcllcbiz.com
petrawie.com
misuperblog.com
Signatures

Formbook Payload (3 IoCs)
Processes (resource | yara_rule):
- behavioral1/memory/1212-7-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
- behavioral1/memory/1212-8-0x000000000041EB70-mapping.dmp | formbook
- behavioral1/memory/1020-9-0x0000000000000000-mapping.dmp | formbook
Deletes itself (1 IoC)
Processes (pid | process):
- 576 | cmd.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid | process | target process):
- PID 1080 set thread context of 1212 | 1080 | mTF1eRdnr0OV8c4.exe | mTF1eRdnr0OV8c4.exe
- PID 1212 set thread context of 1256 | 1212 | mTF1eRdnr0OV8c4.exe | Explorer.EXE
- PID 1020 set thread context of 1256 | 1020 | wuapp.exe | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes (pid | process; repeated rows collapsed with their count):
- 1080 | mTF1eRdnr0OV8c4.exe (2 rows)
- 1212 | mTF1eRdnr0OV8c4.exe (2 rows)
- 1020 | wuapp.exe (21 rows)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid | process; repeated rows collapsed with their count):
- 1212 | mTF1eRdnr0OV8c4.exe (3 rows)
- 1020 | wuapp.exe (2 rows)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1080 | mTF1eRdnr0OV8c4.exe
- Token: SeDebugPrivilege | 1212 | mTF1eRdnr0OV8c4.exe
- Token: SeDebugPrivilege | 1020 | wuapp.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes (pid | process; repeated rows collapsed with their count):
- 1256 | Explorer.EXE (4 rows)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes (pid | process; repeated rows collapsed with their count):
- 1256 | Explorer.EXE (4 rows)
Suspicious use of WriteProcessMemory (22 IoCs)
Processes (description | pid | process | target process; repeated rows collapsed with their count):
- PID 1080 wrote to memory of 1748 | 1080 | mTF1eRdnr0OV8c4.exe | mTF1eRdnr0OV8c4.exe (4 rows)
- PID 1080 wrote to memory of 1212 | 1080 | mTF1eRdnr0OV8c4.exe | mTF1eRdnr0OV8c4.exe (7 rows)
- PID 1256 wrote to memory of 1020 | 1256 | Explorer.EXE | wuapp.exe (7 rows)
- PID 1020 wrote to memory of 576 | 1020 | wuapp.exe | cmd.exe (4 rows)
Processes (process tree; indentation shows parent/child, level number as reported)
- C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\mTF1eRdnr0OV8c4.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\mTF1eRdnr0OV8c4.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mTF1eRdnr0OV8c4.exe (level 3)
      Command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\mTF1eRdnr0OV8c4.exe (level 3)
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wuapp.exe (level 2)
    Command line: "C:\Windows\SysWOW64\wuapp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\mTF1eRdnr0OV8c4.exe"
      - Deletes itself
Downloads
- memory/576-11-0x0000000000000000-mapping.dmp
- memory/1020-9-0x0000000000000000-mapping.dmp
- memory/1020-10-0x0000000001130000-0x000000000113B000-memory.dmp (filesize 44KB)
- memory/1020-12-0x0000000003110000-0x0000000003286000-memory.dmp (filesize 1.5MB)
- memory/1080-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp (filesize 6.9MB)
- memory/1080-3-0x0000000000D30000-0x0000000000D31000-memory.dmp (filesize 4KB)
- memory/1080-5-0x0000000000310000-0x000000000031E000-memory.dmp (filesize 56KB)
- memory/1080-6-0x00000000051A0000-0x0000000005230000-memory.dmp (filesize 576KB)
- memory/1212-7-0x0000000000400000-0x000000000042E000-memory.dmp (filesize 184KB)
- memory/1212-8-0x000000000041EB70-mapping.dmp