Analysis
- max time kernel: 147s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 20:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: ins.exe
- Resource: win7v20201028
General
- Target: ins.exe
- Size: 311KB
- MD5: 689ce116559e5aa27f5b8dcd91406e08
- SHA1: 6092abe31afd20dfaa023bba7d9c0e1c000236b3
- SHA256: de6f5b39f4129ed442da26837a296a2b2e9573af841cc7fc41a5a72d4c673de7
- SHA512: d315d45328a6e9b4af40600637f720a8b6df640253284e7f6860333d98b57062bec4c8dc88b195264b398b3e6808bd85ab128e3e6b7c18e99f25e545945a2606
Malware Config
- Extracted: formbook
Signatures
- Formbook Payload (3 IoCs)
  yara_rule "formbook" matched in:
  - behavioral2/memory/752-2-0x0000000000400000-0x000000000042E000-memory.dmp
  - behavioral2/memory/752-3-0x000000000041ECF0-mapping.dmp
  - behavioral2/memory/3188-6-0x0000000000000000-mapping.dmp
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 640 (ins.exe) set thread context of PID 752 (ins.exe)
  - PID 752 (ins.exe) set thread context of PID 3040 (Explorer.EXE)
  - PID 3188 (svchost.exe) set thread context of PID 3040 (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  - PID 752 (ins.exe): 4 events
  - PID 3188 (svchost.exe): 56 events
- Suspicious behavior: MapViewOfSection (6 IoCs)
  - PID 640 (ins.exe): 1 event
  - PID 752 (ins.exe): 3 events
  - PID 3188 (svchost.exe): 2 events
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  - PID 752 (ins.exe): Token: SeDebugPrivilege
  - PID 3188 (svchost.exe): Token: SeDebugPrivilege
  - PID 3040 (Explorer.EXE): Token: SeShutdownPrivilege (3 events)
  - PID 3040 (Explorer.EXE): Token: SeCreatePagefilePrivilege (3 events)
- Suspicious use of UnmapMainImage (1 IoC)
  - PID 3040 (Explorer.EXE)
- Suspicious use of WriteProcessMemory (10 IoCs)
  - PID 640 (ins.exe) wrote to memory of PID 752 (ins.exe): 4 events
  - PID 3040 (Explorer.EXE) wrote to memory of PID 3188 (svchost.exe): 3 events
  - PID 3188 (svchost.exe) wrote to memory of PID 2204 (cmd.exe): 3 events
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ins.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ins.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ins.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ins.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\ins.exe"
Downloads
- memory/752-2-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/752-3-0x000000000041ECF0-mapping.dmp
- memory/2204-9-0x0000000000000000-mapping.dmp
- memory/3188-6-0x0000000000000000-mapping.dmp
- memory/3188-7-0x0000000001170000-0x000000000117C000-memory.dmp (48KB)
- memory/3188-8-0x0000000001170000-0x000000000117C000-memory.dmp (48KB)
- memory/3188-10-0x0000000003E50000-0x0000000003F89000-memory.dmp (1.2MB)