Analysis
- max time kernel: 148s
- max time network: 102s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 08:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO2364#FD21200.exe
- Resource: win7v20201028

General
- Target: PO2364#FD21200.exe
- Size: 962KB
- MD5: e8421cdad373cbd60667510c8cb5709d
- SHA1: ea4906ef27cd9672eafc7acffb6376c9842e9d3c
- SHA256: 89997eff59d390acca1d0b385aa4714417178afb9011ac5d07e290fac2ca51b9
- SHA512: a055ef641e73750a847ead59de41d3215ffa6f53a124744d09fd062b2efe260479e0f440915b52574fc37d2c16014db8bef08c35d03339713ffaefe6abf2101c
Malware Config
- Extracted family: formbook
- C2 URL: http://www.styrelseforum.com/p95n/
Signatures
- Formbook Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1352-5-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
  - behavioral1/memory/1352-6-0x000000000041EDF0-mapping.dmp: formbook
  - behavioral1/memory/1472-17-0x00000000000D0000-0x00000000000FE000-memory.dmp: formbook
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 1212 cmd.exe
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 1088 set thread context of 1352 | 1088 PO2364#FD21200.exe | PO2364#FD21200.exe
  - PID 1352 set thread context of 1236 | 1352 PO2364#FD21200.exe | Explorer.EXE (2 occurrences)
  - PID 1472 set thread context of 1236 | 1472 msdt.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes (pid / process):
  - 1088 PO2364#FD21200.exe (2 occurrences)
  - 1352 PO2364#FD21200.exe (3 occurrences)
  - 1472 msdt.exe (19 occurrences)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes (pid / process):
  - 1352 PO2364#FD21200.exe (4 occurrences)
  - 1472 msdt.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege | 1088 PO2364#FD21200.exe
  - Token: SeDebugPrivilege | 1352 PO2364#FD21200.exe
  - Token: SeDebugPrivilege | 1472 msdt.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid / process):
  - 1236 Explorer.EXE (4 occurrences)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid / process):
  - 1236 Explorer.EXE (4 occurrences)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description / pid / process / target process):
  - PID 1088 wrote to memory of 1320 | 1088 PO2364#FD21200.exe | PO2364#FD21200.exe (4 occurrences)
  - PID 1088 wrote to memory of 1352 | 1088 PO2364#FD21200.exe | PO2364#FD21200.exe (7 occurrences)
  - PID 1236 wrote to memory of 1472 | 1236 Explorer.EXE | msdt.exe (4 occurrences)
  - PID 1472 wrote to memory of 1212 | 1472 msdt.exe | cmd.exe (4 occurrences)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures:
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO2364#FD21200.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO2364#FD21200.exe"
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PO2364#FD21200.exe
      Command line: "{path}"
      Signatures: none
    - C:\Users\Admin\AppData\Local\Temp\PO2364#FD21200.exe
      Command line: "{path}"
      Signatures:
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\msdt.exe
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO2364#FD21200.exe"
      Signatures:
      - Deletes itself
Downloads
- memory/1088-3-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize: 4KB)
- memory/1088-4-0x0000000000151000-0x0000000000152000-memory.dmp (Filesize: 4KB)
- memory/1088-2-0x0000000075D61000-0x0000000075D63000-memory.dmp (Filesize: 8KB)
- memory/1212-15-0x0000000000000000-mapping.dmp
- memory/1236-10-0x0000000003BD0000-0x0000000003CA7000-memory.dmp (Filesize: 860KB)
- memory/1236-12-0x00000000061B0000-0x000000000631F000-memory.dmp (Filesize: 1.4MB)
- memory/1352-6-0x000000000041EDF0-mapping.dmp
- memory/1352-9-0x0000000000180000-0x0000000000194000-memory.dmp (Filesize: 80KB)
- memory/1352-8-0x0000000000B60000-0x0000000000E63000-memory.dmp (Filesize: 3.0MB)
- memory/1352-11-0x00000000001D0000-0x00000000001E4000-memory.dmp (Filesize: 80KB)
- memory/1352-5-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/1472-13-0x0000000000000000-mapping.dmp
- memory/1472-17-0x00000000000D0000-0x00000000000FE000-memory.dmp (Filesize: 184KB)
- memory/1472-18-0x0000000002220000-0x0000000002523000-memory.dmp (Filesize: 3.0MB)
- memory/1472-16-0x0000000000400000-0x00000000004F4000-memory.dmp (Filesize: 976KB)
- memory/1472-19-0x0000000002130000-0x00000000021C3000-memory.dmp (Filesize: 588KB)