Analysis
- max time kernel: 151s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-01-2021 09:07

Static task: static1
Behavioral task: behavioral1
Sample: inv.exe
Resource: win7v20201028

General
- Target: inv.exe
- Size: 343KB
- MD5: 59ca7615f52a57b4d4528956889491ca
- SHA1: 790ffd88a22f28df64c491e9fef87d50ceb9bfb7
- SHA256: bfa63841a36301ed60a4a0c177ad229a1b09266034182b7c8695fa5d7324f0b4
- SHA512: 6564a9edcc216bfde643e24604cb2f536ea997bf902d933c40760ff834decb990f2f70f968484a27619551e4e493adcf867f0a19c1806a8142845692102f95fd
Malware Config
- Extracted: formbook
Signatures

- Formbook Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3476-3-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral2/memory/3824-11-0x0000000002DB0000-0x0000000002DDE000-memory.dmp | formbook

- Suspicious use of SetThreadContext (3 IoCs)
  Processes: inv.exe, inv.exe, mstsc.exe
  description | pid | process | target process
  PID 4760 set thread context of 3476 | 4760 | inv.exe | inv.exe
  PID 3476 set thread context of 2640 | 3476 | inv.exe | Explorer.EXE
  PID 3824 set thread context of 2640 | 3824 | mstsc.exe | Explorer.EXE

- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes: inv.exe, mstsc.exe
  pid | process
  3476 | inv.exe (4 entries)
  3824 | mstsc.exe (remaining 58 of the 62 entries)

- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes: inv.exe, inv.exe, mstsc.exe
  pid | process
  4760 | inv.exe (1 entry)
  3476 | inv.exe (3 entries)
  3824 | mstsc.exe (2 entries)

- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  Processes: inv.exe, Explorer.EXE, mstsc.exe
  description | pid | process
  Token: SeDebugPrivilege | 3476 | inv.exe
  Token: SeShutdownPrivilege | 2640 | Explorer.EXE (10 entries)
  Token: SeCreatePagefilePrivilege | 2640 | Explorer.EXE (10 entries)
  Token: SeDebugPrivilege | 3824 | mstsc.exe

- Suspicious use of UnmapMainImage (1 IoC)
  Processes: Explorer.EXE
  pid | process
  2640 | Explorer.EXE

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: inv.exe, Explorer.EXE, mstsc.exe
  description | pid | process | target process
  PID 4760 wrote to memory of 3476 | 4760 | inv.exe | inv.exe (4 entries)
  PID 2640 wrote to memory of 3824 | 2640 | Explorer.EXE | mstsc.exe (3 entries)
  PID 3824 wrote to memory of 3384 | 3824 | mstsc.exe | cmd.exe (3 entries)
Processes

- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\inv.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\inv.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Local\Temp\inv.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\inv.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\SysWOW64\mstsc.exe
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\inv.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/2640-7-0x0000000002530000-0x000000000262E000-memory.dmp (Filesize: 1016KB)
- memory/2640-14-0x0000000004B10000-0x0000000004BFC000-memory.dmp (Filesize: 944KB)
- memory/3384-9-0x0000000000000000-mapping.dmp
- memory/3476-2-0x000000000041ECF0-mapping.dmp
- memory/3476-3-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/3476-4-0x00000000017B0000-0x0000000001AD0000-memory.dmp (Filesize: 3.1MB)
- memory/3476-6-0x0000000001360000-0x0000000001374000-memory.dmp (Filesize: 80KB)
- memory/3824-8-0x0000000000000000-mapping.dmp
- memory/3824-10-0x00000000000D0000-0x00000000003CC000-memory.dmp (Filesize: 3.0MB)
- memory/3824-11-0x0000000002DB0000-0x0000000002DDE000-memory.dmp (Filesize: 184KB)
- memory/3824-12-0x0000000004720000-0x0000000004A40000-memory.dmp (Filesize: 3.1MB)
- memory/3824-13-0x0000000004620000-0x00000000046B3000-memory.dmp (Filesize: 588KB)