Analysis
max time kernel: 118s
max time network: 131s
platform: windows7_x64
resource: win7v20201028
submitted: 19-01-2021 17:55
Static task: static1
Behavioral task: behavioral1
Sample: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Resource: win7v20201028
General
Target: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Size: 84KB
MD5: 5525bb8a978d3ac15812c8d8ca9b8a57
SHA1: dcb9549ff9c290e056f83639ad546b03206a0806
SHA256: 21f49ea6e105c22882a9fb0065803deee18eddb76767a30ddade2e2725eb65d9
SHA512: 0e5504ee2fc22ce87c1cac663e0c4cd76227025da20c2903d63ddafc0fc8a270d56a90b89c31d8ee448a61f881ace27037beb623f4409b9d1020a6b2a0a9f35b
Malware Config
Extracted family: formbook
http://www.greatamericapolling.com/71m/
Signatures
Formbook Payload 1 IoCs
resource: behavioral1/memory/1096-10-0x0000000000401000-0x0000000000541000-memory.dmp, yara_rule: formbook
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: pid 2044 IRS_Covid-19_Relief_Payment_Notice_pdf.exe; pid 1096 IRS_Covid-19_Relief_Payment_Notice_pdf.exe; pid 1096 IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: PID 2044 set thread context of 1096 (IRS_Covid-19_Relief_Payment_Notice_pdf.exe -> IRS_Covid-19_Relief_Payment_Notice_pdf.exe)
Modifies system certificate store
Processes: IRS_Covid-19_Relief_Payment_Notice_pdf.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349; Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob (two entries; certificate blob data omitted)
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: pid 1096 IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: pid 2044 IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: pid 2044 IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Suspicious use of WriteProcessMemory 5 IoCs
Processes: PID 2044 wrote to memory of 1096 (IRS_Covid-19_Relief_Payment_Notice_pdf.exe -> IRS_Covid-19_Relief_Payment_Notice_pdf.exe), 5 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\IRS_Covid-19_Relief_Payment_Notice_pdf.exe "C:\Users\Admin\AppData\Local\Temp\IRS_Covid-19_Relief_Payment_Notice_pdf.exe"
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\IRS_Covid-19_Relief_Payment_Notice_pdf.exe "C:\Users\Admin\AppData\Local\Temp\IRS_Covid-19_Relief_Payment_Notice_pdf.exe" (child of 1)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/576-9-0x000007FEF6510000-0x000007FEF678A000-memory.dmp (Filesize 2.5MB)
memory/1096-6-0x0000000000401498-mapping.dmp
memory/1096-7-0x00000000001B0000-0x00000000002B0000-memory.dmp (Filesize 1024KB)
memory/1096-10-0x0000000000401000-0x0000000000541000-memory.dmp (Filesize 1.2MB)
memory/1096-11-0x000000001E9B0000-0x000000001ECB3000-memory.dmp (Filesize 3.0MB)
memory/2044-4-0x0000000000280000-0x000000000028E000-memory.dmp (Filesize 56KB)
memory/2044-5-0x0000000075251000-0x0000000075253000-memory.dmp (Filesize 8KB)