Analysis
max time kernel: 147s
max time network: 134s
platform: windows10_x64
resource: win10v20201028
submitted: 19-01-2021 07:55
Static task: static1
Behavioral task: behavioral1
Sample: Details for bookings.exe
Resource: win7v20201028
General
Target: Details for bookings.exe
Size: 999KB
MD5: a25a89b6290bd06ba2bd66ef1ff7b4d1
SHA1: 5596b820a3ce13c56473185ad4f67079c4ac3f8d
SHA256: 39872cee88d7cf4d0f0cc42d09348b6fea960a62861fab210bf257c4e6bc3a36
SHA512: 6a88385d5d653ee01e6251b944de4da855fac18054ede73e8bdae8a30ac832d3a83b8c7ed8bd7c2cf04b855ea9d3fb9032d7560bc25f6d6947ca921b2a8d96a4
Malware Config
Extracted
formbook
Signatures
Formbook Payload (3 IoCs)
Processes:
resource | yara_rule
- behavioral2/memory/528-13-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
- behavioral2/memory/528-14-0x000000000041ECC0-mapping.dmp | formbook
- behavioral2/memory/1012-21-0x00000000009A0000-0x00000000009CE000-memory.dmp | formbook
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
- PID 4776 set thread context of 528 | 4776 | Details for bookings.exe | Details for bookings.exe
- PID 528 set thread context of 3012 | 528 | Details for bookings.exe | Explorer.EXE
- PID 1012 set thread context of 3012 | 1012 | rundll32.exe | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (41 IoCs)
Processes:
pid | process
- 4776 | Details for bookings.exe
- 528 | Details for bookings.exe (4 entries)
- 1012 | rundll32.exe (all remaining entries repeat this pid/process pair)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
pid | process
- 528 | Details for bookings.exe (3 entries)
- 1012 | rundll32.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
description | pid | process
- Token: SeDebugPrivilege | 4776 | Details for bookings.exe
- Token: SeDebugPrivilege | 528 | Details for bookings.exe
- Token: SeShutdownPrivilege | 3012 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3012 | Explorer.EXE
- Token: SeDebugPrivilege | 1012 | rundll32.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
- PID 4776 wrote to memory of 528 | 4776 | Details for bookings.exe | Details for bookings.exe (6 entries)
- PID 3012 wrote to memory of 1012 | 3012 | Explorer.EXE | rundll32.exe (3 entries)
- PID 1012 wrote to memory of 1080 | 1012 | rundll32.exe | cmd.exe (3 entries)
Processes
Process tree (depth in brackets, path followed by command line):
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"
[2] C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"
[2] C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"
[2] C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"
[2] C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\cmd.exe
    command line: /c del "C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe"
Downloads
Memory dumps (file size in parentheses where reported):
- memory/528-13-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/528-17-0x0000000001C70000-0x0000000001C84000-memory.dmp (80KB)
- memory/528-16-0x0000000001950000-0x0000000001C70000-memory.dmp (3.1MB)
- memory/528-14-0x000000000041ECC0-mapping.dmp
- memory/1012-19-0x0000000000000000-mapping.dmp
- memory/1012-24-0x0000000004DB0000-0x0000000004E43000-memory.dmp (588KB)
- memory/1012-23-0x0000000004A90000-0x0000000004DB0000-memory.dmp (3.1MB)
- memory/1012-21-0x00000000009A0000-0x00000000009CE000-memory.dmp (184KB)
- memory/1012-20-0x0000000000CD0000-0x0000000000CE3000-memory.dmp (76KB)
- memory/1080-22-0x0000000000000000-mapping.dmp
- memory/3012-18-0x00000000058F0000-0x0000000005A25000-memory.dmp (1.2MB)
- memory/3012-25-0x00000000057D0000-0x00000000058DB000-memory.dmp (1.0MB)
- memory/4776-12-0x00000000060C0000-0x0000000006126000-memory.dmp (408KB)
- memory/4776-3-0x0000000000B00000-0x0000000000B01000-memory.dmp (4KB)
- memory/4776-5-0x00000000054B0000-0x00000000054B1000-memory.dmp (4KB)
- memory/4776-2-0x0000000073150000-0x000000007383E000-memory.dmp (6.9MB)
- memory/4776-6-0x0000000005A50000-0x0000000005A51000-memory.dmp (4KB)
- memory/4776-7-0x0000000005550000-0x0000000005551000-memory.dmp (4KB)
- memory/4776-8-0x0000000005610000-0x0000000005611000-memory.dmp (4KB)
- memory/4776-11-0x0000000005730000-0x0000000005731000-memory.dmp (4KB)
- memory/4776-10-0x0000000005650000-0x0000000005673000-memory.dmp (140KB)
- memory/4776-9-0x00000000056B0000-0x00000000056B1000-memory.dmp (4KB)