Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-01-2021 12:55

Static task: static1
Behavioral task: behavioral1
- Sample: January RFQ..exe
- Resource: win7v20201028

General
- Target: January RFQ..exe
- Size: 1.5MB
- MD5: cc13b6f169803d95f021b0ae44ffe5cb
- SHA1: fbe82085f8df30bd7968c54afcd583bcb9bdc8dc
- SHA256: 99a42bd8c8cfb6b3b69162c2f3f657b3b3972dd353338ff17accb1c9afcd5892
- SHA512: df35b54a1833d848ba052fe6c389ad3e08ad3962f7d98f17858cf20afe92d499058f54efb7a7138f99b1abc9df9aecaa10bcbd18bb4112ad60eb093ad4caf1b0
Malware Config
Extracted
- Family: formbook
- C2: http://www.tokomw.com/wt8z/
Signatures
- Formbook Payload (3 IoCs)
  Resource / yara_rule:
  - behavioral2/memory/3084-13-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
  - behavioral2/memory/3084-14-0x000000000041ECB0-mapping.dmp: formbook
  - behavioral2/memory/3136-24-0x0000000000E30000-0x0000000000E5E000-memory.dmp: formbook
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (pid / process -> target process):
  - PID 3760 January RFQ..exe set thread context of PID 3084 January RFQ..exe
  - PID 3084 January RFQ..exe set thread context of PID 3020 Explorer.EXE
  - PID 3084 January RFQ..exe set thread context of PID 3020 Explorer.EXE
  - PID 3136 NETSTAT.EXE set thread context of PID 3020 Explorer.EXE
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes:
  - PID 3136 NETSTAT.EXE
- Suspicious behavior: EnumeratesProcesses (51 IoCs)
  Processes (pid / process, with number of hits):
  - PID 3760 January RFQ..exe (3 hits)
  - PID 3084 January RFQ..exe (6 hits)
  - PID 3136 NETSTAT.EXE (42 hits)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes (pid / process, with number of hits):
  - PID 3084 January RFQ..exe (4 hits)
  - PID 3136 NETSTAT.EXE (2 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 3760 January RFQ..exe
  - Token: SeDebugPrivilege, PID 3084 January RFQ..exe
  - Token: SeDebugPrivilege, PID 3136 NETSTAT.EXE
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
  - PID 3020 Explorer.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (pid / process -> target process, with number of hits):
  - PID 3760 January RFQ..exe wrote to memory of PID 3084 January RFQ..exe (6 hits)
  - PID 3020 Explorer.EXE wrote to memory of PID 3136 NETSTAT.EXE (3 hits)
  - PID 3136 NETSTAT.EXE wrote to memory of PID 1268 cmd.exe (3 hits)
Processes (process tree; bracketed number is the depth in the tree)
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\January RFQ..exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\January RFQ..exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\January RFQ..exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\January RFQ..exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1268-25-0x0000000000000000-mapping.dmp
- memory/3020-29-0x0000000006480000-0x0000000006587000-memory.dmp (Filesize: 1.0MB)
- memory/3020-21-0x0000000002B20000-0x0000000002BE6000-memory.dmp (Filesize: 792KB)
- memory/3020-18-0x0000000006170000-0x00000000062A3000-memory.dmp (Filesize: 1.2MB)
- memory/3084-13-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/3084-20-0x0000000001AC0000-0x0000000001AD4000-memory.dmp (Filesize: 80KB)
- memory/3084-19-0x0000000001500000-0x0000000001514000-memory.dmp (Filesize: 80KB)
- memory/3084-17-0x0000000001560000-0x0000000001880000-memory.dmp (Filesize: 3.1MB)
- memory/3084-14-0x000000000041ECB0-mapping.dmp
- memory/3136-23-0x0000000001170000-0x000000000117B000-memory.dmp (Filesize: 44KB)
- memory/3136-22-0x0000000000000000-mapping.dmp
- memory/3136-28-0x00000000035F0000-0x0000000003683000-memory.dmp (Filesize: 588KB)
- memory/3136-26-0x0000000003700000-0x0000000003A20000-memory.dmp (Filesize: 3.1MB)
- memory/3136-24-0x0000000000E30000-0x0000000000E5E000-memory.dmp (Filesize: 184KB)
- memory/3760-9-0x000000000A7E0000-0x000000000A7EE000-memory.dmp (Filesize: 56KB)
- memory/3760-7-0x000000000A640000-0x000000000A641000-memory.dmp (Filesize: 4KB)
- memory/3760-6-0x000000000AA40000-0x000000000AA41000-memory.dmp (Filesize: 4KB)
- memory/3760-8-0x000000000A720000-0x000000000A721000-memory.dmp (Filesize: 4KB)
- memory/3760-2-0x0000000073920000-0x000000007400E000-memory.dmp (Filesize: 6.9MB)
- memory/3760-12-0x000000000C910000-0x000000000C911000-memory.dmp (Filesize: 4KB)
- memory/3760-5-0x0000000004C00000-0x0000000004C7C000-memory.dmp (Filesize: 496KB)
- memory/3760-10-0x0000000004EB0000-0x0000000004EB1000-memory.dmp (Filesize: 4KB)
- memory/3760-11-0x000000000C1A0000-0x000000000C1FA000-memory.dmp (Filesize: 360KB)
- memory/3760-3-0x00000000002B0000-0x00000000002B1000-memory.dmp (Filesize: 4KB)