Analysis
- max time kernel: 145s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-01-2021 15:04
- Static task: static1
- Behavioral task: behavioral1
- Sample: insz.exe
- Resource: win7v20201028
General
- Target: insz.exe
- Size: 209KB
- MD5: 394f9f303f2a0039f204a23c0a5ad1a7
- SHA1: a84f6b731446c79f491292a46133087825cdc0ca
- SHA256: ca035ce2804aff96e07142ecb344766e2fca568af3b5b01f60d7886225d7cd49
- SHA512: ca16a81380c60f0e705e089bfaed815b0a050b4bbadbea1a54332f816a4cfb5535d86f86c93a865d84747e7a32c73193658b6ea5ec72d44cf915b519f6f9af21
Malware Config
Extracted
- Family: formbook
- URL: http://www.nationshiphop.com/hko6/
- Domains:
apartmentsineverettwa.com
forritcu.net
hotroodes.com
skinnerttc.com
royaltrustmyanmar.com
adreslog.com
kaysbridalboutiques.com
multitask-improvements.com
geniiforum.com
smarthomehatinh.asia
banglikeaboss.com
javlover.club
affiliateclubindia.com
mycapecoralhomevalue.com
comparamuebles.online
newrochellenissan.com
nairobi-paris.com
fwk.xyz
downdepot.com
nextgenmemorabilia.com
achonabu.com
stevebana.xyz
jacmkt.com
weownthenight187.com
divshop.pro
wewearceylon.com
skyreadymix.net
jaffacorner.com
bakerlibra.icu
femalecoliving.com
best20banks.com
millcityloam.com
signature-office.com
qlifepharmacy.com
dextermind.net
fittcycleacademy.com
davidoff.sucks
1033393.com
tutorsboulder.com
bonicc.com
goodberryjuice.com
zhaowulu.com
teryaq.media
a-zsolutionsllc.com
bitcoincandy.xyz
cfmfair.com
annefontain.com
princesssexyluxwear.com
prodigybrushes.com
zzhqp.com
hwcailing.com
translatiions.com
azery.site
wy1917.com
ringohouse.info
chartershome.com
thongtinhay.net
2201virginiacondo5.com
laurieryork.net
mujeresnegociantes.com
anchoriaswimwear.com
michaelsala.com
esdeportebici.com
ninjitsoo.com
Signatures
- Formbook Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2456-3-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral2/memory/3204-10-0x0000000000FA0000-0x0000000000FCE000-memory.dmp | formbook
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: insz.exe, insz.exe, help.exe
  description | pid | process | target process
  PID 4032 set thread context of 2456 | 4032 | insz.exe | insz.exe
  PID 2456 set thread context of 2828 | 2456 | insz.exe | Explorer.EXE
  PID 3204 set thread context of 2828 | 3204 | help.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  Processes: insz.exe, help.exe
  pid | process
  2456 | insz.exe (4 entries)
  3204 | help.exe (the remaining entries of the 60)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes: insz.exe, insz.exe, help.exe
  pid | process
  4032 | insz.exe
  2456 | insz.exe (3 entries)
  3204 | help.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: insz.exe, help.exe
  description | pid | process
  Token: SeDebugPrivilege | 2456 | insz.exe
  Token: SeDebugPrivilege | 3204 | help.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: insz.exe, Explorer.EXE, help.exe
  description | pid | process | target process
  PID 4032 wrote to memory of 2456 | 4032 | insz.exe | insz.exe (4 entries)
  PID 2828 wrote to memory of 3204 | 2828 | Explorer.EXE | help.exe (3 entries)
  PID 3204 wrote to memory of 1928 | 3204 | help.exe | cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\insz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\insz.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\insz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\insz.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\help.exe
    Command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\insz.exe"
Downloads
- memory/1928-8-0x0000000000000000-mapping.dmp
- memory/2456-2-0x000000000041ECF0-mapping.dmp
- memory/2456-3-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/2456-4-0x0000000001310000-0x0000000001630000-memory.dmp (Filesize: 3.1MB)
- memory/2456-5-0x0000000001010000-0x0000000001024000-memory.dmp (Filesize: 80KB)
- memory/2828-6-0x00000000058B0000-0x00000000059CC000-memory.dmp (Filesize: 1.1MB)
- memory/2828-14-0x0000000003290000-0x0000000003353000-memory.dmp (Filesize: 780KB)
- memory/3204-7-0x0000000000000000-mapping.dmp
- memory/3204-9-0x00000000010F0000-0x00000000010F7000-memory.dmp (Filesize: 28KB)
- memory/3204-10-0x0000000000FA0000-0x0000000000FCE000-memory.dmp (Filesize: 184KB)
- memory/3204-11-0x0000000003AD0000-0x0000000003DF0000-memory.dmp (Filesize: 3.1MB)
- memory/3204-13-0x00000000035E0000-0x0000000003673000-memory.dmp (Filesize: 588KB)