Analysis
-
max time kernel
40s -
max time network
13s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-01-2021 07:55
Static task
static1
Behavioral task
behavioral1
Sample
PO-23562#TZ232-DATED19-01-2021.exe
Resource
win7v20201028
General
-
Target
PO-23562#TZ232-DATED19-01-2021.exe
-
Size
1.5MB
-
MD5
497a3aba71e4db2cbf7d3746acff93eb
-
SHA1
2e5a0391fd8024bec52d70d10356caa198c79f64
-
SHA256
2ba03179153cd1efd2098bf6fc7870efb2b3a5a60f2b516c4c3dace977627289
-
SHA512
19d819b0809af869a06a8ae2e700135208000b02bc269849aa21bbe94b90ac6fc87e647f0efaf6a58c558bcc143f4fe3c033059f2480182774978410655f5f18
Malware Config
Extracted
formbook
http://www.styrelseforum.com/p95n/
kimberlyrutledge.com
auctus.agency
johnemotions.com
guilt-brilliant.com
wxshangdian.com
theolivetreeonline.com
stellarfranchisebrands.com
every1no1.com
hoangthanhgroup.com
psm-gen.com
kingdomwow.com
digitalksr.com
karynpolitoforlg.com
youthdaycalgary.com
libertyhandymanservicesllc.com
breatheohio.com
allenleather.com
transformafter50.info
hnhsylsb.com
hmtradebd.com
besrhodislandhomes.com
zuwozo.com
southernhighlandsnails.com
kaaxg.com
bauer-cobolt.com
steelyourselfshop.net
linksoflondoncharmscheap.com
groundwork-pt.com
beautifulangelicskin.com
aduhelmfinancialsupport.com
xn--carpinteratarifa-hsb.com
thekingink.net
ocotegrill.com
gilbertdodge.com
insuranceinquirer.com
withagentcy.com
deeparchivesvpn.com
blamekd.com
acsdealta.xyz
dsxcj.com
kimonoshihan.com
bosquefamily.com
5587sk.com
integrative.life
unitedjournal.info
lynxdeck.com
onlyfanyou.com
aminomedicalscience.com
rachenstern-technik.com
thejewelrybox.net
stopcolleges.com
thesaltlifestyle.com
tappesupportservices.com
andrewgreenhomes.com
meidiansc.com
gobalexporter.com
rvpji571m.xyz
alwekalaaladabeya.com
scientificimaginetics.com
skaizenpharma.com
balloonpost.club
thefunnythingabout.com
premium-vitality.com
businesscalmcoaching.com
Signatures
-
Formbook Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/476-9-0x0000000000400000-0x000000000042E000-memory.dmp formbook behavioral1/memory/476-10-0x000000000041EDF0-mapping.dmp formbook -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PO-23562#TZ232-DATED19-01-2021.exedescription pid process target process PID 2028 set thread context of 476 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
PO-23562#TZ232-DATED19-01-2021.exePO-23562#TZ232-DATED19-01-2021.exepid process 2028 PO-23562#TZ232-DATED19-01-2021.exe 2028 PO-23562#TZ232-DATED19-01-2021.exe 2028 PO-23562#TZ232-DATED19-01-2021.exe 2028 PO-23562#TZ232-DATED19-01-2021.exe 2028 PO-23562#TZ232-DATED19-01-2021.exe 476 PO-23562#TZ232-DATED19-01-2021.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PO-23562#TZ232-DATED19-01-2021.exedescription pid process Token: SeDebugPrivilege 2028 PO-23562#TZ232-DATED19-01-2021.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
PO-23562#TZ232-DATED19-01-2021.exedescription pid process target process PID 2028 wrote to memory of 2004 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe PID 2028 wrote to memory of 2004 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe PID 2028 wrote to memory of 2004 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe PID 2028 wrote to memory of 2004 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe PID 2028 wrote to memory of 476 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe PID 2028 wrote to memory of 476 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe PID 2028 wrote to memory of 476 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe PID 2028 wrote to memory of 476 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe PID 2028 wrote to memory of 476 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe PID 2028 wrote to memory of 476 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe PID 2028 wrote to memory of 476 2028 PO-23562#TZ232-DATED19-01-2021.exe PO-23562#TZ232-DATED19-01-2021.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO-23562#TZ232-DATED19-01-2021.exe"C:\Users\Admin\AppData\Local\Temp\PO-23562#TZ232-DATED19-01-2021.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PO-23562#TZ232-DATED19-01-2021.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\PO-23562#TZ232-DATED19-01-2021.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/476-9-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/476-10-0x000000000041EDF0-mapping.dmp
-
memory/476-12-0x0000000000910000-0x0000000000C13000-memory.dmpFilesize
3.0MB
-
memory/2028-2-0x0000000074EE0000-0x00000000755CE000-memory.dmpFilesize
6.9MB
-
memory/2028-3-0x0000000000EF0000-0x0000000000EF1000-memory.dmpFilesize
4KB
-
memory/2028-5-0x0000000000E40000-0x0000000000EBC000-memory.dmpFilesize
496KB
-
memory/2028-6-0x0000000005ED0000-0x0000000005ED1000-memory.dmpFilesize
4KB
-
memory/2028-7-0x00000000002C0000-0x00000000002CE000-memory.dmpFilesize
56KB
-
memory/2028-8-0x0000000000DA0000-0x0000000000DFB000-memory.dmpFilesize
364KB