Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-01-2021 17:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: Details...exe
- Resource: win7v20201028
General
- Target: Details...exe
- Size: 978KB
- MD5: 4784ea7aa126e562158fd9882a3f771e
- SHA1: 1e74531be148cd8ecea482b060836f1102cbb57b
- SHA256: 62e4e1e22348e0eb9b33c350ee4489a3d9292dd81bf289282ebb148507180609
- SHA512: 5b8ec648de68f613d104870e4b4e7a08c9d79a83ba3622ba4f00166ae16fa994f59e96ca5c732c76d0f553141590634a2443e26e8be359b172b7d06d254a8493
Malware Config
Extracted: formbook
- http://www.deuxus.com/t052/
Domains:
ladybug-learning.com
unforgottenstory.com
oldmopaiv.xyz
natashaexim.com
hannahmcelgunn.com
retargetingmachines.info
njoconline.com
unicornlankadelivery.com
giftkerala.com
englishfordoctors.online
schatzilandrvresort.com
brujoisaac.com
basiccampinggear.com
escapees.today
dgyxsy888.com
stevebana.xyz
mimozakebap.com
ezdoff.com
pluumyspalace.com
shaoshanshan.com
crazyvine.wine
sfjt55.com
xjgqh.com
netverificatie-home.info
efnew.com
welderweb.com
2ndstars.com
parrotpink.com
sarahjanehammock.com
pizzawestpalmbeach.com
pivot-branding.com
bribiebootcamp.com
floridaincontinencetherapy.com
muddanyc.com
pflegedienst-24-7.com
kunstradar.com
coolgadgetsdominate.com
comedynationlive.com
workoutandlawn.com
orangecountyvolvolease.com
sunrisemath.com
premiumenterprisegroup.com
mnglobalplatform.com
bijie.xyz
christiandailyusa.com
kismetestatestjohn.com
bobyworks.com
h2cooker.com
kimquint.com
torturechamberproductions.com
superbbsuper.com
bibleandkoran.net
oncuecollective.com
strat-fundamentals.info
taichi.chat
beautyroomgreenwich.com
686761.com
prostatamrt.net
medicina-genomica.com
hl022.com
forestlawnfunerals.com
charismayachts.com
sublimequalitystore.com
bowvacare.com
Signatures
Formbook Payload (3 IoCs)
Processes (resource: yara_rule):
- behavioral2/memory/192-13-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
- behavioral2/memory/192-14-0x000000000041ECC0-mapping.dmp: formbook
- behavioral2/memory/3644-23-0x00000000027C0000-0x00000000027EE000-memory.dmp: formbook
Suspicious use of SetThreadContext (3 IoCs)
Processes (description / pid / process / target process):
- PID 4012 set thread context of 192 / 4012 / Details...exe / Details...exe
- PID 192 set thread context of 3128 / 192 / Details...exe / Explorer.EXE
- PID 3644 set thread context of 3128 / 3644 / systray.exe / Explorer.EXE
Suspicious behavior: EnumeratesProcesses (43 IoCs)
Processes (pid / process):
- 4012 / Details...exe (3 events)
- 192 / Details...exe (4 events)
- 3644 / systray.exe (36 events)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid / process):
- 192 / Details...exe (3 events)
- 3644 / systray.exe (2 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 4012 / Details...exe
- Token: SeDebugPrivilege / 192 / Details...exe
- Token: SeDebugPrivilege / 3644 / systray.exe
Suspicious use of UnmapMainImage (1 IoC)
Processes (pid / process):
- 3128 / Explorer.EXE
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description / pid / process / target process):
- PID 4012 wrote to memory of 208 / 4012 / Details...exe / Details...exe (3 events)
- PID 4012 wrote to memory of 192 / 4012 / Details...exe / Details...exe (6 events)
- PID 3128 wrote to memory of 3644 / 3128 / Explorer.EXE / systray.exe (3 events)
- PID 3644 wrote to memory of 2648 / 3644 / systray.exe / cmd.exe (3 events)
Processes
1. C:\Windows\Explorer.EXE (PID: 3128)
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Details...exe (PID: 4012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Details...exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Details...exe (PID: 208)
         Command line: "C:\Users\Admin\AppData\Local\Temp\Details...exe"
      3. C:\Users\Admin\AppData\Local\Temp\Details...exe (PID: 192)
         Command line: "C:\Users\Admin\AppData\Local\Temp\Details...exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\systray.exe (PID: 3644)
      Command line: "C:\Windows\SysWOW64\systray.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID: 2648)
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Details...exe"