Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 21-01-2021 19:23
Behavioral task: behavioral1
Sample: download.dat.exe
Resource: win7v20201028
General
Target: download.dat.exe
Size: 182KB
MD5: 124416d2b956cf91c800dc8d94e696b4
SHA1: d10ceb17baac1cd703f84903c159e19cc33f7357
SHA256: c765588034bd272b0ff08491d8b477776e4e284c37abcc9a8b7ae08acf0b4fb1
SHA512: 082aa13db5f569b6dec46faad7bd88d20a9de447831b99512496b2013ff1b478401ed9640948982c875544d0135e56b034505eb5cdef8829018934e1fc004e59
Malware Config
Extracted
formbook
http://www.familyof2.com/p3c/
scsykt.com
333999dy.com
soaringhood.net
thejaxstar.com
sakura-wedding.com
ussalesmarketing.com
mathworksheetsforkids.net
bestchinesefoods.com
theparkchi.com
cb6333.com
xldd0817nt15vkr6.xyz
joyousheartphotography.com
kittylol.com
caufooding.com
pippamalmgren.life
saveitall.today
connect-clarity.info
smartestgift.com
nilshana.com
arkpropertysolutions.com
iircad.com
theidahojosh.com
theperfect-date.com
roboeditor.com
battlebornbourbon.net
supermarioplumbing.net
ingrid4u.com
kirkwoodexecutive.com
centroufologicosiciliano.info
opostoriesfromthenba.com
issuingsolution.com
coronakite.com
money-beast.com
adboozl.com
ideasdelvino.com
betwho.site
wanshanglian.com
nehyam.com
mohdaziz.com
niagateknik.com
archivosr.com
appositedocument.club
cleanviser.com
the1099guy.com
beautyprorecommends.com
shireprojectservices.com
crony-resolute.info
lnlenqin.com
task-center.com
wherecanidropoffmyballot.net
goroito-glashaus.com
collegiate-services.com
putrajayamall.com
dodiblunts.com
amusingsbyamber.com
lifelongcart.com
nuestravida.site
braidwood-uk.com
sirg-consulting.com
farleymullen.com
cchidwick.xyz
nutritionaldonuts.com
dbf.network
comercializadorasepter.net
Signatures

Formbook Payload (1 IoC)
  resource: behavioral1/memory/1780-8-0x0000000000090000-0x00000000000BE000-memory.dmp
  yara_rule: formbook

Deletes itself (1 IoC)
  pid 1596  cmd.exe

Suspicious use of SetThreadContext (2 IoCs)
  PID 1184 (download.dat.exe) set thread context of PID 1256 (Explorer.EXE)
  PID 1780 (msiexec.exe) set thread context of PID 1256 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 1184  download.dat.exe  (2 entries)
  pid 1780  msiexec.exe       (29 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 1184  download.dat.exe  (3 entries)
  pid 1780  msiexec.exe       (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1184  download.dat.exe
  Token: SeDebugPrivilege  pid 1780  msiexec.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1256  Explorer.EXE  (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid 1256  Explorer.EXE  (4 entries)

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1256 (Explorer.EXE) wrote to memory of PID 1780 (msiexec.exe)  (7 entries)
  PID 1780 (msiexec.exe) wrote to memory of PID 1596 (cmd.exe)  (4 entries)
Processes

C:\Windows\Explorer.EXE  (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\download.dat.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\download.dat.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msiexec.exe  (depth 2)
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\download.dat.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads

memory/1184-2-0x0000000000A20000-0x0000000000D23000-memory.dmp  Filesize: 3.0MB
memory/1184-3-0x0000000000130000-0x0000000000144000-memory.dmp  Filesize: 80KB
memory/1256-4-0x0000000006F50000-0x00000000070F9000-memory.dmp  Filesize: 1.7MB
memory/1256-12-0x0000000002B20000-0x0000000002BE2000-memory.dmp  Filesize: 776KB
memory/1596-10-0x0000000000000000-mapping.dmp
memory/1780-5-0x0000000000000000-mapping.dmp
memory/1780-6-0x00000000759F1000-0x00000000759F3000-memory.dmp  Filesize: 8KB
memory/1780-7-0x0000000000CF0000-0x0000000000D04000-memory.dmp  Filesize: 80KB
memory/1780-8-0x0000000000090000-0x00000000000BE000-memory.dmp  Filesize: 184KB
memory/1780-9-0x00000000022A0000-0x00000000025A3000-memory.dmp  Filesize: 3.0MB
memory/1780-11-0x0000000000B90000-0x0000000000C23000-memory.dmp  Filesize: 588KB