Analysis
-
max time kernel
36s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
21-01-2021 07:09
General
-
Target
14f7d9b43392ee6fc45f4233cffd22af.exe
-
Size
1.0MB
-
MD5
14f7d9b43392ee6fc45f4233cffd22af
-
SHA1
549bd3b6249c5c3488e8ce7dd9c117f2aec2ee1a
-
SHA256
1a1316858bdc617d23e0330ddcde1958d2e95a083fa04020675ad4fb01780c46
-
SHA512
48f98e534452954b680e7b769c09b1425d46377d5da7afdb3237fc63c1a0e0f56d8635ea65ce64d77cc4501a2ffa7bde83a37e4198ada138300ca36dabc3cd83
Malware Config
Extracted
formbook
http://www.herbmedia.net/csv8/
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\14f7d9b43392ee6fc45f4233cffd22af.exe"C:\Users\Admin\AppData\Local\Temp\14f7d9b43392ee6fc45f4233cffd22af.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LvIUCJi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7F7.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\14f7d9b43392ee6fc45f4233cffd22af.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpD7F7.tmpMD5
30e10cdf7d5af02435258997819be0d2
SHA1fa8ddce4a64078889e2ecfd88730e3ddf841bc0b
SHA25647331cedc888f13607c7f48d18e04210560310092b47b1e62b13e25d72a417bc
SHA512f977cd94325e0161bf4019a89b64b1248c7839bd52a3f15598024647a3d2a84fabf5d2ab5280a4052214d5e3b41095ca71c95e44f7d5ba3d97970ece8d5a19ec
-
memory/428-17-0x0000000001280000-0x00000000015A0000-memory.dmpFilesize
3.1MB
-
memory/428-15-0x000000000041D0C0-mapping.dmp
-
memory/428-14-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/556-12-0x0000000000000000-mapping.dmp
-
memory/4772-6-0x00000000058A0000-0x00000000058A1000-memory.dmpFilesize
4KB
-
memory/4772-9-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/4772-10-0x0000000007CF0000-0x0000000007D77000-memory.dmpFilesize
540KB
-
memory/4772-11-0x0000000007E20000-0x0000000007E21000-memory.dmpFilesize
4KB
-
memory/4772-8-0x0000000005A40000-0x0000000005A4E000-memory.dmpFilesize
56KB
-
memory/4772-7-0x0000000003510000-0x0000000003511000-memory.dmpFilesize
4KB
-
memory/4772-2-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/4772-5-0x0000000005DA0000-0x0000000005DA1000-memory.dmpFilesize
4KB
-
memory/4772-3-0x0000000000F20000-0x0000000000F21000-memory.dmpFilesize
4KB