Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-03-2021 17:46
Static task
static1
Behavioral task
behavioral1
Sample
test.jpg.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
test.jpg.exe
Resource
win10v20201028
General
-
Target
test.jpg.exe
-
Size
764KB
-
MD5
980a55049ad78b00f7a9cd35feccef70
-
SHA1
c550a9b12b02882ac068fce2f65f4e827c9ba1b8
-
SHA256
1a65d32d353149d5b310fc0ea603268baf85a66733870cc890d6558ac44a1107
-
SHA512
d3794e0d3108eba464236b5e9b19b3c0c472751c51ce7385425a888b00681788e85af2952190ac94e3bce80dd7f073f5d5eedc1db66683e72a4856ee8db13b98
Malware Config
Extracted
formbook
http://www.joomlas123.info/3nop/
bakecakesandmore.com
shenglisuoye.com
chinapopfactory.com
ynlrhd.com
liqourforyou.com
leonqamil.com
meccafon.com
online-marketing-strategie.biz
rbfxi.com
frseyb.info
leyu91.com
hotsmail.today
beepot.tech
dunaemmetmobility.com
sixpenceworkshop.com
incrediblefavorcoaching.com
pofo.info
yanshudaili.com
yellowbrickwedding.com
paintpartyblueprint.com
capricorn1967.com
meucarrapicho.com
41230793.net
yoghurtberry.com
wv0uoagz0yr.biz
yfjbupes.com
mindfulinthemadness.com
deloslifesciences.com
adokristal.com
vandergardetuinmeubelshop.com
janewagtus.com
cloudmorning.com
foresteryt01.com
accident-law-yer.info
divorcerefinance.guru
wenxiban.com
589man.com
rockerdwe.com
duftkerzen.info
igametalent.com
yoursafetraffictoupdates.review
jialingjiangpubu.com
maximscrapbooking.com
20sf.info
shadowlandswitchery.com
pmbnc.info
shoppingdrift.online
potashdragon.com
ubkswmpes.com
064ewj.info
rewsales.com
dealsforyou.tech
ziruixu.com
naehascloud.com
smokvape.faith
sunflowermoonstudio.com
stepgentertainment.com
tawbj.info
besthappybuds.net
koohshoping.com
ajikrentcarsurabaya.com
jkjohnsroofingfl.com
whatsnexttnd.com
yoyodvd.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/528-16-0x0000000000000000-mapping.dmp formbook behavioral1/memory/528-18-0x0000000010410000-0x000000001043D000-memory.dmp formbook behavioral1/memory/1036-24-0x0000000000080000-0x00000000000AD000-memory.dmp formbook -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
chkdsk.exedescription ioc process Key created \Registry\User\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run chkdsk.exe Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JHL0HZEHUBJ = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" chkdsk.exe -
Executes dropped EXE 1 IoCs
Processes:
order.exepid process 1292 order.exe -
Loads dropped DLL 3 IoCs
Processes:
test.jpg.exepid process 1656 test.jpg.exe 1656 test.jpg.exe 1656 test.jpg.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
chkdsk.exedescription ioc process Key created \Registry\User\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run chkdsk.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
ieinstal.exechkdsk.exedescription pid process target process PID 528 set thread context of 1272 528 ieinstal.exe Explorer.EXE PID 1036 set thread context of 1272 1036 chkdsk.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
chkdsk.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Processes:
chkdsk.exedescription ioc process Key created \Registry\User\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 chkdsk.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
ieinstal.exechkdsk.exepid process 528 ieinstal.exe 528 ieinstal.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
ieinstal.exechkdsk.exepid process 528 ieinstal.exe 528 ieinstal.exe 528 ieinstal.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe 1036 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ieinstal.exechkdsk.exedescription pid process Token: SeDebugPrivilege 528 ieinstal.exe Token: SeDebugPrivilege 1036 chkdsk.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
DllHost.exeExplorer.EXEpid process 2044 DllHost.exe 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE 1272 Explorer.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
test.jpg.exeorder.exeExplorer.EXEchkdsk.exedescription pid process target process PID 1656 wrote to memory of 1292 1656 test.jpg.exe order.exe PID 1656 wrote to memory of 1292 1656 test.jpg.exe order.exe PID 1656 wrote to memory of 1292 1656 test.jpg.exe order.exe PID 1656 wrote to memory of 1292 1656 test.jpg.exe order.exe PID 1292 wrote to memory of 528 1292 order.exe ieinstal.exe PID 1292 wrote to memory of 528 1292 order.exe ieinstal.exe PID 1292 wrote to memory of 528 1292 order.exe ieinstal.exe PID 1292 wrote to memory of 528 1292 order.exe ieinstal.exe PID 1292 wrote to memory of 528 1292 order.exe ieinstal.exe PID 1292 wrote to memory of 528 1292 order.exe ieinstal.exe PID 1292 wrote to memory of 528 1292 order.exe ieinstal.exe PID 1292 wrote to memory of 528 1292 order.exe ieinstal.exe PID 1292 wrote to memory of 528 1292 order.exe ieinstal.exe PID 1292 wrote to memory of 528 1292 order.exe ieinstal.exe PID 1272 wrote to memory of 1036 1272 Explorer.EXE chkdsk.exe PID 1272 wrote to memory of 1036 1272 Explorer.EXE chkdsk.exe PID 1272 wrote to memory of 1036 1272 Explorer.EXE chkdsk.exe PID 1272 wrote to memory of 1036 1272 Explorer.EXE chkdsk.exe PID 1036 wrote to memory of 1984 1036 chkdsk.exe Firefox.exe PID 1036 wrote to memory of 1984 1036 chkdsk.exe Firefox.exe PID 1036 wrote to memory of 1984 1036 chkdsk.exe Firefox.exe PID 1036 wrote to memory of 1984 1036 chkdsk.exe Firefox.exe PID 1036 wrote to memory of 1984 1036 chkdsk.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\test.jpg.exe"C:\Users\Admin\AppData\Local\Temp\test.jpg.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\order.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\order.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\order.exeMD5
a9b4ac2880dbc00edc0b62fb63b1e447
SHA1062ef6e5beac11ae5d408646a02d04e5e6e7cd8b
SHA2562b8c7e1fd94c1cbb024493f569dd13cf9dad1854d23866fb63b75a41836d845a
SHA51288d2bbebdd8a6bac05e62a375ad1da2cbe7bbbf5a2aaedabfa3bca36e353cd208d81d9432d506c3ea001e1c511a9be8984654a34e27bb219e81040caae94ace9
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\order.exeMD5
a9b4ac2880dbc00edc0b62fb63b1e447
SHA1062ef6e5beac11ae5d408646a02d04e5e6e7cd8b
SHA2562b8c7e1fd94c1cbb024493f569dd13cf9dad1854d23866fb63b75a41836d845a
SHA51288d2bbebdd8a6bac05e62a375ad1da2cbe7bbbf5a2aaedabfa3bca36e353cd208d81d9432d506c3ea001e1c511a9be8984654a34e27bb219e81040caae94ace9
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.jpgMD5
0879e3401ab547891747edc709ecbbec
SHA191e27a26d6c7f9738ae73643cc5dbd5c5ebc8576
SHA2568774d498e85555448fda230243d8afa9cbf60dd70b847411b60967e2a1dac9c7
SHA512f02bd578ad77e2c113fb18f89a06c7ea2c1935e6056541f6c182335506fd27041ea64f3050f4a4262838351cc0e7a486dd809d3404d8afda6deb04429aa8c5bc
-
C:\Users\Admin\AppData\Roaming\-65A6372\-65logim.jpegMD5
e9e5a59b622d08f7b2dedd7fb2bfd006
SHA18a669ab6f4e76aa1130b52c27a821cb0d7dddcd1
SHA2568c88884af3bd2b464b2e748472fc8a1dc92578ab6f5f40c52be22413ad869ff6
SHA512470ac98a8db479ce06be50a09199f23fad29001bc434ac7b1e31b6609e5b80d8b1d4e311d7f7a43c14ef2fa2e75f5de42c4988ef67b76bd75f132b7909d73278
-
C:\Users\Admin\AppData\Roaming\-65A6372\-65logrf.iniMD5
2f245469795b865bdd1b956c23d7893d
SHA16ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA2561662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
-
C:\Users\Admin\AppData\Roaming\-65A6372\-65logri.iniMD5
d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\-65A6372\-65logrv.iniMD5
ba3b6bc807d4f76794c4b81b09bb9ba5
SHA124cb89501f0212ff3095ecc0aba97dd563718fb1
SHA2566eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
-
\Users\Admin\AppData\Local\Temp\RarSFX0\order.exeMD5
a9b4ac2880dbc00edc0b62fb63b1e447
SHA1062ef6e5beac11ae5d408646a02d04e5e6e7cd8b
SHA2562b8c7e1fd94c1cbb024493f569dd13cf9dad1854d23866fb63b75a41836d845a
SHA51288d2bbebdd8a6bac05e62a375ad1da2cbe7bbbf5a2aaedabfa3bca36e353cd208d81d9432d506c3ea001e1c511a9be8984654a34e27bb219e81040caae94ace9
-
\Users\Admin\AppData\Local\Temp\RarSFX0\order.exeMD5
a9b4ac2880dbc00edc0b62fb63b1e447
SHA1062ef6e5beac11ae5d408646a02d04e5e6e7cd8b
SHA2562b8c7e1fd94c1cbb024493f569dd13cf9dad1854d23866fb63b75a41836d845a
SHA51288d2bbebdd8a6bac05e62a375ad1da2cbe7bbbf5a2aaedabfa3bca36e353cd208d81d9432d506c3ea001e1c511a9be8984654a34e27bb219e81040caae94ace9
-
\Users\Admin\AppData\Local\Temp\RarSFX0\order.exeMD5
a9b4ac2880dbc00edc0b62fb63b1e447
SHA1062ef6e5beac11ae5d408646a02d04e5e6e7cd8b
SHA2562b8c7e1fd94c1cbb024493f569dd13cf9dad1854d23866fb63b75a41836d845a
SHA51288d2bbebdd8a6bac05e62a375ad1da2cbe7bbbf5a2aaedabfa3bca36e353cd208d81d9432d506c3ea001e1c511a9be8984654a34e27bb219e81040caae94ace9
-
memory/528-20-0x00000000002D0000-0x00000000002E4000-memory.dmpFilesize
80KB
-
memory/528-15-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/528-16-0x0000000000000000-mapping.dmp
-
memory/528-18-0x0000000010410000-0x000000001043D000-memory.dmpFilesize
180KB
-
memory/528-19-0x0000000002070000-0x0000000002373000-memory.dmpFilesize
3.0MB
-
memory/828-27-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmpFilesize
2.5MB
-
memory/1036-22-0x0000000000000000-mapping.dmp
-
memory/1036-23-0x00000000003D0000-0x00000000003D7000-memory.dmpFilesize
28KB
-
memory/1036-24-0x0000000000080000-0x00000000000AD000-memory.dmpFilesize
180KB
-
memory/1036-25-0x0000000001F40000-0x0000000002243000-memory.dmpFilesize
3.0MB
-
memory/1036-28-0x0000000001DE0000-0x0000000001E73000-memory.dmpFilesize
588KB
-
memory/1272-21-0x0000000003F30000-0x0000000003FE3000-memory.dmpFilesize
716KB
-
memory/1272-32-0x0000000006920000-0x0000000006A7A000-memory.dmpFilesize
1.4MB
-
memory/1292-12-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1292-9-0x0000000000000000-mapping.dmp
-
memory/1656-2-0x00000000765A1000-0x00000000765A3000-memory.dmpFilesize
8KB
-
memory/1656-4-0x0000000002290000-0x0000000002292000-memory.dmpFilesize
8KB
-
memory/1984-29-0x0000000000000000-mapping.dmp
-
memory/1984-31-0x0000000001260000-0x00000000013DA000-memory.dmpFilesize
1.5MB
-
memory/1984-30-0x000000013F7E0000-0x000000013F873000-memory.dmpFilesize
588KB
-
memory/2044-11-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/2044-5-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB