Analysis
max time kernel: 140s
max time network: 141s
platform: windows7_x64
resource: win7v20210410
submitted: 18-04-2021 07:27
Static task: static1
Behavioral task: behavioral1
- Sample: a1775a2476e688c996883a990c5d2447.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: a1775a2476e688c996883a990c5d2447.exe
- Resource: win10v20210408
General
Target: a1775a2476e688c996883a990c5d2447.exe
Size: 508KB
MD5: a1775a2476e688c996883a990c5d2447
SHA1: 44f49ab707ef24b3b24c9b17da1dae2ccf7faa67
SHA256: c06d84a04de7e2e2300b5a5de7e531d26e67e2f7bcaf29c34b9f15dada38f502
SHA512: a4a426591faf22232b59837d53d02f9adf1ff84babee469a7a3ce831fcaccf9dd1996a3715e160495309791ef53c0e5b3424646a019895fa44eff26a8084cb46
Malware Config
Extracted: formbook 3.9
http://www.mansiobbok.info/i19/
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Formbook Payload (1 IoCs)
- resource: behavioral1/memory/576-67-0x0000000000100000-0x000000000012A000-memory.dmp, yara_rule: formbook

Adds Run key to start application (2 TTPs, 1 IoCs)
- description: Set value (str)
- ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sazb = "C:\\Users\\Admin\\Sazb\\Sazb.hta"
- process: a1775a2476e688c996883a990c5d2447.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
- description: PID 1640 set thread context of 576; process: a1775a2476e688c996883a990c5d2447.exe (pid 1640); target process: ieinstal.exe (pid 576)

Program crash (1 IoCs)
- process: WerFault.exe (pid 668); target process: ieinstal.exe (pid_target 576)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
- pid 1640 a1775a2476e688c996883a990c5d2447.exe (3 occurrences)
- pid 668 WerFault.exe (5 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- pid 668 WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- description: Token: SeDebugPrivilege; pid 668 WerFault.exe

Suspicious use of WriteProcessMemory (13 IoCs)
- PID 1640 (a1775a2476e688c996883a990c5d2447.exe) wrote to memory of 576 (ieinstal.exe) (9 occurrences)
- PID 576 (ieinstal.exe) wrote to memory of 668 (WerFault.exe) (4 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a1775a2476e688c996883a990c5d2447.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a1775a2476e688c996883a990c5d2447.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

2. C:\Program Files (x86)\internet explorer\ieinstal.exe
   Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 40
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Matrix: ATT&CK v6
Downloads
- memory/576-63-0x00000000005315C0-mapping.dmp
- memory/576-62-0x0000000000530000-0x000000000055F000-memory.dmp (Filesize 188KB)
- memory/576-66-0x0000000000530000-0x000000000055F000-memory.dmp (Filesize 188KB)
- memory/576-67-0x0000000000100000-0x000000000012A000-memory.dmp (Filesize 168KB)
- memory/668-64-0x0000000000000000-mapping.dmp
- memory/668-68-0x00000000002E0000-0x00000000002E1000-memory.dmp (Filesize 4KB)
- memory/1640-60-0x0000000075631000-0x0000000075633000-memory.dmp (Filesize 8KB)
- memory/1640-61-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize 4KB)