Analysis
max time kernel: 46s
max time network: 71s
platform: windows10_x64
resource: win10v20210408
submitted: 19-04-2021 10:29
Static task: static1
Behavioral task: behavioral1
  Sample: 6.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 6.exe
  Resource: win10v20210408
General
Target: 6.exe
Size: 906KB
MD5: 69802992de34a4988baf0045a2d1dccf
SHA1: 5a568d6d7a56a1f1bd81a6dd5a7487a7b7b6dff3
SHA256: de9d32e10118cdc282e1e20d42c53c061f0d9c727c88af95f8d9059ea163e2f6
SHA512: a1a5e73f86ab933256a3689c1ad06f17534a06ac0cc8446a5e23c462e787d56b9887399660823ebfed7b0069745624e48a8acd1575e98efcb273dbe006dfe202
Malware Config
Extracted family: formbook
Version: 4.1
C2: http://www.joomlas123.info/n7ak/
Decoy domains (64 entries; Formbook 4.1 ships its C2 alongside a list of decoy domains, and only the URL above is the real C2):
audereventur.com
huro14.com
wwwjinsha155.com
antiquevendor.com
samuraisoulfood.net
traffic4updates.download
hypersarv.com
rapport-happy-wedding.com
rokutechnosupport.online
allworljob.com
hanaleedossmann.com
kauai-marathon.com
bepbosch.com
kangen-international.com
zoneshopemenowz.com
belviderewrestling.com
ipllink.com
sellingforcreators.com
wwwswty6655.com
qtumboa.com
bazarmoney.net
librosdecienciaficcion.com
shopmomsthebomb.com
vanjacob.com
tgyaa.com
theporncollective.net
hydrabadproperties.com
brindesecologicos.com
sayagayrimenkul.net
4btoken.com
shycedu.com
overall789.top
maison-pierre-bayle.com
elitemediamasters.com
sharmasfabrics.com
hoshamp.com
myultimateleadgenerator.com
office4u.info
thaimart1.com
ultimatewindowusa.com
twoblazesartworks.com
airteloffer.com
shoupaizhao.com
741dakotadr.info
books4arab.net
artedelcioccolato.biz
tjqcu.info
teccoop.net
maturebridesdressguide.com
excelcapfunding.com
bitcoinak.com
profileorderflow.com
unbelievabowboutique.com
midlandshomesolutionsltd.com
healthywithhook.com
stirlingpiper.com
manfast.online
arikorin.com
texastrustedinsurance.com
moodandmystery.com
yh77808.com
s-immotanger.com
runzexd.com
meteoannecy.net
Signatures
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses public cloud storage services to fetch and stage follow-on payloads; in this run the payload it stages is Formbook.
Formbook Payload 3 IoCs
yara_rule formbook matched:
  behavioral2/memory/3908-115-0x0000000000000000-mapping.dmp
  behavioral2/memory/3908-117-0x0000000010410000-0x000000001043D000-memory.dmp
  behavioral2/memory/1276-123-0x0000000003250000-0x000000000327D000-memory.dmp
Adds policy Run key to start application 2 TTPs 1 IoCs
process: explorer.exe
  Key created: \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Modifies Installed Components in the registry 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
process: explorer.exe
  Key created: \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\FDU0FTBPXZC = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"
Suspicious use of SetThreadContext 2 IoCs
  PID 3908 ieinstal.exe set thread context of PID 3092 Explorer.EXE
  PID 1276 explorer.exe set thread context of PID 3092 Explorer.EXE
Modifies Internet Explorer settings 1 IoCs
process: explorer.exe
  Key created: \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Modifies registry class 5 IoCs
process: explorer.exe
  Set value (data): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
  Set value (data): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Suspicious behavior: EnumeratesProcesses 8 IoCs
  PID 3908 ieinstal.exe (4)
  PID 1276 explorer.exe (4)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  PID 3092 Explorer.EXE (1)
Suspicious behavior: MapViewOfSection 5 IoCs
  PID 3908 ieinstal.exe (3)
  PID 1276 explorer.exe (2)
Suspicious use of AdjustPrivilegeToken 22 IoCs
  Token: SeDebugPrivilege           PID 3908 ieinstal.exe (1)
  Token: SeDebugPrivilege           PID 1276 explorer.exe (1)
  Token: SeShutdownPrivilege        PID 3092 Explorer.EXE (6)
  Token: SeCreatePagefilePrivilege  PID 3092 Explorer.EXE (6)
  Token: SeShutdownPrivilege        PID 3732 explorer.exe (4)
  Token: SeCreatePagefilePrivilege  PID 3732 explorer.exe (4)
The two SeDebugPrivilege requests are the ones worth alerting on: neither a genuine IE installer nor a 32-bit Explorer instance has any reason to enable it, and both processes go on to inject into Explorer.EXE. The SeShutdownPrivilege and SeCreatePagefilePrivilege toggling by the shell processes (3092, 3732) is routine Explorer behaviour.
Suspicious use of FindShellTrayWindow 5 IoCs
  PID 3732 explorer.exe (5)
Suspicious use of SendNotifyMessage 8 IoCs
  PID 3732 explorer.exe (8)
Suspicious use of WriteProcessMemory 9 IoCs
  PID 656 6.exe wrote to memory of PID 3908 ieinstal.exe (6)
  PID 3092 Explorer.EXE wrote to memory of PID 1276 explorer.exe (3)
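The WriteProcessMemory, SetThreadContext and Run-key signatures above are three views of one chain: 6.exe hollows a suspended ieinstal.exe, the hollowed ieinstal.exe hijacks a thread in the already-running Explorer.EXE, the injected shell in turn hollows a SysWOW64\explorer.exe, and that process writes the persistence keys. The script below is an added example (not part of this report or of any sandbox vendor's tooling) that correlates those events into a verdict. The PID/image table and the event list are transcribed from the report; the record layout, the child-to-parent map (inferred from the tree nesting) and the heuristic that a Run value name of eight or more uppercase alphanumerics is random-looking are this example's own assumptions.

```python
"""Correlate sandbox behavioural events into an injection/persistence verdict.

Added example, not sandbox code. Events are transcribed from the report;
PARENT and the heuristics below are assumptions of this example.
"""
import re
from collections import Counter

# pid -> image path, from the process tree in the report.
PROCESSES = {
    656:  r"C:\Users\Admin\AppData\Local\Temp\6.exe",
    3908: r"C:\Program Files (x86)\internet explorer\ieinstal.exe",
    3092: r"C:\Windows\Explorer.EXE",
    1276: r"C:\Windows\SysWOW64\explorer.exe",
}

# child pid -> parent pid, inferred from the tree's nesting (assumption:
# the report shows depth markers, not explicit parent PIDs).
PARENT = {656: 3092, 3908: 656, 1276: 3092}

# (api, caller_pid, target_pid), transcribed from the signature tables.
EVENTS = (
    [("WriteProcessMemory", 656, 3908)] * 6
    + [("WriteProcessMemory", 3092, 1276)] * 3
    + [("SetThreadContext", 3908, 3092), ("SetThreadContext", 1276, 3092)]
)

# (writer_pid, key, value_name, data): the registry writes the report
# attributes to SysWOW64\explorer.exe (PID 1276).
REGISTRY = [
    (1276, r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", None, None),
    (1276, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "FDU0FTBPXZC",
     r"C:\Program Files (x86)\internet explorer\ieinstal.exe"),
]

# Heuristic (assumption): 8+ uppercase alphanumerics looks machine-generated.
RANDOM_VALUE_NAME = re.compile(r"^[A-Z0-9]{8,}$")


def hollowing_candidates(events, parent):
    """A parent writing into a child it just spawned is the hollowing pattern
    (child created suspended, image overwritten). -> {(writer, target): count}"""
    return dict(Counter(
        (src, dst) for api, src, dst in events
        if api == "WriteProcessMemory" and parent.get(dst) == src
    ))


def thread_hijacks(events, parent):
    """SetThreadContext on a process the caller did not create: a thread
    hijack into an already-running process (here the shell, Explorer.EXE)."""
    return [(src, dst) for api, src, dst in events
            if api == "SetThreadContext" and parent.get(dst) != src]


def autorun_findings(registry, hollowed_images):
    """Flag a Policies\\Explorer\\Run key being created at all, a Run value
    with a random-looking name, and autorun data naming the image of a
    process that was hollowed (a Microsoft binary reused as payload host)."""
    findings = []
    for pid, key, name, data in registry:
        if key.lower().endswith(r"\policies\explorer\run"):
            findings.append((pid, "policy Run key created", key))
        if name and RANDOM_VALUE_NAME.match(name):
            findings.append((pid, f"random-named Run value {name}", data))
        if data and data.lower() in hollowed_images:
            findings.append((pid, "autorun points at hollowed image", data))
    return findings


def verdict(events=EVENTS, registry=REGISTRY, parent=PARENT, processes=PROCESSES):
    """Tie the three signals together into a dict a triage note can quote."""
    hollowed = hollowing_candidates(events, parent)
    hollowed_images = {processes[dst].lower() for _, dst in hollowed}
    hijacks = thread_hijacks(events, parent)
    autoruns = autorun_findings(registry, hollowed_images)
    return {
        "hollowed": {f"{processes[s]} -> {processes[d]}": n for (s, d), n in hollowed.items()},
        "hijacked_into": sorted({processes[d] for _, d in hijacks}),
        "autorun": autoruns,
        "injection_chain": bool(hollowed) and bool(hijacks) and bool(autoruns),
    }


if __name__ == "__main__":
    for label, value in verdict().items():
        print(f"{label}: {value}")
```

Note that the second hollowing candidate has Explorer.EXE as the writer: that is not the shell misbehaving on its own but the Formbook code already running inside it, which is why PID-based attribution alone would name the wrong culprit and the chain has to be read as a whole.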
Processes
1⤵ C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Users\Admin\AppData\Local\Temp\6.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\6.exe"
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Program Files (x86)\internet explorer\ieinstal.exe
       Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: MapViewOfSection
       - Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Windows\SysWOW64\explorer.exe
     Command line: "C:\Windows\SysWOW64\explorer.exe"
     - Adds policy Run key to start application
     - Adds Run key to start application
     - Suspicious use of SetThreadContext
     - Modifies Internet Explorer settings
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of AdjustPrivilegeToken
1⤵ C:\Windows\system32\werfault.exe
   Command line: werfault.exe /h /shared Global\7efeb39eb73b4ec79b320d71139ac639 /t 3096 /p 3092
   (The /p argument names PID 3092, the Explorer.EXE instance that ieinstal.exe and SysWOW64\explorer.exe injected into, so this is Windows Error Reporting being invoked for the shell after the injection.)
1⤵ C:\Windows\explorer.exe
   Command line: explorer.exe
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   (This is PID 3732, a fresh shell instance; its BagMRU registry writes, FindShellTrayWindow and SendNotifyMessage calls are consistent with ordinary Explorer start-up and no injection events involve it, unlike PIDs 3908 and 1276.)
1⤵ C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
   Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵ C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
   Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/656-114-0x00000000005E0000-0x000000000072A000-memory.dmp    1.3MB
memory/1276-123-0x0000000003250000-0x000000000327D000-memory.dmp   180KB
memory/1276-125-0x0000000004FA0000-0x0000000005033000-memory.dmp   588KB
memory/1276-124-0x0000000005250000-0x0000000005570000-memory.dmp   3.1MB
memory/1276-121-0x0000000000000000-mapping.dmp
memory/1276-122-0x0000000000AB0000-0x0000000000EEF000-memory.dmp   4.2MB
memory/3092-126-0x0000000006230000-0x0000000006386000-memory.dmp   1.3MB
memory/3092-120-0x0000000008AB0000-0x0000000008C4F000-memory.dmp   1.6MB
memory/3732-127-0x0000000000EC0000-0x0000000000EC1000-memory.dmp   4KB
memory/3908-117-0x0000000010410000-0x000000001043D000-memory.dmp   180KB
memory/3908-118-0x0000000005060000-0x0000000005380000-memory.dmp   3.1MB
memory/3908-119-0x0000000005040000-0x0000000005054000-memory.dmp   80KB
memory/3908-116-0x0000000002FE0000-0x0000000002FE1000-memory.dmp   4KB
memory/3908-115-0x0000000000000000-mapping.dmp
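The dump names above encode PID, sequence number and the virtual address range of each region, which is enough to cross-check the printed sizes and to notice that the two regions the formbook YARA rule hit (PID 3908 at 0x10410000 and PID 1276 at 0x03250000) are exactly the same 0x2D000 bytes: the same unpacked payload image sitting in two different host processes. The script below is an added example, not part of this report or of any sandbox's own tooling. The listing and the YARA hits are transcribed from the report; the filename grammar (pid-seq-start[-end]-kind.dmp) is inferred from those names and is an assumption of this example.

```python
"""Parse sandbox memory-dump names, verify printed sizes, and find equal-sized
regions across processes.

Added example, not sandbox code. LISTING and FORMBOOK_HITS are transcribed
from the report; the filename grammar is an inferred assumption.
"""
import re
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_EVEN

# Assumed grammar: [behavioralN/]memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp
DUMP_NAME = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# (dump name, size as printed in the Downloads section; None for mapping dumps)
LISTING = [
    ("memory/656-114-0x00000000005E0000-0x000000000072A000-memory.dmp", "1.3MB"),
    ("memory/1276-123-0x0000000003250000-0x000000000327D000-memory.dmp", "180KB"),
    ("memory/1276-125-0x0000000004FA0000-0x0000000005033000-memory.dmp", "588KB"),
    ("memory/1276-124-0x0000000005250000-0x0000000005570000-memory.dmp", "3.1MB"),
    ("memory/1276-121-0x0000000000000000-mapping.dmp", None),
    ("memory/1276-122-0x0000000000AB0000-0x0000000000EEF000-memory.dmp", "4.2MB"),
    ("memory/3092-126-0x0000000006230000-0x0000000006386000-memory.dmp", "1.3MB"),
    ("memory/3092-120-0x0000000008AB0000-0x0000000008C4F000-memory.dmp", "1.6MB"),
    ("memory/3732-127-0x0000000000EC0000-0x0000000000EC1000-memory.dmp", "4KB"),
    ("memory/3908-117-0x0000000010410000-0x000000001043D000-memory.dmp", "180KB"),
    ("memory/3908-118-0x0000000005060000-0x0000000005380000-memory.dmp", "3.1MB"),
    ("memory/3908-119-0x0000000005040000-0x0000000005054000-memory.dmp", "80KB"),
    ("memory/3908-116-0x0000000002FE0000-0x0000000002FE1000-memory.dmp", "4KB"),
    ("memory/3908-115-0x0000000000000000-mapping.dmp", None),
]

# Resources the report's "formbook" YARA rule matched.
FORMBOOK_HITS = {
    "behavioral2/memory/3908-115-0x0000000000000000-mapping.dmp",
    "behavioral2/memory/3908-117-0x0000000010410000-0x000000001043D000-memory.dmp",
    "behavioral2/memory/1276-123-0x0000000003250000-0x000000000327D000-memory.dmp",
}


def parse_dump_name(name):
    """Split a dump name into pid, seq, kind, start, end and byte size
    (size is None for mapping dumps, which carry no end address)."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
        "start": start, "end": end,
        "size": (end - start) if end is not None else None,
    }


def human_size(n):
    """Reproduce the report's binary-unit style (180KB, 1.3MB)."""
    if n >= 1 << 20:
        mb = (Decimal(n) / Decimal(1 << 20)).quantize(Decimal("0.1"), ROUND_HALF_EVEN)
        return f"{mb}MB"
    kb = (Decimal(n) / Decimal(1 << 10)).quantize(Decimal("1"), ROUND_HALF_EVEN)
    return f"{kb}KB"


def size_mismatches(listing=LISTING):
    """Entries whose address range disagrees with the printed size."""
    bad = []
    for name, printed in listing:
        d = parse_dump_name(name)
        if d["size"] is not None and human_size(d["size"]) != printed:
            bad.append((name, human_size(d["size"]), printed))
    return bad


def shared_region_sizes(listing=LISTING):
    """Region sizes that occur in more than one PID: the same unpacked payload
    image mapped into several hosts shows up as an identical byte count."""
    by_size = defaultdict(set)
    for name, _ in listing:
        d = parse_dump_name(name)
        if d["size"] is not None:
            by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def formbook_region_sizes(hits=FORMBOOK_HITS):
    """Byte sizes of the memory regions (mapping dumps excluded) the rule hit."""
    sizes = (parse_dump_name(h)["size"] for h in hits)
    return {s for s in sizes if s is not None}


if __name__ == "__main__":
    print("size mismatches:", size_mismatches())
    for size, pids in sorted(shared_region_sizes().items()):
        print(f"0x{size:X} ({human_size(size)}) present in PIDs {pids}")
    print("formbook-tagged region sizes:", [hex(s) for s in formbook_region_sizes()])
```

The 0x2D000 match is the useful output: when the same-sized region is YARA-tagged in both the hollowed ieinstal.exe and the hollowed SysWOW64\explorer.exe, either dump can be carved for config extraction and the two should yield the same C2 and decoy list.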