Analysis
max time kernel: 104s
max time network: 9s
platform: windows7_x64
resource: win7v20210410
submitted: 20-04-2021 12:04
Static task: static1
Behavioral task: behavioral1
Sample: a47c9823ccdf9e53c683ea1cc9b68caf.exe
Resource: win7v20210410
General
Target: a47c9823ccdf9e53c683ea1cc9b68caf.exe
Size: 636KB
MD5: a47c9823ccdf9e53c683ea1cc9b68caf
SHA1: 59b28ad9022478f383b3244ba254d30a3355258d
SHA256: a87d0fe01c64e340eb6cb2aa36e4d27dcc5002b85573b0e9933e709e4e388621
SHA512: 9c04637631f58023f123cb2c58eb736b1047bf2c494e70c9c3e4f6395d63898d9cae0281f050b044f21f52ab3eeab9f40b7a1aad9c6621054d833faba3295aa8
Malware Config
Extracted
Family: formbook
Version: 4.1
URL: http://www.contactodirectoseguros.com/x0h/
Domains:
recyclenara.com
digirryte.com
hesora.com
friendnancial.com
togetherepiscopal.com
gabilan.net
caribbeanjewelz.com
innovativeiclass.com
weddingrebels.com
underarmoutteamuniforms.com
buettner-freierede.com
3dxeroxprint.com
nationaltaekwondomuseum.com
specnazshow.com
yongle52844253.com
netacradle.com
tiffany-michellebodywhipt.com
goltrongame.com
yunusenvironmenthub.com
shopbirdbutique.com
andyhf.com
xiju.pro
poterbox.com
shaddai-landscaping.com
dhgfhhhg.com
qianwanshang.com
electronicsreycling.online
garbagecanad.com
wuyuejz.com
haarbal.com
pinewoodinteriors.com
antojosconcausa.com
cndzysw.com
gthb2u.com
135494.com
tws-rr.xyz
thelifeprotectgroup.com
furtheless.website
forenvid.com
brettfordoraville.com
gsrfwy.com
taichistressreliefonline.com
mana.land
epicedutainmentclub.com
bigfacebetting.com
hireblkcreatives.com
onlyjohnsons.com
zibodcy.com
sisterhoods.online
hdsmyyz.com
58xiyang.com
consciousdanceevent.com
cotillionclubsmv.com
circleofmillionaires.com
jamesdec.com
cavingchina.com
gsconserv.co.uk
soulardfranklinroom.com
3585385.com
ondayswr.club
estudioquintal.com
myriamward.com
sumantrabasu.com
concretedmv.com
Signatures

Formbook Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1004-67-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1004-68-0x000000000041EB90-mapping.dmp | formbook

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1092 set thread context of 1004 | 1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe | a47c9823ccdf9e53c683ea1cc9b68caf.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe
1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe
1004 | a47c9823ccdf9e53c683ea1cc9b68caf.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 1092 wrote to memory of 1004 | 1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe | a47c9823ccdf9e53c683ea1cc9b68caf.exe
PID 1092 wrote to memory of 1004 | 1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe | a47c9823ccdf9e53c683ea1cc9b68caf.exe
PID 1092 wrote to memory of 1004 | 1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe | a47c9823ccdf9e53c683ea1cc9b68caf.exe
PID 1092 wrote to memory of 1004 | 1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe | a47c9823ccdf9e53c683ea1cc9b68caf.exe
PID 1092 wrote to memory of 1004 | 1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe | a47c9823ccdf9e53c683ea1cc9b68caf.exe
PID 1092 wrote to memory of 1004 | 1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe | a47c9823ccdf9e53c683ea1cc9b68caf.exe
PID 1092 wrote to memory of 1004 | 1092 | a47c9823ccdf9e53c683ea1cc9b68caf.exe | a47c9823ccdf9e53c683ea1cc9b68caf.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a47c9823ccdf9e53c683ea1cc9b68caf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a47c9823ccdf9e53c683ea1cc9b68caf.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\a47c9823ccdf9e53c683ea1cc9b68caf.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\a47c9823ccdf9e53c683ea1cc9b68caf.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1004-67-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/1004-68-0x000000000041EB90-mapping.dmp
- memory/1004-70-0x0000000000850000-0x0000000000B53000-memory.dmp (Filesize: 3.0MB)
- memory/1092-60-0x0000000001350000-0x0000000001351000-memory.dmp (Filesize: 4KB)
- memory/1092-62-0x0000000004BE0000-0x0000000004BE1000-memory.dmp (Filesize: 4KB)
- memory/1092-63-0x0000000000870000-0x0000000000879000-memory.dmp (Filesize: 36KB)
- memory/1092-64-0x000000007EF40000-0x000000007EF41000-memory.dmp (Filesize: 4KB)
- memory/1092-65-0x0000000005190000-0x0000000005217000-memory.dmp (Filesize: 540KB)
- memory/1092-66-0x00000000012C0000-0x0000000001303000-memory.dmp (Filesize: 268KB)