Overview

overview

10

Static

static

kayx.exe

windows7_x64

10

kayx.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    30-04-2021 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kayx.exe

  • Size

    563KB

  • MD5

    129e1d37b93430b4bd894b16c53cd6bc

  • SHA1

    9ce52826f988b0702ad49e9b1da94f8e3d044c9b

  • SHA256

    28e0affe70d48a6c6fe89b76dc56c59f93521a4b606dbb6fff60a84d382e9ceb

  • SHA512

    9639f5982cc0f2a56c8806a56309aa2daf6960d3a1c9bbd0e478198efd51ed425cedbd8f82a6fbe53cb80914f0b3d1ba8f6fd2c9b319b64452dae4937858edd5

Score
10/10
formbookagilenetratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.semenovdmitriik.club/bwk/

Decoy

alexrabus.com

education618.com

nelivo.com

gosanispire.com

cdaboozecruise.com

lovenfys.com

wellsleyarts.com

madcord.net

aadiventura.com

prideglobalholdings.com

tu-aviso.com

rjroof.com

upthehilldogwalking.com

ultraletefit.com

opinetree.com

retiredalsolovingit.com

oculensweb.com

laurartproductions.com

uncontenido.com

elisabethchin.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of SetThreadContext 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\kayx.exe
      "C:\Users\Admin\AppData\Local\Temp\kayx.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:864
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:616
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
          PID:1784

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      MD5

      6a673bfc3b67ae9782cb31af2f234c68

      SHA1

      7544e89566d91e84e3cd437b9a073e5f6b56566e

      SHA256

      978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

      SHA512

      72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      MD5

      6a673bfc3b67ae9782cb31af2f234c68

      SHA1

      7544e89566d91e84e3cd437b9a073e5f6b56566e

      SHA256

      978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

      SHA512

      72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

      Download Submit
    • \Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      MD5

      6a673bfc3b67ae9782cb31af2f234c68

      SHA1

      7544e89566d91e84e3cd437b9a073e5f6b56566e

      SHA256

      978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

      SHA512

      72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

      Download Submit
    • memory/616-82-0x00000000004B0000-0x0000000000543000-memory.dmp
      Filesize

      588KB

      Download
    • memory/616-81-0x0000000002050000-0x0000000002353000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/616-78-0x0000000000920000-0x000000000092A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/616-80-0x00000000000D0000-0x00000000000FE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/616-76-0x0000000075551000-0x0000000075553000-memory.dmp
      Filesize

      8KB

      Download
    • memory/616-75-0x0000000000000000-mapping.dmp
      Download
    • memory/788-66-0x00000000009C0000-0x00000000009C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/788-59-0x0000000000210000-0x0000000000211000-memory.dmp
      Filesize

      4KB

      Download
    • memory/788-65-0x00000000007A0000-0x00000000007AB000-memory.dmp
      Filesize

      44KB

      Download
    • memory/788-64-0x0000000004CF1000-0x0000000004CF2000-memory.dmp
      Filesize

      4KB

      Download
    • memory/788-63-0x0000000000670000-0x0000000000691000-memory.dmp
      Filesize

      132KB

      Download
    • memory/788-61-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/864-73-0x0000000000200000-0x0000000000214000-memory.dmp
      Filesize

      80KB

      Download
    • memory/864-72-0x0000000000800000-0x0000000000B03000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/864-69-0x000000000041EB50-mapping.dmp
      Download
    • memory/864-68-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1204-74-0x0000000007C30000-0x0000000007D93000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1204-83-0x0000000005F00000-0x0000000006010000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1784-79-0x0000000000000000-mapping.dmp
      Download