Analysis
max time kernel: 147s
max time network: 138s
platform: windows7_x64
resource: win7v20210410
submitted: 30-04-2021 13:49

Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: kayx.exe, Resource: win7v20210410)
General
Target: kayx.exe
Size: 563KB
MD5: 129e1d37b93430b4bd894b16c53cd6bc
SHA1: 9ce52826f988b0702ad49e9b1da94f8e3d044c9b
SHA256: 28e0affe70d48a6c6fe89b76dc56c59f93521a4b606dbb6fff60a84d382e9ceb
SHA512: 9639f5982cc0f2a56c8806a56309aa2daf6960d3a1c9bbd0e478198efd51ed425cedbd8f82a6fbe53cb80914f0b3d1ba8f6fd2c9b319b64452dae4937858edd5
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.semenovdmitriik.club/bwk/
Decoy domains (a Formbook config embeds a list of decoy domains next to the real C2; the sample does not necessarily contact them and most are unrelated legitimate sites, so do not turn this list into a blocklist as-is):
alexrabus.com
education618.com
nelivo.com
gosanispire.com
cdaboozecruise.com
lovenfys.com
wellsleyarts.com
madcord.net
aadiventura.com
prideglobalholdings.com
tu-aviso.com
rjroof.com
upthehilldogwalking.com
ultraletefit.com
opinetree.com
retiredalsolovingit.com
oculensweb.com
laurartproductions.com
uncontenido.com
elisabethchin.com
fefffisce.info
radicallymessy.church
ufdzbhrxk.icu
nerdtoysuk.xyz
alibbv.com
wellness-sense.com
northernirelandcustoms.academy
propointcleaning.com
essentials19.com
ethereumlp.com
campustore.net
dubai-tlv.com
videoadprofits.com
getblackops2hack.com
jawwal.xyz
sacpanel.com
statiajewels.com
moveincyprus.com
skip3-akjsdn.com
psychedelicsnail.com
linkitmexico.com
legalmktexas.net
kickitfashion.com
jphomedecor-01.com
iyogyl.com
wester.zone
freightlogins.com
mytinyhometips.com
shaunmdurrantbooks.com
weretheshepards.com
rigwelllifetimeonline.com
artistssupportpledge.com
hymingfeng.com
konbeca.com
mack-soldenfx.com
xywedding.com
hg62988.com
wirebeevehicles.com
barnettmt5.com
businesspartner360.com
financesdigital.com
thejadedopal.com
fragrancecollector.com
pigpigworld.com
Signatures

Formbook Payload (3 IoCs)
yara_rule formbook matched:
  behavioral1/memory/864-68-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral1/memory/864-69-0x000000000041EB50-mapping.dmp
  behavioral1/memory/616-80-0x00000000000D0000-0x00000000000FE000-memory.dmp

Executes dropped EXE (1 IoC)
  PID 864 AddInProcess32.exe

Loads dropped DLL (1 IoC)
  PID 788 kayx.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
yara_rule agile_net matched:
  behavioral1/memory/788-63-0x0000000000670000-0x0000000000691000-memory.dmp

Suspicious use of SetThreadContext (3 IoCs)
  PID 788 kayx.exe set thread context of PID 864 AddInProcess32.exe
  PID 864 AddInProcess32.exe set thread context of PID 1204 Explorer.EXE
  PID 616 ipconfig.exe set thread context of PID 1204 Explorer.EXE
Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
  PID 616 ipconfig.exe
Caveat: in this run ipconfig.exe is an injection target, not an ordinary network query. Explorer.EXE (PID 1204) writes into it, the Formbook yara rule matches its memory (memory/616-80), and it in turn sets thread context on Explorer.EXE and spawns the cmd.exe that deletes the dropped payload. Read this signature as payload code running under a system binary's name.
Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 788 kayx.exe (2)
  PID 864 AddInProcess32.exe (2)
  PID 616 ipconfig.exe (20)

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 864 AddInProcess32.exe (3)
  PID 616 ipconfig.exe (2)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 788 kayx.exe: Token SeDebugPrivilege
  PID 864 AddInProcess32.exe: Token SeDebugPrivilege
  PID 616 ipconfig.exe: Token SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 1204 Explorer.EXE (4)

Suspicious use of SendNotifyMessage (4 IoCs)
  PID 1204 Explorer.EXE (4)

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 788 kayx.exe wrote to memory of PID 864 AddInProcess32.exe (7)
  PID 1204 Explorer.EXE wrote to memory of PID 616 ipconfig.exe (4)
  PID 616 ipconfig.exe wrote to memory of PID 1784 cmd.exe (4)
Processes
Tree depth as reported: kayx.exe and ipconfig.exe are both children of Explorer.EXE, and the final cmd.exe deletes the dropped AddInProcess32.exe.

C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\kayx.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\kayx.exe")
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe")
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\ipconfig.exe  (command line: "C:\Windows\SysWOW64\ipconfig.exe")
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe")
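Added example (not part of the Triage report and not code from the sample): a small Python script that re-reads the SetThreadContext and WriteProcessMemory rows from the Signatures section, rebuilds the cross-process injection graph, separates write-plus-SetThreadContext pairs (the hollowing pattern kayx.exe uses on AddInProcess32.exe) from SetThreadContext-only pairs (the section-mapping injection into Explorer.EXE that this report records under MapViewOfSection rather than WriteProcessMemory), walks the chain from PID 788 to the final cmd.exe, and checks that cmd.exe's command line for deletion of a file the sandbox saw dropped. The input rows are copied from this report and embedded as constructed text; the function and constant names are my own.

```python
"""Rebuild the injection chain from flattened sandbox signature rows.

Added example: the rows in RECORDS are this report's SetThreadContext and
WriteProcessMemory entries, one per line, with duplicate rows collapsed
(constructed input). Function names are illustrative, not Triage's API.
"""
import re
from collections import defaultdict

RECORDS = """\
PID 788 set thread context of 864 788 kayx.exe AddInProcess32.exe
PID 864 set thread context of 1204 864 AddInProcess32.exe Explorer.EXE
PID 616 set thread context of 1204 616 ipconfig.exe Explorer.EXE
PID 788 wrote to memory of 864 788 kayx.exe AddInProcess32.exe
PID 1204 wrote to memory of 616 1204 Explorer.EXE ipconfig.exe
PID 616 wrote to memory of 1784 616 ipconfig.exe cmd.exe
"""

# Last process in the report's tree and the file listed under "Executes dropped EXE".
CMD_LINE = 'C:\\Windows\\SysWOW64\\cmd.exe /c del "C:\\Users\\Admin\\AppData\\Local\\Temp\\AddInProcess32.exe"'
DROPPED = {r"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"}

# Row layout: "<description> <pid> <process> <target process>", where the
# description itself repeats the source PID and names the target PID.
RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)

WRITE, CONTEXT = "wrote to memory of", "set thread context of"


def parse_records(text):
    """Return (edges, names). edges maps (src_pid, dst_pid) -> set of actions;
    names maps every PID seen to its image name."""
    edges, names = defaultdict(set), {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)].add(m["action"])
        names[src], names[dst] = m["src_name"], m["dst_name"]
    return dict(edges), names


def hollowing_candidates(edges, names):
    """Write into a remote process followed by SetThreadContext on it is the
    classic hollowing/RunPE pattern. Injection via NtMapViewOfSection leaves
    no WriteProcessMemory row, so SetThreadContext-only edges are returned
    separately instead of being discarded."""
    both, context_only = [], []
    for (src, dst), actions in sorted(edges.items()):
        if CONTEXT not in actions:
            continue
        pair = (names[src], names[dst])
        (both if WRITE in actions else context_only).append(pair)
    return both, context_only


def injection_chain(edges, names, start_pid):
    """Follow edges from the dropper to the last process touched. The report
    has a back-edge (ipconfig.exe -> Explorer.EXE), so track visited PIDs."""
    chain, seen, pid = [], set(), start_pid
    while pid not in seen:
        seen.add(pid)
        chain.append(names[pid])
        nxt = [d for (s, d) in edges if s == pid and d not in seen]
        if not nxt:
            break
        pid = nxt[0]
    return chain


DEL_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+"?([^"]+)"?', re.IGNORECASE)


def is_self_delete(cmdline, dropped_paths):
    """True when 'cmd.exe /c del' targets a path the sandbox saw dropped,
    i.e. the payload removing its own staged file after injection."""
    m = DEL_RE.search(cmdline)
    return bool(m) and m.group(1).strip().lower() in {p.lower() for p in dropped_paths}


if __name__ == "__main__":
    edges, names = parse_records(RECORDS)
    both, ctx_only = hollowing_candidates(edges, names)
    print("write + SetThreadContext (hollowing):", both)
    print("SetThreadContext only (check MapViewOfSection rows):", ctx_only)
    print("chain:", " -> ".join(injection_chain(edges, names, 788)))
    print("cmd.exe deletes dropped payload:", is_self_delete(CMD_LINE, DROPPED))
```

The same parser works on any Triage-style "set thread context of" / "wrote to memory of" rows once they are split one per line; the point of keeping SetThreadContext-only edges visible is that the hop into Explorer.EXE here would otherwise vanish from a detector that keys only on WriteProcessMemory.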
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (also listed as \Users\Admin\AppData\Local\Temp\AddInProcess32.exe; same file)
MD5: 6a673bfc3b67ae9782cb31af2f234c68
SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
Note: AddInProcess32.exe is also the name of a legitimate .NET Framework binary, so pivot on these hashes rather than on the file name when hunting.
Memory dumps (filesize)
memory/616-82-0x00000000004B0000-0x0000000000543000-memory.dmp: 588KB
memory/616-81-0x0000000002050000-0x0000000002353000-memory.dmp: 3.0MB
memory/616-78-0x0000000000920000-0x000000000092A000-memory.dmp: 40KB
memory/616-80-0x00000000000D0000-0x00000000000FE000-memory.dmp: 184KB
memory/616-76-0x0000000075551000-0x0000000075553000-memory.dmp: 8KB
memory/616-75-0x0000000000000000-mapping.dmp
memory/788-66-0x00000000009C0000-0x00000000009C1000-memory.dmp: 4KB
memory/788-59-0x0000000000210000-0x0000000000211000-memory.dmp: 4KB
memory/788-65-0x00000000007A0000-0x00000000007AB000-memory.dmp: 44KB
memory/788-64-0x0000000004CF1000-0x0000000004CF2000-memory.dmp: 4KB
memory/788-63-0x0000000000670000-0x0000000000691000-memory.dmp: 132KB
memory/788-61-0x0000000004CF0000-0x0000000004CF1000-memory.dmp: 4KB
memory/864-73-0x0000000000200000-0x0000000000214000-memory.dmp: 80KB
memory/864-72-0x0000000000800000-0x0000000000B03000-memory.dmp: 3.0MB
memory/864-69-0x000000000041EB50-mapping.dmp
memory/864-68-0x0000000000400000-0x000000000042E000-memory.dmp: 184KB
memory/1204-74-0x0000000007C30000-0x0000000007D93000-memory.dmp: 1.4MB
memory/1204-83-0x0000000005F00000-0x0000000006010000-memory.dmp: 1.1MB
memory/1784-79-0x0000000000000000-mapping.dmp