Analysis
- max time kernel: 21s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-07-2021 11:38
Static task: static1
Behavioral task: behavioral1
- Sample: PO LS632911DX.exe
- Resource: win7v20210410
General
- Target: PO LS632911DX.exe
- Size: 823KB
- MD5: 27816f5bbff9bb6d4cc2e1be225a435b
- SHA1: fd1f06a502d374711697015cc897fdb28e402e16
- SHA256: c2a7767b9323fd3630a56a3fb09a7884bd7dfb0f7146d5caafff472205e1ebdc
- SHA512: 4bee32d2df168aeba05ceb9e511f84d4a7aa5d08c96047cf6ca0f3241e6d4fb8e4cf5e1cee3e6389e9ceaca400769032bd85b5f323975fdbed4963a3e5a7a217
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- C2: http://www.survivai.com/bsdd/
- Decoy domains:
533dh.com
galerisikayet.xyz
tipsyalligator.com
crystalwellnessstudio.com
moovaap.com
lelfie.network
speedy-trips.com
prospectsolucoes.com
24x7customersservice.com
szbinsen.com
shikhardeals.com
totaldenta.com
ayksjx.com
avxrja.online
24kyule888.com
ufaw.net
spinozone.com
castvoicesmsreg.com
lajollawoodworks.com
renetyson.com
stephanieodennewsletter.com
tuben8.com
thescriptshack.com
macooperativeinc.com
franklinmachado.com
breezeescape.com
conv2app.com
kreditkarten-profi.com
czscjx.com
pvj2019.com
boosagroup.com
inesperienced.com
leschenaultpottery.com
sitvsfit.net
dwsykj.com
touchsquad.com
healthythomas.com
lphomeinspections.com
officialbondandunion.com
snowgreerfamilymemories.com
superheroesindisguise.com
topimportant.com
drillinginsider.com
esflog.net
baliyogacruise.net
sdys999.com
rugpat.com
solarpollo.com
kindrehearts.com
marijuana-medicine.com
thefinal7.com
guardiadeorixa.com
kayeducates.com
francorp.business
wegatherwegrow.com
quientequitalobailado.net
ghostridercreative.com
rachaeveal.com
sourcesysstems.com
xiuli100.com
xmjer.com
support-center-login.network
conversoronlline.com
misinformationnationmovie.com
Signatures
- Formbook Payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/1172-129-0x000000000041EB30-mapping.dmp | formbook
    behavioral2/memory/1172-130-0x0000000000610000-0x000000000063E000-memory.dmp | formbook
- Obfuscated with Agile.Net obfuscator (2 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource | yara_rule
    behavioral2/memory/3008-122-0x0000000007090000-0x00000000070B1000-memory.dmp | agile_net
    behavioral2/memory/3008-125-0x0000000005890000-0x0000000005D8E000-memory.dmp | agile_net
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 3008 set thread context of 1172 | 3008 | PO LS632911DX.exe | PO LS632911DX.exe
- Program crash (1 IoC)
  Processes:
    pid | pid_target | process | target process
    580 | 1172 | WerFault.exe | PO LS632911DX.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    pid | process
    3008 | PO LS632911DX.exe (2 entries)
    580 | WerFault.exe (14 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3008 | PO LS632911DX.exe
    Token: SeRestorePrivilege | 580 | WerFault.exe
    Token: SeBackupPrivilege | 580 | WerFault.exe
    Token: SeDebugPrivilege | 580 | WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 3008 wrote to memory of 1172 | 3008 | PO LS632911DX.exe | PO LS632911DX.exe (6 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\PO LS632911DX.exe (PID 3008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO LS632911DX.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO LS632911DX.exe (PID 1172, child of 3008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO LS632911DX.exe"
    - C:\Windows\SysWOW64\WerFault.exe (PID 580, child of 1172)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 188
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1172-129-0x000000000041EB30-mapping.dmp
- memory/1172-130-0x0000000000610000-0x000000000063E000-memory.dmp (Filesize: 184KB)
- memory/3008-122-0x0000000007090000-0x00000000070B1000-memory.dmp (Filesize: 132KB)
- memory/3008-118-0x00000000059D0000-0x00000000059D1000-memory.dmp (Filesize: 4KB)
- memory/3008-119-0x0000000006290000-0x0000000006291000-memory.dmp (Filesize: 4KB)
- memory/3008-120-0x0000000005890000-0x0000000005D8E000-memory.dmp (Filesize: 5.0MB)
- memory/3008-114-0x0000000000E50000-0x0000000000E51000-memory.dmp (Filesize: 4KB)
- memory/3008-123-0x0000000007160000-0x0000000007161000-memory.dmp (Filesize: 4KB)
- memory/3008-124-0x0000000007130000-0x0000000007131000-memory.dmp (Filesize: 4KB)
- memory/3008-125-0x0000000005890000-0x0000000005D8E000-memory.dmp (Filesize: 5.0MB)
- memory/3008-126-0x00000000079E0000-0x00000000079EB000-memory.dmp (Filesize: 44KB)
- memory/3008-127-0x000000000A000000-0x000000000A001000-memory.dmp (Filesize: 4KB)
- memory/3008-117-0x0000000005930000-0x0000000005931000-memory.dmp (Filesize: 4KB)
- memory/3008-116-0x0000000005D90000-0x0000000005D91000-memory.dmp (Filesize: 4KB)