Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
04-10-2021 09:21
Static task
static1
Behavioral task
behavioral1
Sample
Lettera di restituzione per Siberia LLC.jpeg.exe
Resource
win7-en-20210920
General
-
Target
Lettera di restituzione per Siberia LLC.jpeg.exe
-
Size
893KB
-
MD5
6e2732d297f1666f6c9eed9de730c39e
-
SHA1
54df8b2dc7352b75dd09103f2a399fde314e4e53
-
SHA256
a93b39035f5ae1ace569c25759239f8c0361bf2462cb22f2a780c14de2821fe4
-
SHA512
0ea8f7a145129ba54132b4833952b66783ade6d28cf9f551800018de6b946e661f7c903405e22136acd037335f43ae8668fd27a3419985f3f932e50b8e6d86d8
Malware Config
Extracted
formbook
4.1
n7ak
http://www.kmresults.com/n7ak/
modischoolcbse.com
theneverwinter.com
rszkjx-vps-hosting.website
fnihil.com
1pbet.com
nnowzscorrez.com
uaotgvjl.icu
starmapsqatar.com
ekisilani.com
extradeepsheets.com
jam-nins.com
buranly.com
orixentertainment.com
rawtech.energy
myol.guru
utex.club
jiapie.com
wowig.store
wweidlyyl.com
systaskautomation.com
citromudas3a.com
plasticstone.icu
pawchamamapet.com
beautybybby.com
mor-n-mor.com
getoffyourhighhorses.com
chieucaochoban9.xyz
grahamevansmp.com
amplaassessoria.net
nutricookindia.com
wazymbex.icu
joansironing.com
hallforless.com
mycourseprofits.com
precps.com
cookislandstourismpodcast.com
bestonlinedealslive.com
bug.chat
ptjbtoqonjtrwpvkfgmjvwp.com
tortniespodzianka.store
qxkbjgj.icu
aurashape.com
guinealive.com
mondialeresources.com
offthebreak.site
maxamproductivity.com
thebiztip.com
thelocalrea.com
laeducacionadistancia.com
inpakgroup.com
lvgang360.com
allvegangoods.com
tymudanzaramos.com
simpleframeswork.com
thehappycars.com
directfenetres.net
norskatferdsterapi.com
hostingcnx.com
ksmh5x.com
thespiritworldinvitational.com
jetsetwilly3.com
gameflexdev.com
tryhuge.com
vaporvspaper.com
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1168-116-0x0000000000000000-mapping.dmp formbook behavioral2/memory/1168-118-0x0000000073D80000-0x0000000073DAE000-memory.dmp formbook behavioral2/memory/1324-125-0x0000000000750000-0x000000000077E000-memory.dmp formbook -
Suspicious use of SetThreadContext 2 IoCs
Processes:
mobsync.exenetsh.exedescription pid process target process PID 1168 set thread context of 3024 1168 mobsync.exe Explorer.EXE PID 1324 set thread context of 3024 1324 netsh.exe Explorer.EXE -
Modifies registry class 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
mobsync.exenetsh.exepid process 1168 mobsync.exe 1168 mobsync.exe 1168 mobsync.exe 1168 mobsync.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe 1324 netsh.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3024 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
mobsync.exenetsh.exepid process 1168 mobsync.exe 1168 mobsync.exe 1168 mobsync.exe 1324 netsh.exe 1324 netsh.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
mobsync.exenetsh.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1168 mobsync.exe Token: SeDebugPrivilege 1324 netsh.exe Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 3024 Explorer.EXE 3024 Explorer.EXE 3024 Explorer.EXE 3024 Explorer.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Lettera di restituzione per Siberia LLC.jpeg.exeExplorer.EXEnetsh.exedescription pid process target process PID 900 wrote to memory of 1168 900 Lettera di restituzione per Siberia LLC.jpeg.exe mobsync.exe PID 900 wrote to memory of 1168 900 Lettera di restituzione per Siberia LLC.jpeg.exe mobsync.exe PID 900 wrote to memory of 1168 900 Lettera di restituzione per Siberia LLC.jpeg.exe mobsync.exe PID 900 wrote to memory of 1168 900 Lettera di restituzione per Siberia LLC.jpeg.exe mobsync.exe PID 900 wrote to memory of 1168 900 Lettera di restituzione per Siberia LLC.jpeg.exe mobsync.exe PID 900 wrote to memory of 1168 900 Lettera di restituzione per Siberia LLC.jpeg.exe mobsync.exe PID 3024 wrote to memory of 1324 3024 Explorer.EXE netsh.exe PID 3024 wrote to memory of 1324 3024 Explorer.EXE netsh.exe PID 3024 wrote to memory of 1324 3024 Explorer.EXE netsh.exe PID 1324 wrote to memory of 1428 1324 netsh.exe cmd.exe PID 1324 wrote to memory of 1428 1324 netsh.exe cmd.exe PID 1324 wrote to memory of 1428 1324 netsh.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Lettera di restituzione per Siberia LLC.jpeg.exe"C:\Users\Admin\AppData\Local\Temp\Lettera di restituzione per Siberia LLC.jpeg.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mobsync.exeC:\Windows\System32\mobsync.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\mobsync.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/900-114-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/1168-120-0x0000000004E40000-0x0000000004E54000-memory.dmpFilesize
80KB
-
memory/1168-118-0x0000000073D80000-0x0000000073DAE000-memory.dmpFilesize
184KB
-
memory/1168-117-0x00000000030B0000-0x00000000030B1000-memory.dmpFilesize
4KB
-
memory/1168-119-0x0000000004F90000-0x00000000052B0000-memory.dmpFilesize
3.1MB
-
memory/1168-116-0x0000000000000000-mapping.dmp
-
memory/1324-122-0x0000000000000000-mapping.dmp
-
memory/1324-124-0x0000000001520000-0x000000000153E000-memory.dmpFilesize
120KB
-
memory/1324-125-0x0000000000750000-0x000000000077E000-memory.dmpFilesize
184KB
-
memory/1324-126-0x0000000003540000-0x0000000003860000-memory.dmpFilesize
3.1MB
-
memory/1324-127-0x0000000001160000-0x00000000011F3000-memory.dmpFilesize
588KB
-
memory/1428-123-0x0000000000000000-mapping.dmp
-
memory/3024-121-0x0000000004DA0000-0x0000000004E7F000-memory.dmpFilesize
892KB
-
memory/3024-128-0x0000000002630000-0x00000000026E5000-memory.dmpFilesize
724KB