Analysis

- Max time kernel: 150s
- Max time network: 140s
- Platform: windows10_x64
- Resource: win10-en-20210920
- Submitted: 15-10-2021 06:43

Behavioral task: behavioral1
- Sample: 2.exe
- Resource: win7-en-20210920
General

- Target: 2.exe
- Size: 184KB
- MD5: 57fc9c24357ac2cde150537ae8a42884
- SHA1: 70fdc837d404f465f4af739d7415c24023f437ed
- SHA256: eab2de096cfe890da97a654fb7c14097b1c15242cca986d90811c5722c95b416
- SHA512: 52e6f1d1a6aa7862de48add0b1f1a06d83b72efa5c8856256e3caf2110a457f42c45f54ba8a85776779e201bd12fc8176cd31c1bd8ab500b076096da89adee27
Malware Config

Extracted
- Family: formbook
- Version: 4.1
- Campaign: bc3s
- C2: http://www.topei-products.com/bc3s/
- Decoy domains:
anna-ng.com
mariangelamata.com
szqnbl.com
nesherguitars.com
mysekrit.com
againbeautyviensui.xyz
appf.life
bilalsolution.com
technoratii.com
11restoran.com
birthingly.com
crystalcarrillo.com
cohenasset.info
bunchofdesign.com
highstreetmag.com
talentkerning.com
outdoor-glassesadvice.com
aliceeety.com
habbuhot.info
pao91.com
resgatarpontosparavoce.com
tuancai.net
cnynckcrw.com
visaza.com
paulettecallen.com
kandmfinancialgroup.com
malibuclassix.com
thespoonteller.com
vidyaxyp.com
xn--gmsepetim-q9ab20j.com
saudesexualdoshomens.com
safehandmarketing.com
yebimhieu.site
alimitchellmedia.com
andrewpatrickpiette.com
astro-paradise.com
domainechoquet.com
navihealthpartners.com
detroitveganseafood.com
spankingandpunishment.com
magalu-queromais.com
mallsinup.com
rmsnidlogini.cloud
lifeisveryessential.com
stolzfus.com
iniciala.com
designslayers.com
clinivahq.com
ubersms.com
welenb.com
skyegroupllc.com
happyburger.net
moredate-s.com
alon-mail.com
voceprofessor.com
dokadveri.com
lafabricadisseny.com
westwooddesign.net
blossoms-boutique.com
jumtix.xyz
dietgulfport.com
soccerstreamer.com
lapurtcedd.com
secret-mall.com
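The extracted config above is the part of this report a defender acts on: one C2 URL, a campaign ID (bc3s) and a long list of decoy hosts. The following is an added example, not code from the sandbox or from the sample, that builds a watchlist from that config and runs constructed proxy log lines through it. It also treats any request to a /bc3s/ path as campaign activity even when the host is not in the list; that rests on the public Formbook analyses which describe the bot contacting every host in its config with the same /<campaign>/ path, which this report does not itself state. The log format, the `Hit` record and the hostnames `unlisted.example` and `update.example` are constructed for the example, and the decoy list is truncated to its first entries.

```python
"""Watchlist built from the extracted Formbook config, run over proxy log lines.

Added example, not code from the sandbox or from the sample. Hosts come from the
config above (decoy list truncated); the log lines and record layout are constructed.
"""
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

C2_URL = "http://www.topei-products.com/bc3s/"
CAMPAIGN = "bc3s"
# First entries of the decoy list above; extend with the full list for production use.
DECOY_DOMAINS = [
    "anna-ng.com", "mariangelamata.com", "szqnbl.com", "nesherguitars.com",
    "mysekrit.com", "againbeautyviensui.xyz", "appf.life", "xn--gmsepetim-q9ab20j.com",
]


class Hit(NamedTuple):
    ts: str
    client: str
    host: str
    reason: str


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so config and log forms compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_watchlist(c2_url: str, decoys) -> frozenset:
    """Real C2 host plus every decoy, normalised."""
    hosts = {normalize_host(urlsplit(c2_url).hostname)}
    hosts.update(normalize_host(d) for d in decoys)
    return frozenset(hosts)


# Constructed proxy log layout: <timestamp> <client ip> <method> <url>
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)")


def classify(line: str, watch: frozenset, campaign: str) -> Optional[Hit]:
    """Hit on a listed host, on the /<campaign>/ path, or both; None otherwise."""
    m = _LINE.match(line)
    if not m:
        return None
    ts, client, _method, url = m.groups()
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    host = normalize_host(parts.hostname)
    # Assumption (from public Formbook analyses, not this report): every host in the
    # config is contacted with the same /<campaign>/ path, so the path alone is a signal.
    on_campaign_path = parts.path.lower().startswith(f"/{campaign.lower()}/")
    if host in watch and on_campaign_path:
        return Hit(ts, client, host, "listed host + campaign path")
    if host in watch:
        return Hit(ts, client, host, "listed host")
    if on_campaign_path:
        return Hit(ts, client, host, "campaign path on unlisted host")
    return None


def scan(log: str, watch: frozenset, campaign: str) -> list:
    hits = (classify(line, watch, campaign) for line in log.splitlines())
    return [h for h in hits if h is not None]


# Constructed log lines; not traffic captured from the sandbox run.
SAMPLE_LOG = """\
2021-10-15T06:44:01Z 10.0.0.5 GET http://www.topei-products.com/bc3s/?id=example
2021-10-15T06:44:03Z 10.0.0.5 POST http://www.anna-ng.com/bc3s/
2021-10-15T06:44:05Z 10.0.0.5 POST http://unlisted.example/bc3s/
2021-10-15T06:44:07Z 10.0.0.5 GET http://update.example/index.html
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, build_watchlist(C2_URL, DECOY_DOMAINS), CAMPAIGN):
        print(hit)
```

The third constructed line is the interesting one: the host is not in the config, but the path matches the campaign, which is how a rotated or newly registered decoy still surfaces. Matching on the host list alone would miss it.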
Signatures

Formbook Payload (1 IoC)
  resource:  behavioral2/memory/3436-121-0x00000000029D0000-0x00000000029FE000-memory.dmp
  yara_rule: formbook

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process      target process
  PID 1892 set thread context of 2872  1892  2.exe        Explorer.EXE
  PID 3436 set thread context of 2872  3436  control.exe  Explorer.EXE

Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid   process
  1892  2.exe        (4 IoCs)
  3436  control.exe  (remaining 58 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2872  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process
  1892  2.exe        (3 IoCs)
  3436  control.exe  (2 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1892  2.exe
  Token: SeDebugPrivilege  3436  control.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process       target process
  PID 2872 wrote to memory of 3436  2872  Explorer.EXE  control.exe  (3 IoCs)
  PID 3436 wrote to memory of 3572  3436  control.exe   cmd.exe      (3 IoCs)
Processes

C:\Windows\Explorer.EXE  (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\control.exe  (depth 2)
    Command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\2.exe"
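The process tree and the SetThreadContext / WriteProcessMemory signatures together describe a chain that is easy to key on in endpoint telemetry: 2.exe takes SeDebugPrivilege and sets the thread context of Explorer.EXE; Explorer then starts C:\Windows\SysWOW64\control.exe with an empty command line and writes into it; control.exe in turn sets Explorer's thread context again and spawns cmd.exe /c del to remove the original dropper. The following is an added example, not code from the sandbox or from the sample, that reconstructs that chain from constructed Sysmon-style process-creation records and flags it. The PIDs and paths of the malicious rows are copied from the tree above; Explorer's own parent PID, the benign self-deleting installer rows and the `ProcEvent` / `ChainHit` names are invented for the example.

```python
"""Detect the Explorer -> Windows binary (no args) -> cmd.exe /c del chain from the tree above.

Added example, not code from the sandbox or from the sample. The events are
constructed Sysmon-style process-creation records; PIDs and paths of the malicious
chain are copied from the report, the benign installer rows are invented.
"""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


class ChainHit(NamedTuple):
    explorer_pid: int
    host_pid: int
    host_image: str
    cmd_pid: int
    deleted_path: str


WINDIR = "c:\\windows\\"
# cmd.exe /c del "<path>.exe"  (quotes optional)
_DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?\.exe)"?\s*$', re.IGNORECASE)


def launched_without_args(ev: ProcEvent) -> bool:
    """True when the command line is only the (possibly quoted) image path, as for control.exe above."""
    return ev.cmdline.strip().strip('"').lower() == ev.image.lower()


def is_windows_binary(image: str) -> bool:
    return image.lower().startswith(WINDIR)


def find_chains(events) -> list:
    """Walk each cmd.exe /c del event up two parents and keep the ones that match the chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for cmd in events:
        if not cmd.image.lower().endswith(r"\cmd.exe"):
            continue
        m = _DEL_RE.search(cmd.cmdline)
        if not m:
            continue
        host = by_pid.get(cmd.ppid)
        # The hollowed host is a Windows-shipped binary started with an empty command line.
        if host is None or not is_windows_binary(host.image) or not launched_without_args(host):
            continue
        parent = by_pid.get(host.ppid)
        # ...and its parent is Explorer, which the dropper hijacked via SetThreadContext.
        if parent is None or not parent.image.lower().endswith(r"\explorer.exe"):
            continue
        hits.append(ChainHit(parent.pid, host.pid, host.image, cmd.pid, m.group(1)))
    return hits


# Constructed events. Explorer's parent PID (1000) is invented; the rest follow the report.
EVENTS = [
    ProcEvent(2872, 1000, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1892, 2872, r"C:\Users\Admin\AppData\Local\Temp\2.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2.exe"'),
    ProcEvent(3436, 2872, r"C:\Windows\SysWOW64\control.exe",
              r'"C:\Windows\SysWOW64\control.exe"'),
    ProcEvent(3572, 3436, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\2.exe"'),
    # Invented benign contrast: an installer with arguments that deletes itself the same way.
    ProcEvent(4100, 2872, r"C:\Users\Admin\Downloads\setup.exe",
              r'"C:\Users\Admin\Downloads\setup.exe" /silent'),
    ProcEvent(4120, 4100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del "C:\Users\Admin\Downloads\setup.exe"'),
]

if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print(hit)
```

The cmd.exe /c del step alone is a weak signal, since legitimate installers clean up after themselves the same way; the discriminators are the hollowed host (a binary under C:\Windows started with nothing but its own path) and the Explorer parent, both visible in the tree above. The 184KB region flagged by the formbook yara rule (memory/3436-121) is the unpacked payload inside that control.exe host and is the dump to pull for further analysis.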
Network
MITRE ATT&CK Matrix
Downloads

- memory/1892-116-0x0000000000C00000-0x0000000000CAE000-memory.dmp  Filesize: 696KB
- memory/1892-115-0x0000000000D40000-0x0000000000E8A000-memory.dmp  Filesize: 1.3MB
- memory/2872-117-0x0000000004AE0000-0x0000000004C4C000-memory.dmp  Filesize: 1.4MB
- memory/2872-124-0x0000000004C50000-0x0000000004DD3000-memory.dmp  Filesize: 1.5MB
- memory/3436-118-0x0000000000000000-mapping.dmp
- memory/3436-120-0x0000000000340000-0x0000000000360000-memory.dmp  Filesize: 128KB
- memory/3436-121-0x00000000029D0000-0x00000000029FE000-memory.dmp  Filesize: 184KB
- memory/3436-122-0x00000000045C0000-0x00000000048E0000-memory.dmp  Filesize: 3.1MB
- memory/3436-123-0x0000000004360000-0x00000000043F3000-memory.dmp  Filesize: 588KB
- memory/3572-119-0x0000000000000000-mapping.dmp