Analysis
max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7-en-20211014
submitted: 01-12-2021 09:48

Static task: static1
Behavioral task: behavioral1, sample fbc3f3a7f0f45884391344b59f3be525~.exe, resource win7-en-20211014
Behavioral task: behavioral2, sample fbc3f3a7f0f45884391344b59f3be525~.exe, resource win10-en-20211104
General
Target: fbc3f3a7f0f45884391344b59f3be525~.exe
Size: 685KB
MD5: 545a4dd9df628154e366b4d6d2cd0d8a
SHA1: 8f4119a2b2dbfbd30176fe1dac214f6cad5c4561
SHA256: b04bbb925d5f966d67fbfe7bbd2531e8891b1eb275ef8140006bc48d10e66171
SHA512: ff7fe6d0aae893226bd277c13509584f0169a8804fa85ece1de149e49d9dde379cb1d50990636a5592bbf9abf175e5d5c00344b632183c020ba16556406676f1
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: n7ak
C2: http://www.kmresults.com/n7ak/
Domains in the extracted config (Formbook configs mix the live C2 with decoy domains, so treat these as hunting leads and confirm against observed traffic before blocking on every entry):
modischoolcbse.com
theneverwinter.com
rszkjx-vps-hosting.website
fnihil.com
1pbet.com
nnowzscorrez.com
uaotgvjl.icu
starmapsqatar.com
ekisilani.com
extradeepsheets.com
jam-nins.com
buranly.com
orixentertainment.com
rawtech.energy
myol.guru
utex.club
jiapie.com
wowig.store
wweidlyyl.com
systaskautomation.com
citromudas3a.com
plasticstone.icu
pawchamamapet.com
beautybybby.com
mor-n-mor.com
getoffyourhighhorses.com
chieucaochoban9.xyz
grahamevansmp.com
amplaassessoria.net
nutricookindia.com
wazymbex.icu
joansironing.com
hallforless.com
mycourseprofits.com
precps.com
cookislandstourismpodcast.com
bestonlinedealslive.com
bug.chat
ptjbtoqonjtrwpvkfgmjvwp.com
tortniespodzianka.store
qxkbjgj.icu
aurashape.com
guinealive.com
mondialeresources.com
offthebreak.site
maxamproductivity.com
thebiztip.com
thelocalrea.com
laeducacionadistancia.com
inpakgroup.com
lvgang360.com
allvegangoods.com
tymudanzaramos.com
simpleframeswork.com
thehappycars.com
directfenetres.net
norskatferdsterapi.com
hostingcnx.com
ksmh5x.com
thespiritworldinvitational.com
jetsetwilly3.com
gameflexdev.com
tryhuge.com
vaporvspaper.com
Signatures

Formbook Payload (3 IoCs)
yara rule "formbook" matched the following memory dumps:
  behavioral1/memory/1860-62-0x0000000000000000-mapping.dmp
  behavioral1/memory/1860-66-0x0000000072480000-0x00000000724AE000-memory.dmp
  behavioral1/memory/1808-73-0x00000000000D0000-0x00000000000FE000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoC)
Process: fbc3f3a7f0f45884391344b59f3be525~.exe
Set value (str): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Juknwfue = "C:\\Users\\Admin\\Contacts\\eufwnkuJ.url"
Note that the Run value does not point at the dropped executable but at a .url Internet shortcut under the user's Contacts folder; a Run entry whose data is a .url file rather than an executable is itself a useful hunting criterion.

Suspicious use of SetThreadContext (2 IoCs)
  PID 1860 DpiScaling.exe set thread context of PID 1200 Explorer.EXE
  PID 1808 msiexec.exe set thread context of PID 1200 Explorer.EXE

Suspicious behavior: EnumeratesProcesses (27 IoCs)
  PID 1860 DpiScaling.exe (2 hits)
  PID 1808 msiexec.exe (25 hits)

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 1860 DpiScaling.exe (3 hits)
  PID 1808 msiexec.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1860 DpiScaling.exe
  Token: SeDebugPrivilege, PID 1808 msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1200 Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1200 Explorer.EXE (2 hits)

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1584 fbc3f3a7f0f45884391344b59f3be525~.exe wrote to memory of PID 1860 DpiScaling.exe (7 hits)
  PID 1200 Explorer.EXE wrote to memory of PID 1808 msiexec.exe (7 hits)
  PID 1808 msiexec.exe wrote to memory of PID 1408 cmd.exe (4 hits)
Processes
- C:\Windows\Explorer.EXE (PID 1200), command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fbc3f3a7f0f45884391344b59f3be525~.exe (PID 1584), command line: "C:\Users\Admin\AppData\Local\Temp\fbc3f3a7f0f45884391344b59f3be525~.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\DpiScaling.exe (PID 1860), command line: C:\Windows\System32\DpiScaling.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\msiexec.exe (PID 1808), command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1408), command line: /c del "C:\Windows\SysWOW64\DpiScaling.exe"

PIDs are taken from the signature tables above. The chain reads as: the sample (1584) writes into a freshly started DpiScaling.exe (1860) and that process sets a thread context on Explorer.EXE (1200); Explorer.EXE, now carrying injected code, writes into an argument-less msiexec.exe (1808) it spawned, which sets a thread context back on Explorer.EXE and finally runs cmd.exe to delete the DpiScaling.exe image. The command line names C:\Windows\System32\DpiScaling.exe but the image path is under SysWOW64, which is WOW64 file system redirection for a 32-bit process; every process in the chain is 32-bit. The parent of msiexec.exe being Explorer.EXE rather than the sample is what makes this second stage blend in with ordinary user activity.
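The following is an added example written for this page; it is not part of the sandbox report and not Triage's or Formbook's code. It parses signature rows in the flattened "PID <src> <verb> <dst> <src> <src image> <dst image>" shape the report uses, rebuilds the write/thread-context graph, and applies the chain logic a detection engineer would take from the tables above: a process that was written into and then hijacks an Explorer thread, Explorer writing into a child that hijacks Explorer back, SeDebugPrivilege in an injector, and a Run value pointing at a .url shortcut. The input rows are constructed from this report's own tables; the rule names and the `formbook_like` threshold are the author's assumptions, not a published signature.

```python
import re
from collections import defaultdict

# Constructed input (hypothetical, not captured from the sandbox): the rows of the
# signature tables above, re-typed in the flattened shape the report uses,
#   "PID <src> <verb> <dst> <src> <src image> <dst image>"
# plus the token and registry rows in their own shapes.
SAMPLE_ROWS = r"""
PID 1584 wrote to memory of 1860 1584 fbc3f3a7f0f45884391344b59f3be525~.exe DpiScaling.exe
PID 1860 set thread context of 1200 1860 DpiScaling.exe Explorer.EXE
PID 1200 wrote to memory of 1808 1200 Explorer.EXE msiexec.exe
PID 1808 set thread context of 1200 1808 msiexec.exe Explorer.EXE
PID 1808 wrote to memory of 1408 1808 msiexec.exe cmd.exe
Token: SeDebugPrivilege 1860 DpiScaling.exe
Token: SeDebugPrivilege 1808 msiexec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Juknwfue = "C:\\Users\\Admin\\Contacts\\eufwnkuJ.url" fbc3f3a7f0f45884391344b59f3be525~.exe
""".strip().splitlines()

RE_WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
RE_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")
RE_TOKEN = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
RE_REG = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+)$')


def parse_rows(rows):
    """Turn the flattened rows into edge lists keyed by PID plus a PID -> image map."""
    ev = {"wpm": [], "ctx": [], "priv": [], "reg": []}
    names = {}
    for row in rows:
        if m := RE_WPM.match(row):
            src, dst, sname, dname = m.groups()
            names.update({src: sname, dst: dname})
            ev["wpm"].append((src, dst))
        elif m := RE_CTX.match(row):
            src, dst, sname, dname = m.groups()
            names.update({src: sname, dst: dname})
            ev["ctx"].append((src, dst))
        elif m := RE_TOKEN.match(row):
            priv, pid, name = m.groups()
            names[pid] = name
            ev["priv"].append((pid, priv))
        elif m := RE_REG.match(row):
            ev["reg"].append(m.groups())  # (value path, data, writing process)
    return ev, names


def detect(rows):
    """Apply the chain rules; returns (tag, message) findings in row order."""
    ev, names = parse_rows(rows)
    written_by = defaultdict(set)  # victim PID -> set of PIDs that wrote into it
    for src, dst in ev["wpm"]:
        written_by[dst].add(src)
    debug_holders = {pid for pid, priv in ev["priv"] if priv == "SeDebugPrivilege"}
    findings = []

    for src, dst in ev["ctx"]:
        if names.get(dst, "").lower() != "explorer.exe":
            continue  # these rules are specific to hijacking the shell process
        who = names.get(src, src)
        writers = written_by.get(src, set())
        if writers:
            # A process that someone else wrote into, now redirecting an Explorer
            # thread: the hollowed first stage handing control to the shell.
            by = ", ".join(names.get(p, p) for p in sorted(writers))
            findings.append(("hollowed_to_explorer",
                             f"{who} ({src}) was written into by {by} and then set a thread context on Explorer.EXE"))
        if dst in writers:
            # Explorer itself wrote into the process that now hijacks Explorer back.
            findings.append(("explorer_roundtrip",
                             f"Explorer.EXE wrote into {who} ({src}), which set a thread context back on Explorer.EXE"))
        if src in debug_holders:
            findings.append(("debugpriv_injector",
                             f"{who} ({src}) enabled SeDebugPrivilege and injected into Explorer.EXE"))

    for key, data, proc in ev["reg"]:
        if "\\currentversion\\run\\" in key.lower() and data.lower().endswith(".url"):
            # Run values normally name an executable; a .url shortcut under the
            # user profile is how this sample regains control at logon.
            vname = key.rsplit("\\", 1)[-1]
            findings.append(("run_key_url",
                             f"{proc} set Run value {vname} to Internet shortcut {data}"))
    return findings


def formbook_like(rows):
    """True when both injection stages and the Run-key persistence are all present."""
    tags = {tag for tag, _ in detect(rows)}
    return {"hollowed_to_explorer", "explorer_roundtrip", "run_key_url"} <= tags


if __name__ == "__main__":
    for tag, msg in detect(SAMPLE_ROWS):
        print(f"[{tag}] {msg}")
    print("formbook-like chain:", formbook_like(SAMPLE_ROWS))
```

The two-stage rule is deliberately stricter than alerting on any SetThreadContext against Explorer.EXE: requiring that the hijacking process was itself written into, and that Explorer later writes into a second process that hijacks it again, separates this chain from single-shot injectors and from legitimate shell extensions. Run the same functions over rows from a real EDR export by rewriting only the four regular expressions.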
Downloads (memory dumps)
dump  filesize
memory/1200-77-0x00000000067D0000-0x00000000068FD000-memory.dmp  1.2MB
memory/1200-69-0x0000000007570000-0x00000000076A9000-memory.dmp  1.2MB
memory/1408-75-0x0000000000000000-mapping.dmp
memory/1584-57-0x0000000000342000-0x0000000000343000-memory.dmp  4KB
memory/1584-56-0x0000000000331000-0x0000000000342000-memory.dmp  68KB
memory/1584-58-0x0000000000230000-0x0000000000231000-memory.dmp  4KB
memory/1584-55-0x0000000074F21000-0x0000000074F23000-memory.dmp  8KB
memory/1808-70-0x0000000000000000-mapping.dmp
memory/1808-76-0x0000000001EA0000-0x0000000001F33000-memory.dmp  588KB
memory/1808-74-0x0000000002170000-0x0000000002473000-memory.dmp  3.0MB
memory/1808-73-0x00000000000D0000-0x00000000000FE000-memory.dmp  184KB
memory/1808-72-0x0000000000A80000-0x0000000000A94000-memory.dmp  80KB
memory/1860-59-0x0000000072480000-0x00000000724AE000-memory.dmp  184KB
memory/1860-68-0x0000000000290000-0x00000000002A4000-memory.dmp  80KB
memory/1860-67-0x0000000002030000-0x0000000002333000-memory.dmp  3.0MB
memory/1860-66-0x0000000072480000-0x00000000724AE000-memory.dmp  184KB
memory/1860-65-0x0000000000090000-0x0000000000091000-memory.dmp  4KB
memory/1860-62-0x0000000000000000-mapping.dmp
memory/1860-60-0x0000000000080000-0x0000000000081000-memory.dmp  4KB

The two 184KB regions that the formbook yara rule matched (1860-66 in DpiScaling.exe and 1808-73 in msiexec.exe) are the same size, consistent with the same unpacked payload being carried through both injection stages; the two 1.2MB regions in Explorer.EXE (1200-69, 1200-77) are the ones written into the shell and are the dumps to start from when extracting the payload.