Analysis
max time kernel: 147s
max time network: 141s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 12:01
Static task: static1
Behavioral task: behavioral1
Sample: PO #78574764 June 4-2020.exe
Resource: win7-20220414-en
General
Target: PO #78574764 June 4-2020.exe
Size: 422KB
MD5: 130322a1fd284d7d585221381038c584
SHA1: 620933b28bb9de45a0f72a415c0bfc85efcbb442
SHA256: 2bd1995c8c2b3f35906807ce4697151cf801af339579cd7b86e467df6474dafa
SHA512: 3eaacdf8edd846d27059a04217540f561f8e592b537ce57412b45b67f797b7b25f8f76b7158ada512567a6f642911aa425475da656c29d7524d0995684d466d5
Malware Config
Extracted
formbook
4.1
i0qi
Signatures
-
Formbook Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1932-57-0x0000000000630000-0x000000000065D000-memory.dmp | formbook
behavioral1/memory/1328-65-0x00000000000C0000-0x00000000000ED000-memory.dmp | formbook
Deletes itself 1 IoCs
Processes:
pid | process
1896 | cmd.exe
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | PO #78574764 June 4-2020.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | PO #78574764 June 4-2020.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 1932 set thread context of 1356 | 1932 | PO #78574764 June 4-2020.exe | Explorer.EXE
PID 1328 set thread context of 1356 | 1328 | wininit.exe | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid | process
1932 | PO #78574764 June 4-2020.exe
1932 | PO #78574764 June 4-2020.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
1328 | wininit.exe
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
1932 | PO #78574764 June 4-2020.exe
1932 | PO #78574764 June 4-2020.exe
1932 | PO #78574764 June 4-2020.exe
1328 | wininit.exe
1328 | wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1932 | PO #78574764 June 4-2020.exe
Token: SeDebugPrivilege | 1328 | wininit.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1356 | Explorer.EXE
1356 | Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
1356 | Explorer.EXE
1356 | Explorer.EXE
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 1356 wrote to memory of 1328 | 1356 | Explorer.EXE | wininit.exe
PID 1356 wrote to memory of 1328 | 1356 | Explorer.EXE | wininit.exe
PID 1356 wrote to memory of 1328 | 1356 | Explorer.EXE | wininit.exe
PID 1356 wrote to memory of 1328 | 1356 | Explorer.EXE | wininit.exe
PID 1328 wrote to memory of 1896 | 1328 | wininit.exe | cmd.exe
PID 1328 wrote to memory of 1896 | 1328 | wininit.exe | cmd.exe
PID 1328 wrote to memory of 1896 | 1328 | wininit.exe | cmd.exe
PID 1328 wrote to memory of 1896 | 1328 | wininit.exe | cmd.exe
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\PO #78574764 June 4-2020.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PO #78574764 June 4-2020.exe"
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wininit.exe
    command line: "C:\Windows\SysWOW64\wininit.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO #78574764 June 4-2020.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1328-62-0x0000000000000000-mapping.dmp
memory/1328-67-0x0000000000630000-0x00000000006C3000-memory.dmp | Filesize 588KB
memory/1328-66-0x0000000002010000-0x0000000002313000-memory.dmp | Filesize 3.0MB
memory/1328-65-0x00000000000C0000-0x00000000000ED000-memory.dmp | Filesize 180KB
memory/1328-64-0x00000000003E0000-0x00000000003FA000-memory.dmp | Filesize 104KB
memory/1356-61-0x0000000006AE0000-0x0000000006C41000-memory.dmp | Filesize 1.4MB
memory/1356-68-0x0000000006D70000-0x0000000006E75000-memory.dmp | Filesize 1.0MB
memory/1896-63-0x0000000000000000-mapping.dmp
memory/1932-54-0x0000000000F20000-0x0000000000F8E000-memory.dmp | Filesize 440KB
memory/1932-60-0x0000000000890000-0x00000000008A4000-memory.dmp | Filesize 80KB
memory/1932-59-0x0000000005050000-0x0000000005353000-memory.dmp | Filesize 3.0MB
memory/1932-57-0x0000000000630000-0x000000000065D000-memory.dmp | Filesize 180KB
memory/1932-56-0x0000000000450000-0x000000000048C000-memory.dmp | Filesize 240KB
memory/1932-55-0x0000000000590000-0x00000000005DE000-memory.dmp | Filesize 312KB