Analysis
max time kernel: 187s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 21:20
Static task: static1
Behavioral task: behavioral1
Sample: PO KIPO000903 KIND122822.exe
Resource: win7-20220812-en (this is the behavioral1 task; the signatures and memory dumps listed below are tagged behavioral2, the win10v2004-20221111-en run described above)
General
Target: PO KIPO000903 KIND122822.exe
Size: 636KB
MD5: 3b61d04e555f74f42e22c71a5885ac71
SHA1: 9c774e98b87394627d311a552d8bde85d57b327c
SHA256: ab2af768a15bf36f36de51389f4ee62cb0816779473a53716cee76734bda7538
SHA512: f7363fa7857e791e6fd9320fba7c1d3927fd4c0aa6a7935a88ffabd747323f0e93d12a8f3c4be2625606e86c8f612e4271ef9ee41848d3bf2a8bdc4fed328f70
SSDEEP: 12288:yucKpbKbf92TXwpL3sMcIobFB5BD8tVvkwkrscPA3QR+:yF4bKOORcIoxBDr1P/
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: d94i
Domains (64). Formbook configs mix the single live C2 into a list of decoy domains, so treat these as hunting candidates to be confirmed against network telemetry rather than as a ready-made blocklist; blocking the whole list blindly would hit legitimate sites.
drain-pipe-cleaning-74655.com
culligandiiy.com
lknja.shop
salon-atmosfera.ru
steamgeneratorboilers.com
drain-pipe-cleaning-30896.com
dinoton.fun
feed-v.com
aym-brum.co.uk
bxztil.xyz
infinite-transformation.com
caticmicro.com
abrahamgranda.com
cleaninggem.com
hi5279.com
jainsdigitalservices.com
cglsuperset.com
kephatonrx.com
babyhandmold.com
braceelet.com
binotel.online
hengyangwangc.com
177787.com
dapperexperiences.com
perfectlyvintage.co.uk
ivoneartes.com
freightbyu.com
hotelvillaverdehn.com
igor-paixao.com
packmask.co.uk
lotuslandticketspice.com
mgkmanufacturing.com
casamollyshop.com
euterpe-paris-violin.com
imfeelingluckyongoogle.com
1wwxbc.top
9pdygwqg.com
akinsoftayvalik.xyz
kicoat.com
badgescottage.co.uk
bigbagsale.shop
scintillatecreative.com
thisguycancook.africa
truevision.africa
aapainternational.com
andrea-fuchs.com
thetrendshop.co.uk
pinkshea.co.uk
historiafilia.com
imaginationlbrary.com
electionfactsnc.com
cyberparkbhutani.com
freshcouponz.com
altyazili90.xyz
lidraulico.info
cardedeuweb.com
chacossandalsuk.com
10bconsulting.com
koziime.com
peek-a.boo
iuwamz.top
stonebridgetops.co.uk
heck-akunwso.xyz
helveticabold.co.uk
schoolcut.org.uk
Signatures

Read together, the signatures below describe the usual Formbook execution chain: the dropper (PID 4524) starts a second copy of itself (PID 4460), writes into it and replaces its thread context (process hollowing); the hollowed copy enables SeDebugPrivilege, enumerates processes, maps a section and rewrites the thread context of Explorer.EXE (PID 772); Explorer then launches C:\Windows\SysWOW64\mstsc.exe (PID 3268) and writes into it.

Formbook payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4460-138-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/4460-143-0x0000000000400000-0x000000000042F000-memory.dmp | formbook

Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | target process
PID 4524 set thread context of 4460 | 4524 | PO KIPO000903 KIND122822.exe | PO KIPO000903 KIND122822.exe
PID 4460 set thread context of 772 | 4460 | PO KIPO000903 KIND122822.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | process
4460 | PO KIPO000903 KIND122822.exe (4 events)

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | process
4460 | PO KIPO000903 KIND122822.exe (3 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4460 | PO KIPO000903 KIND122822.exe
Token: SeShutdownPrivilege | 772 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 772 | Explorer.EXE

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target process
PID 4524 wrote to memory of 4460 (6 events) | 4524 | PO KIPO000903 KIND122822.exe | PO KIPO000903 KIND122822.exe
PID 772 wrote to memory of 3268 (3 events) | 772 | Explorer.EXE | mstsc.exe
Processes

C:\Windows\Explorer.EXE (PID 772), command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe (PID 4524), command line: "C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe (PID 4460), command line: "C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\mstsc.exe (PID 3268), command line: "C:\Windows\SysWOW64\mstsc.exe"
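The process tree and signature tables above are the raw material for a detection rule. The script below is an added example, not part of the sandbox report and not a sandbox API: it encodes the report's process table and injection events as plain Python records (constructed by hand from the PIDs above; the field names, rule labels and the event ordering are my own assumptions) and reconstructs the hollowing-then-Explorer-then-mstsc chain from them.

```python
"""Reconstruct the Formbook injection chain from per-event records.

Added example; not part of the sandbox report. PROCESSES and EVENTS are
constructed from the report's Processes and Signatures sections (PIDs 772,
4524, 4460, 3268). Rule names and the event order are my own assumptions.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed from the process tree: pid -> (parent pid, image path).
PROCESSES = {
    772:  (None, r"C:\Windows\Explorer.EXE"),
    4524: (772,  r"C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"),
    4460: (4524, r"C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"),
    3268: (772,  r"C:\Windows\SysWOW64\mstsc.exe"),
}

# Constructed from the signature tables: (api, source pid, target).
# The report gives counts, not timestamps; the order here is assumed.
EVENTS = (
    [("WriteProcessMemory", 4524, 4460)] * 6
    + [("SetThreadContext", 4524, 4460)]
    + [("AdjustPrivilegeToken", 4460, "SeDebugPrivilege")]
    + [("SetThreadContext", 4460, 772)]
    + [("WriteProcessMemory", 772, 3268)] * 3
)


def image_name(processes, pid):
    return PureWindowsPath(processes[pid][1]).name.lower()


def chain_findings(processes, events):
    """Return (rule, source pid, target pid) tuples in chain order."""
    # First pass: which processes enabled SeDebugPrivilege at any point.
    privileged = {src for api, src, tgt in events
                  if api == "AdjustPrivilegeToken" and tgt == "SeDebugPrivilege"}
    writes = defaultdict(int)   # (src, dst) -> WriteProcessMemory count
    hijacked = set()            # pids whose thread context was rewritten
    findings = []
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
            parent, path = processes[dst]
            # A process that was itself injected into now writing into a child
            # it spawned from SysWOW64: the final migration step in the report.
            if (src in hijacked and parent == src
                    and "\\syswow64\\" in path.lower() and writes[(src, dst)] == 1):
                findings.append(("injected-host-writes-syswow64-child", src, dst))
        elif api == "SetThreadContext":
            hijacked.add(dst)
            parent, _ = processes[dst]
            same_image = image_name(processes, src) == image_name(processes, dst)
            if parent == src and same_image and writes[(src, dst)]:
                # Writes followed by a thread-context rewrite on a child running
                # the same image: self process hollowing.
                findings.append(("self-hollowing", src, dst))
            elif image_name(processes, dst) == "explorer.exe":
                rule = "explorer-injection"
                if src in privileged:
                    rule += "-with-sedebug"
                findings.append((rule, src, dst))
            else:
                findings.append(("thread-context-hijack", src, dst))
    return findings


if __name__ == "__main__":
    for rule, src, dst in chain_findings(PROCESSES, EVENTS):
        print(f"{rule}: {src} -> {dst}")
```

On real EDR telemetry the same logic needs a process-creation event to populate the parent map and a per-boot key (PID plus creation time) instead of a bare PID, since PIDs are reused; the report's single run does not show that problem.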
Downloads (memory dumps)
file | size
memory/772-142-0x0000000008690000-0x00000000087C7000-memory.dmp | 1.2MB
memory/3268-144-0x0000000000000000-mapping.dmp | n/a
memory/4460-137-0x0000000000000000-mapping.dmp | n/a
memory/4460-138-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/4460-140-0x00000000018A0000-0x0000000001BEA000-memory.dmp | 3.3MB
memory/4460-141-0x0000000001860000-0x0000000001874000-memory.dmp | 80KB
memory/4460-143-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/4524-132-0x0000000000530000-0x00000000005D6000-memory.dmp | 664KB
memory/4524-133-0x0000000005720000-0x0000000005CC4000-memory.dmp | 5.6MB
memory/4524-134-0x0000000005250000-0x00000000052E2000-memory.dmp | 584KB
memory/4524-135-0x0000000005220000-0x000000000522A000-memory.dmp | 40KB
memory/4524-136-0x0000000000EC0000-0x0000000000F5C000-memory.dmp | 624KB
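The dump names above encode the PID, a sequence number and the virtual address range of each region, and the two Formbook YARA hits point at one of them. The parser below is an added example, not the sandbox's own code: it reconstructs that naming scheme (my reading of the names, not a documented format), recomputes the sizes the report shows, and ties the YARA hit resources back to the region they fired on. Dump names and hit resources are copied from this page; everything else is assumed.

```python
"""Parse sandbox memory-dump names and tie them to the YARA hits.

Added example; not the sandbox's code. The naming scheme is inferred from
the names on this page:
  memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   (a dumped region)
  memory/<pid>-<seq>-0x0-mapping.dmp                (a mapping record, no range)
"""
import re
from typing import List, NamedTuple, Optional

DUMP_RE = re.compile(
    r"^(?:\w+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


class Dump(NamedTuple):
    pid: int
    seq: int
    start: int
    end: Optional[int]          # None for a "-mapping.dmp" entry

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_dump(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    end = m.group("end")
    return Dump(int(m.group("pid")), int(m.group("seq")),
                int(m.group("start"), 16), int(end, 16) if end else None)


def human_size(n: int) -> str:
    """Render like the report: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


# Copied from the Downloads list on this page.
DUMPS = [
    "memory/772-142-0x0000000008690000-0x00000000087C7000-memory.dmp",
    "memory/3268-144-0x0000000000000000-mapping.dmp",
    "memory/4460-137-0x0000000000000000-mapping.dmp",
    "memory/4460-138-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/4460-140-0x00000000018A0000-0x0000000001BEA000-memory.dmp",
    "memory/4460-141-0x0000000001860000-0x0000000001874000-memory.dmp",
    "memory/4460-143-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/4524-132-0x0000000000530000-0x00000000005D6000-memory.dmp",
    "memory/4524-133-0x0000000005720000-0x0000000005CC4000-memory.dmp",
    "memory/4524-134-0x0000000005250000-0x00000000052E2000-memory.dmp",
    "memory/4524-135-0x0000000005220000-0x000000000522A000-memory.dmp",
    "memory/4524-136-0x0000000000EC0000-0x0000000000F5C000-memory.dmp",
]

# Copied from the "Formbook payload" signature: resource -> yara_rule.
YARA_HITS = {
    "behavioral2/memory/4460-138-0x0000000000400000-0x000000000042F000-memory.dmp": "formbook",
    "behavioral2/memory/4460-143-0x0000000000400000-0x000000000042F000-memory.dmp": "formbook",
}


def summarize(names: List[str]):
    """(name, size-as-shown) for every dump; mapping entries get 'n/a'."""
    out = []
    for n in names:
        d = parse_dump(n)
        out.append((n, "n/a" if d.size is None else human_size(d.size)))
    return out


def payload_regions(names: List[str], hits):
    """Dumps carrying a YARA hit, flagged when they sit at 0x400000, the
    default 32-bit image base, i.e. the hollowed copy's executable image."""
    index = {(d.pid, d.seq): d for d in map(parse_dump, names)}
    out = []
    for resource, rule in hits.items():
        h = parse_dump(resource)
        d = index.get((h.pid, h.seq))
        if d is not None and d.size is not None:
            out.append((d.pid, d.seq, rule, d.start == 0x400000, human_size(d.size)))
    return out


if __name__ == "__main__":
    for name, size in summarize(DUMPS):
        print(f"{size:>6}  {name}")
    for row in payload_regions(DUMPS, YARA_HITS):
        print("payload region:", row)
```

The region both hits land on is 0x400000-0x42F000 in PID 4460, the hollowed copy; it is the one to pull and unpack for the config shown above, whereas the larger 4524 regions belong to the dropper stage.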