Analysis
- max time kernel: 40s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15-07-2021 09:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9ea8f0cefae38838925df14a6f2a29d6.exe
- Resource: win7v20210408
General
- Target: 9ea8f0cefae38838925df14a6f2a29d6.exe
- Size: 917KB
- MD5: 9ea8f0cefae38838925df14a6f2a29d6
- SHA1: 39e17f53087911a9d716f7e1d4c93789995de4de
- SHA256: 7d46e9015525b4cc3c23cd864847208ec36bad8ddfadb56b672d8c0acbfeae6a
- SHA512: e5fb01e53387ae415ff66b091ef6687ae0319d0abb117028c4123e2187488a8252ebeafbc96f5ff135498b10fa622399a4f37bda963cd884a3e517ffe32b7815
Malware Config
Extracted: formbook 4.1
http://www.survivai.com/bsdd/
533dh.com
galerisikayet.xyz
tipsyalligator.com
crystalwellnessstudio.com
moovaap.com
lelfie.network
speedy-trips.com
prospectsolucoes.com
24x7customersservice.com
szbinsen.com
shikhardeals.com
totaldenta.com
ayksjx.com
avxrja.online
24kyule888.com
ufaw.net
spinozone.com
castvoicesmsreg.com
lajollawoodworks.com
renetyson.com
stephanieodennewsletter.com
tuben8.com
thescriptshack.com
macooperativeinc.com
franklinmachado.com
breezeescape.com
conv2app.com
kreditkarten-profi.com
czscjx.com
pvj2019.com
boosagroup.com
inesperienced.com
leschenaultpottery.com
sitvsfit.net
dwsykj.com
touchsquad.com
healthythomas.com
lphomeinspections.com
officialbondandunion.com
snowgreerfamilymemories.com
superheroesindisguise.com
topimportant.com
drillinginsider.com
esflog.net
baliyogacruise.net
sdys999.com
rugpat.com
solarpollo.com
kindrehearts.com
marijuana-medicine.com
thefinal7.com
guardiadeorixa.com
kayeducates.com
francorp.business
wegatherwegrow.com
quientequitalobailado.net
ghostridercreative.com
rachaeveal.com
sourcesysstems.com
xiuli100.com
xmjer.com
support-center-login.network
conversoronlline.com
misinformationnationmovie.com
Signatures
- Formbook Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1096-128-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral2/memory/1096-129-0x000000000041EB30-mapping.dmp | formbook
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral2/memory/3948-122-0x0000000005CE0000-0x0000000005D01000-memory.dmp | agile_net
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3948 set thread context of 1096 | 3948 | 9ea8f0cefae38838925df14a6f2a29d6.exe | 9ea8f0cefae38838925df14a6f2a29d6.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  3948 | 9ea8f0cefae38838925df14a6f2a29d6.exe
  3948 | 9ea8f0cefae38838925df14a6f2a29d6.exe
  1096 | 9ea8f0cefae38838925df14a6f2a29d6.exe
  1096 | 9ea8f0cefae38838925df14a6f2a29d6.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 3948 | 9ea8f0cefae38838925df14a6f2a29d6.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 3948 wrote to memory of 1096 | 3948 | 9ea8f0cefae38838925df14a6f2a29d6.exe | 9ea8f0cefae38838925df14a6f2a29d6.exe
  PID 3948 wrote to memory of 1096 | 3948 | 9ea8f0cefae38838925df14a6f2a29d6.exe | 9ea8f0cefae38838925df14a6f2a29d6.exe
  PID 3948 wrote to memory of 1096 | 3948 | 9ea8f0cefae38838925df14a6f2a29d6.exe | 9ea8f0cefae38838925df14a6f2a29d6.exe
  PID 3948 wrote to memory of 1096 | 3948 | 9ea8f0cefae38838925df14a6f2a29d6.exe | 9ea8f0cefae38838925df14a6f2a29d6.exe
  PID 3948 wrote to memory of 1096 | 3948 | 9ea8f0cefae38838925df14a6f2a29d6.exe | 9ea8f0cefae38838925df14a6f2a29d6.exe
  PID 3948 wrote to memory of 1096 | 3948 | 9ea8f0cefae38838925df14a6f2a29d6.exe | 9ea8f0cefae38838925df14a6f2a29d6.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\9ea8f0cefae38838925df14a6f2a29d6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ea8f0cefae38838925df14a6f2a29d6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\9ea8f0cefae38838925df14a6f2a29d6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9ea8f0cefae38838925df14a6f2a29d6.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1096-128-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
- memory/1096-130-0x0000000001A00000-0x0000000001D20000-memory.dmp (Filesize 3.1MB)
- memory/1096-129-0x000000000041EB30-mapping.dmp
- memory/3948-122-0x0000000005CE0000-0x0000000005D01000-memory.dmp (Filesize 132KB)
- memory/3948-119-0x0000000005C40000-0x0000000005C41000-memory.dmp (Filesize 4KB)
- memory/3948-120-0x0000000005D10000-0x0000000005D11000-memory.dmp (Filesize 4KB)
- memory/3948-114-0x0000000000900000-0x0000000000901000-memory.dmp (Filesize 4KB)
- memory/3948-123-0x0000000006BE0000-0x0000000006BE1000-memory.dmp (Filesize 4KB)
- memory/3948-124-0x0000000006BA0000-0x0000000006BA1000-memory.dmp (Filesize 4KB)
- memory/3948-125-0x0000000005D11000-0x0000000005D12000-memory.dmp (Filesize 4KB)
- memory/3948-126-0x0000000006DF0000-0x0000000006DFB000-memory.dmp (Filesize 44KB)
- memory/3948-127-0x0000000006E00000-0x0000000006E01000-memory.dmp (Filesize 4KB)
- memory/3948-118-0x00000000052E0000-0x00000000052E1000-memory.dmp (Filesize 4KB)
- memory/3948-117-0x0000000005240000-0x0000000005241000-memory.dmp (Filesize 4KB)
- memory/3948-116-0x00000000056A0000-0x00000000056A1000-memory.dmp (Filesize 4KB)