Analysis
- max time kernel: 178s
- max time network: 195s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:56
- Static task: static1
- Behavioral task: behavioral1
- Sample: Alpha 7763826639.exe
- Resource: win7-20220414-en
General
- Target: Alpha 7763826639.exe
- Size: 496KB
- MD5: 9e3db9c40093f7a159827ab2a9de640e
- SHA1: e9a5ae757342e4ac6d21bc0e33f0e703104dcf03
- SHA256: 31f02d35e3e941b42298936bd026b39a5d682825bc4b4277945f9f0143617931
- SHA512: 6a57ac5b688e2bc8a0a24230bdf60a3146216e54a986ba0c6083b400582e5f94ba6dcd14b95458f8a1bef53076ba32d74d663222e7e82600d454c720134adda1
Malware Config
Extracted
formbook
4.1
q5e
Signatures

Formbook Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/704-135-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
behavioral2/memory/4400-143-0x00000000001D0000-0x00000000001FD000-memory.dmp | formbook

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 3308 set thread context of 704 | 3308 | Alpha 7763826639.exe | Alpha 7763826639.exe
PID 704 set thread context of 3252 | 704 | Alpha 7763826639.exe | Explorer.EXE
PID 4400 set thread context of 3252 | 4400 | cmd.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (37 IoCs)
pid | process | occurrences
3308 | Alpha 7763826639.exe | 7
704 | Alpha 7763826639.exe | 4
4400 | cmd.exe | 26

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
3252 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | occurrences
704 | Alpha 7763826639.exe | 3
4400 | cmd.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3308 | Alpha 7763826639.exe
Token: SeDebugPrivilege | 704 | Alpha 7763826639.exe
Token: SeDebugPrivilege | 4400 | cmd.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | process | target process | occurrences
PID 3308 wrote to memory of 444 | 3308 | Alpha 7763826639.exe | Alpha 7763826639.exe | 3
PID 3308 wrote to memory of 2496 | 3308 | Alpha 7763826639.exe | Alpha 7763826639.exe | 3
PID 3308 wrote to memory of 980 | 3308 | Alpha 7763826639.exe | Alpha 7763826639.exe | 3
PID 3308 wrote to memory of 704 | 3308 | Alpha 7763826639.exe | Alpha 7763826639.exe | 6
PID 3252 wrote to memory of 4400 | 3252 | Explorer.EXE | cmd.exe | 3
PID 4400 wrote to memory of 4344 | 4400 | cmd.exe | cmd.exe | 3
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
      command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
      command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
      command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/444-131-0x0000000000000000-mapping.dmp
- memory/704-138-0x00000000012E0000-0x00000000012F4000-memory.dmp (Filesize 80KB)
- memory/704-134-0x0000000000000000-mapping.dmp
- memory/704-135-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
- memory/704-136-0x0000000000EA0000-0x00000000011EA000-memory.dmp (Filesize 3.3MB)
- memory/980-133-0x0000000000000000-mapping.dmp
- memory/2496-132-0x0000000000000000-mapping.dmp
- memory/3252-139-0x0000000002B00000-0x0000000002BEC000-memory.dmp (Filesize 944KB)
- memory/3252-146-0x00000000084F0000-0x000000000860C000-memory.dmp (Filesize 1.1MB)
- memory/3308-130-0x0000000075000000-0x00000000755B1000-memory.dmp (Filesize 5.7MB)
- memory/4344-141-0x0000000000000000-mapping.dmp
- memory/4400-140-0x0000000000000000-mapping.dmp
- memory/4400-142-0x0000000000C20000-0x0000000000C7A000-memory.dmp (Filesize 360KB)
- memory/4400-143-0x00000000001D0000-0x00000000001FD000-memory.dmp (Filesize 180KB)
- memory/4400-144-0x0000000000E30000-0x000000000117A000-memory.dmp (Filesize 3.3MB)
- memory/4400-145-0x0000000000C80000-0x0000000000D13000-memory.dmp (Filesize 588KB)