Analysis
- max time kernel: 142s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-06-2022 06:52

Static task: static1
Behavioral task: behavioral1
Sample: 133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe
Resource: win7-20220414-en
General
- Target: 133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe
- Size: 456KB
- MD5: 4d338da1a2c3facd8a4eb70c2ff76791
- SHA1: 168ee5eddcd1e5f0c75d21860e68833eba0ef3e5
- SHA256: 133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d
- SHA512: cfa69717296e87fb67e745d8c3a468418bd0d9ba988f0bb078954bb4284c0452b95a4ef7067b730d37c81322ee68240be03ed3130338e11f98e19f6d064d126a
Malware Config
Extracted configuration:
- Family: formbook
- Version: 3.1
- Campaign: private
- Domains:
hyeyumplus.com
amananature.com
anhuixinshang.com
wxxfaeyfi.biz
wwwitb18.com
fanshu365.com
xxh333666.com
xn--kcr98bq47b.com
opnfi.com
shekblog.com
hurricanehelpcenter.com
qdqtsw.com
videojos.online
seguir.link
webstudio-friendly.com
vacationrentalsofthedessert.com
ccdhxxzx.com
kaihangtools.com
jl.link
teesncaps.com
neuro-empoderamiento.com
brojimmyhill.net
jueceba.com
semwebdns.com
bradmmiller.net
michaelkniginart.com
cdn-network24-server10.biz
knot-highlight.review
tjyililai.com
idyllic-hotels.com
tiktokburger.com
fckdd.com
tokimeki-renove.com
jiangxisy.com
voxiphone.com
famousnews7.info
761hpe.info
frrufc.com
giantknife.com
zmuijc.win
hkzlqzyy.com
genealogyofwater.com
pourlesenfantsdesrizieres.com
construccionessanluis.com
lodha-codename-bulls-eye.com
online-paymentservice.com
uj841.com
ionbaton.com
88fu.net
waicg.com
korennareynard.info
adultdanceintensives.com
stiffylube.biz
godwebdesign.com
ramconstructionwa.com
cdsinsight.net
chicagorefinanceking.com
menalnfrastructure.com
niftynecessaties.com
womenwhosidehustle.com
thepsquare.com
maternityclothings.com
xioushang.com
superfeet-help.com
rs4nd.com
Signatures
-
Formbook Payload (2 IoCs)
Processes:
  resource                                                                              yara_rule
  behavioral2/memory/5000-133-0x0000000000000000-mapping.dmp                            formbook
  behavioral2/memory/5000-136-0x0000000000400000-0x0000000000428000-memory.dmp          formbook
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  5000  133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe
  5000  133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  312   133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                      pid   process                                                                  target process
  PID 312 wrote to memory of 5000  312   133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe    133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe
  (the same event is recorded 12 times: PID 312 wrote to memory of PID 5000, parent and target both being 133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Local\Temp\133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\133ae28bce4d3af3eaf5c07b5e9f3174db465afcf33693a4382f8798d1e9e62d.exe"
      - Suspicious behavior: EnumeratesProcesses
Downloads
- memory/312-132-0x00000000022A0000-0x00000000022A7000-memory.dmp (Filesize: 28KB)
- memory/312-134-0x00000000022A0000-0x00000000022A7000-memory.dmp (Filesize: 28KB)
- memory/5000-133-0x0000000000000000-mapping.dmp
- memory/5000-135-0x0000000000AA0000-0x0000000000DEA000-memory.dmp (Filesize: 3.3MB)
- memory/5000-136-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)