Analysis
- max time kernel: 120s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 19-06-2022 19:47
Static task: static1
Behavioral task: behavioral1
Sample: 34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe
Resource: win7-20220414-en
General
- Target: 34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe
- Size: 476KB
- MD5: ea607d1b385e45422cc153a5f732e98a
- SHA1: 8dee62a8a8e22bfc9245ea2700146a78894f28f2
- SHA256: 34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8
- SHA512: 12785f1957cab60b3e24ed0c4150d7ba1a4095410cd3697ea44ae0233284398a51787b0f6a53bdfb33d26fb5a116323a103082d19dcd263ba9b9bbee48133279
Malware Config
Extracted
- Family: formbook
- Version: 3.9
- Campaign: sh
- C2 / decoy domains:
ziyafetkebaprize.com
minigirl69.com
emmashawbarry.com
resolving-an-issue.info
chefmorn.com
positivelypeach.com
industrial-plc.com
news3102.pictures
robinhunghau.com
cookarevegan.online
4hlf3uvgl6v.biz
eurekaposters.com
widenewtown.life
snprovidedengineering.com
elpcb.com
kabinet-megafon.info
roturapuentetermico.com
hao641.com
freshness.farm
casino1.info
extratickets.biz
jimeijing.net
mythincream.com
1m9sevenbecause.loan
kusindekas.com
academyeditions.info
maitressekimmy.com
wwwi6455.com
shoelopment.net
xn--xhqs8j2re8ss.com
sakamakidc.com
bernasc0ni.com
irandutch.com
319cb.com
abideplumbing.net
smarite.com
marijuanapainmeds.com
ossiandesign.com
maxk.tech
uirang.com
emailsservices.com
tilu.ltd
029xcx.com
sleighttrimml.info
nomadawhoo.com
wctnyuv.download
mygamecheats.net
shariahcrypto.com
bluerock-upload.com
croccocucine.com
homegardenusa.com
nuclearenergyprosandcons.com
shamanssacredtools.com
blitzmarketing.net
watevers.com
warriorcandy.com
srlvb.info
aljzx.link
theultra.party
xn--hg4bnij0utlm.com
loushangwang.com
formsbus.com
delicityabidjan.com
copykeystone.com
bolipy.com
Signatures
- Formbook Payload (1 IoC)
  Processes:
  resource: behavioral2/memory/4972-135-0x0000000000400000-0x000000000042A000-memory.dmp
  yara_rule: formbook
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 4560 (34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe) set thread context of PID 4972 (34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID 4972 (34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe)
  PID 4972 (34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  Token: SeDebugPrivilege, PID 4560 (34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  PID 4560 (34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe) wrote to memory of PID 4972 (34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe), 6 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe"
  PID: 4560
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe"
    PID: 4972
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/4560-130-0x0000000000390000-0x000000000040E000-memory.dmp (Filesize: 504KB)
- memory/4560-131-0x0000000005240000-0x00000000057E4000-memory.dmp (Filesize: 5.6MB)
- memory/4560-132-0x0000000004C90000-0x0000000004D22000-memory.dmp (Filesize: 584KB)
- memory/4560-133-0x0000000000C00000-0x0000000000C9C000-memory.dmp (Filesize: 624KB)
- memory/4972-134-0x0000000000000000-mapping.dmp
- memory/4972-135-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/4972-136-0x0000000001110000-0x000000000145A000-memory.dmp (Filesize: 3.3MB)