Analysis
- max time kernel: 147s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-08-2022 03:48
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220812-en
General
- Target: tmp.exe
- Size: 185KB
- MD5: b714b6e24d1d6e4951f4c83173412575
- SHA1: 509ae497a7349827f4bbd9085e15b9e3cfc8f53e
- SHA256: 86741510935fc30581a17848b7d391461c8aa3c749fd8c7998682c637f7486c0
- SHA512: e087aea2bb327f70a83b75bc81217c1c3041bb9d7e79f915b10af3fff1a9031bf6dce0d93a5a9564b99787ec5396fae23c9f024c56d747f7230604f8048ca89d
- SSDEEP: 3072:tdpPkgyUnaoZ3G/UeoeIkqD47iVCAErfoHgcT5mEZB25EcJZ+2FAdqh:bzFGMhkqD47i0rfgv1nU5njh
Malware Config
Extracted
formbook
4.1
ba17
Signatures

Formbook payload (2 IoCs)
resource | yara_rule
behavioral1/memory/1228-61-0x0000000000090000-0x00000000000BF000-memory.dmp | formbook
behavioral1/memory/1228-65-0x0000000000090000-0x00000000000BF000-memory.dmp | formbook

Deletes itself (1 IoC)
Processes: cmd.exe
pid | process
1728 | cmd.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: tmp.exe, msiexec.exe
description | pid | process | target process
PID 1684 set thread context of 1384 | 1684 | tmp.exe | Explorer.EXE
PID 1228 set thread context of 1384 | 1228 | msiexec.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes: tmp.exe, msiexec.exe
pid | process
1684 | tmp.exe (2 hits)
1228 | msiexec.exe (25 hits)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: tmp.exe, msiexec.exe
pid | process
1684 | tmp.exe (3 hits)
1228 | msiexec.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: tmp.exe, msiexec.exe
description | pid | process
Token: SeDebugPrivilege | 1684 | tmp.exe
Token: SeDebugPrivilege | 1228 | msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
pid | process
1384 | Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
pid | process
1384 | Explorer.EXE (2 hits)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: Explorer.EXE, msiexec.exe
description | pid | process | target process
PID 1384 wrote to memory of 1228 | 1384 | Explorer.EXE | msiexec.exe (7 hits)
PID 1228 wrote to memory of 1728 | 1228 | msiexec.exe | cmd.exe (4 hits)
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\msiexec.exe (command line: "C:\Windows\SysWOW64\msiexec.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe")
      - Deletes itself
Downloads
- memory/1228-61-0x0000000000090000-0x00000000000BF000-memory.dmp (188KB)
- memory/1228-57-0x0000000000000000-mapping.dmp
- memory/1228-58-0x0000000076401000-0x0000000076403000-memory.dmp (8KB)
- memory/1228-62-0x00000000023E0000-0x00000000026E3000-memory.dmp (3.0MB)
- memory/1228-60-0x0000000000E00000-0x0000000000E14000-memory.dmp (80KB)
- memory/1228-63-0x0000000000B70000-0x0000000000C03000-memory.dmp (588KB)
- memory/1228-65-0x0000000000090000-0x00000000000BF000-memory.dmp (188KB)
- memory/1384-56-0x0000000006980000-0x0000000006A83000-memory.dmp (1.0MB)
- memory/1384-64-0x00000000070A0000-0x00000000071DE000-memory.dmp (1.2MB)
- memory/1384-66-0x00000000070A0000-0x00000000071DE000-memory.dmp (1.2MB)
- memory/1684-55-0x0000000000420000-0x0000000000434000-memory.dmp (80KB)
- memory/1684-54-0x00000000007D0000-0x0000000000AD3000-memory.dmp (3.0MB)
- memory/1728-59-0x0000000000000000-mapping.dmp