Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-08-2022 03:48

Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en

General
Target: tmp.exe
Size: 185KB
MD5: b714b6e24d1d6e4951f4c83173412575
SHA1: 509ae497a7349827f4bbd9085e15b9e3cfc8f53e
SHA256: 86741510935fc30581a17848b7d391461c8aa3c749fd8c7998682c637f7486c0
SHA512: e087aea2bb327f70a83b75bc81217c1c3041bb9d7e79f915b10af3fff1a9031bf6dce0d93a5a9564b99787ec5396fae23c9f024c56d747f7230604f8048ca89d
SSDEEP: 3072:tdpPkgyUnaoZ3G/UeoeIkqD47iVCAErfoHgcT5mEZB25EcJZ+2FAdqh:bzFGMhkqD47i0rfgv1nU5njh
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign ID: ba17
C2 (65 domains; Formbook configs pad the real C2 with decoy domains, so treat the list as a set of indicators rather than as confirmed infrastructure):
zoltaron.tech
exopets.online
trippingtravel.com
banded.top
shinebrightdesigns.co.uk
djlbb.com
abcsofmindfulness.com
linkaktifasialive88.club
185068.sbs
tjhongguo.com
portaldigi.store
theshoe.club
r-ceive.app
kmwww.top
search-publishing.com
banksmanlights.net
flyonthewallmovie.com
congrulations.website
trnt.store
udajabojka.xyz
bet365p6.com
purecleannyc.com
tripod.app
chesmol.xyz
gestuethollerbusch.com
longhuipet.com
noktasutesisati.com
voucherkita.xyz
paca-uk.co.uk
denizonlinekontrol.com
suresthuerta.xyz
trendingproduct.co.uk
mvkstore.com
taoseav33.top
estudiooteroyasociados.store
gandlautosalesinc.com
32ee62dd0110.info
hmrazk.website
qzbpckdo.com
solman.store
slavlavka.site
elemansepetim.xyz
btr.ltd
bjyfzssj.com
yildizanpresskomuru.com
careebroutique.com
artsirchen.com
286412.com
tradingpostatprieslake.com
aisccenter.net
tensenfarms.site
troublecolor.online
paring-deification.net
rhy6.com
zgjys888web.xyz
allhallowsluxe.com
stefanierinza.com
needy-me.online
0755aite.net
cbfashion.uk
sunrisequilts.com
rswll.com
khanaphongmamam123.xyz
nsdclub.com
pricehistory.website
Signatures

Formbook payload (2 IoCs)
Resource | YARA rule
behavioral2/memory/540-137-0x0000000000700000-0x000000000072F000-memory.dmp | formbook
behavioral2/memory/540-143-0x0000000000700000-0x000000000072F000-memory.dmp | formbook

Suspicious use of SetThreadContext (2 IoCs)
Description | PID | Process | Target process
PID 4484 set thread context of 900 | 4484 | tmp.exe | Explorer.EXE
PID 540 set thread context of 900 | 540 | WWAHost.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (58 IoCs)
PID | Process | Occurrences
4484 | tmp.exe | 4
540 | WWAHost.exe | 54

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID | Process
900 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
PID | Process | Occurrences
4484 | tmp.exe | 3
540 | WWAHost.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 4484 | tmp.exe
Token: SeDebugPrivilege | 540 | WWAHost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Description | PID | Process | Target process | Occurrences
PID 900 wrote to memory of 540 | 900 | Explorer.EXE | WWAHost.exe | 3
PID 540 wrote to memory of 3864 | 540 | WWAHost.exe | cmd.exe | 3
Processes (tree; PIDs taken from the signature tables above)

C:\Windows\Explorer.EXE (PID 900), command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4484), command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WWAHost.exe (PID 540), command line: "C:\Windows\SysWOW64\WWAHost.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3864), command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
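Read together, the signature tables and the process tree describe the injection chain this sample uses: tmp.exe (PID 4484) sets the thread context of Explorer.EXE (PID 900), Explorer writes into the SysWOW64 WWAHost.exe it spawned (PID 540), WWAHost sets Explorer's thread context in turn, and WWAHost finally writes into cmd.exe (PID 3864), which deletes the dropper. The Python below is an added editorial example, not part of the sandbox output or of any sandbox API: it reconstructs that chain from the flattened signature rows exactly as they appear on this page and flags the two things a detection engineer would pivot on, a process acting as an injection trampoline (a SetThreadContext target that then writes into another process) and a reached cmd.exe whose command line deletes the sample's own path. The row regex, the CMDLINES map (which joins each image path with the command line shown in the tree) and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed input: the flattened signature rows copied from this report.
SET_THREAD_CONTEXT = (
    "description pid process target process "
    "PID 4484 set thread context of 900 4484 tmp.exe Explorer.EXE "
    "PID 540 set thread context of 900 540 WWAHost.exe Explorer.EXE"
)
WRITE_PROCESS_MEMORY = (
    "description pid process target process "
    "PID 900 wrote to memory of 540 900 Explorer.EXE WWAHost.exe "
    "PID 900 wrote to memory of 540 900 Explorer.EXE WWAHost.exe "
    "PID 900 wrote to memory of 540 900 Explorer.EXE WWAHost.exe "
    "PID 540 wrote to memory of 3864 540 WWAHost.exe cmd.exe "
    "PID 540 wrote to memory of 3864 540 WWAHost.exe cmd.exe "
    "PID 540 wrote to memory of 3864 540 WWAHost.exe cmd.exe"
)
# Constructed input (assumption): image path plus command line from the process tree, keyed by PID.
CMDLINES = {
    4484: r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"',
    900: r"C:\Windows\Explorer.EXE",
    540: r'"C:\Windows\SysWOW64\WWAHost.exe"',
    3864: r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"',
}
SAMPLE_PID = 4484

# One row: "PID <src> <api> <dst> <src again> <src name> <dst name>" (format assumed from this page).
ROW_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)")


def parse_rows(text):
    """Return (src_pid, api, dst_pid, src_name, dst_name) tuples from a flattened table."""
    return [(int(a), api, int(b), sn, dn) for a, api, b, sn, dn in ROW_RE.findall(text)]


def process_names(rows):
    names = {}
    for src, _, dst, src_name, dst_name in rows:
        names[src] = src_name
        names[dst] = dst_name
    return names


def injection_edges(rows):
    """(src_pid, dst_pid) -> set of APIs used on that edge; insertion order follows the report."""
    edges = {}
    for src, api, dst, _, _ in rows:
        edges.setdefault((src, dst), set()).add(api)
    return edges


def reached_from(edges, start):
    """PIDs the sample reaches by following injection edges (breadth-first, discovery order)."""
    seen, order, queue = {start}, [], [start]
    while queue:
        cur = queue.pop(0)
        for src, dst in edges:
            if src == cur and dst not in seen:
                seen.add(dst)
                order.append(dst)
                queue.append(dst)
    return order


def assess(rows, cmdlines, sample_pid):
    names = process_names(rows)
    edges = injection_edges(rows)
    touched = reached_from(edges, sample_pid)
    sources = {src for src, _ in edges}
    # Trampoline: a SetThreadContext target that itself writes into another process.
    trampolines = sorted({dst for (src, dst), apis in edges.items()
                          if "set thread context of" in apis and dst in sources})
    # Self-deletion: a reached cmd.exe whose command line deletes the sample's own path.
    sample_path = cmdlines[sample_pid].strip('"').lower()
    self_delete = any(
        names.get(p, "").lower() == "cmd.exe"
        and " del " in cmdlines.get(p, "").lower()
        and sample_path in cmdlines.get(p, "").lower()
        for p in touched
    )
    writes = Counter((s, d) for s, api, d, _, _ in rows if api == "wrote to memory of")
    return {
        "touched": touched,
        "trampolines": trampolines,
        "self_delete": self_delete,
        "write_counts": {f"{names[s]}({s})->{names[d]}({d})": n for (s, d), n in writes.items()},
    }


if __name__ == "__main__":
    rows = parse_rows(SET_THREAD_CONTEXT) + parse_rows(WRITE_PROCESS_MEMORY)
    for key, value in assess(rows, CMDLINES, SAMPLE_PID).items():
        print(f"{key}: {value}")
```

The three repeated WriteProcessMemory rows per pair are kept as a count rather than collapsed, since a write count of one versus several is itself a useful feature when tuning a rule; the trampoline check deliberately keys on the target of SetThreadContext becoming a writer, which is what distinguishes the Explorer.EXE role here from a plain parent-child spawn.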
Downloads
Dump | Filesize
memory/540-139-0x0000000001980000-0x0000000001CCA000-memory.dmp | 3.3MB
memory/540-143-0x0000000000700000-0x000000000072F000-memory.dmp | 188KB
memory/540-141-0x00000000016F0000-0x0000000001783000-memory.dmp | 588KB
memory/540-135-0x0000000000000000-mapping.dmp | -
memory/540-136-0x0000000000AD0000-0x0000000000BAC000-memory.dmp | 880KB
memory/540-137-0x0000000000700000-0x000000000072F000-memory.dmp | 188KB
memory/900-142-0x0000000003580000-0x000000000366A000-memory.dmp | 936KB
memory/900-140-0x0000000003260000-0x0000000003377000-memory.dmp | 1.1MB
memory/900-134-0x0000000003260000-0x0000000003377000-memory.dmp | 1.1MB
memory/900-144-0x0000000003580000-0x000000000366A000-memory.dmp | 936KB
memory/3864-138-0x0000000000000000-mapping.dmp | -
memory/4484-132-0x0000000000D40000-0x000000000108A000-memory.dmp | 3.3MB
memory/4484-133-0x0000000000810000-0x0000000000824000-memory.dmp | 80KB
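Each dump is named by PID, sequence number and virtual address range, so the listed sizes can be cross-checked against the ranges and the two dumps the Formbook YARA rule matched (540-137 and 540-143) can be tied back to a single region in WWAHost.exe. The Python below is an added editorial example, not part of the sandbox report, and works only from the names and sizes listed on this page; the size formatting it reproduces, the handling of the `*-mapping.dmp` entries and the function names are assumptions about this report's conventions rather than a documented format.

```python
import re

# Constructed input: dump name -> reported Filesize, copied from the Downloads list above.
DUMPS = {
    "memory/540-139-0x0000000001980000-0x0000000001CCA000-memory.dmp": "3.3MB",
    "memory/540-143-0x0000000000700000-0x000000000072F000-memory.dmp": "188KB",
    "memory/540-141-0x00000000016F0000-0x0000000001783000-memory.dmp": "588KB",
    "memory/540-135-0x0000000000000000-mapping.dmp": None,
    "memory/540-136-0x0000000000AD0000-0x0000000000BAC000-memory.dmp": "880KB",
    "memory/540-137-0x0000000000700000-0x000000000072F000-memory.dmp": "188KB",
    "memory/900-142-0x0000000003580000-0x000000000366A000-memory.dmp": "936KB",
    "memory/900-140-0x0000000003260000-0x0000000003377000-memory.dmp": "1.1MB",
    "memory/900-134-0x0000000003260000-0x0000000003377000-memory.dmp": "1.1MB",
    "memory/900-144-0x0000000003580000-0x000000000366A000-memory.dmp": "936KB",
    "memory/3864-138-0x0000000000000000-mapping.dmp": None,
    "memory/4484-132-0x0000000000D40000-0x000000000108A000-memory.dmp": "3.3MB",
    "memory/4484-133-0x0000000000810000-0x0000000000824000-memory.dmp": "80KB",
}
# Dumps the "formbook" YARA rule matched, from the Signatures section.
YARA_HITS = ["540-137", "540-143"]

# Naming pattern assumed from the entries above: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
REGION_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x[0-9A-Fa-f]+-mapping\.dmp$")


def parse_dump(name):
    """Split a dump name into pid, sequence number and (for region dumps) its address range."""
    m = REGION_RE.match(name)
    if m:
        pid, seq, start, end = m.groups()
        return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16), "kind": "region"}
    m = MAPPING_RE.match(name)
    if m:
        return {"pid": int(m.group(1)), "seq": int(m.group(2)), "start": None, "end": None, "kind": "mapping"}
    raise ValueError(f"unrecognised dump name: {name}")


def human(nbytes):
    """Reproduce the report's size style: whole KB below 1 MiB, one decimal of MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def size_mismatches(dumps=DUMPS):
    """Region dumps whose listed size does not match end - start; empty means the list is consistent."""
    bad = []
    for name, reported in dumps.items():
        d = parse_dump(name)
        if d["kind"] != "region":
            continue
        computed = human(d["end"] - d["start"])
        if computed != reported:
            bad.append((name, reported, computed))
    return bad


def regions_by_pid(dumps=DUMPS):
    """Distinct (start, end) ranges dumped per process."""
    out = {}
    for name in dumps:
        d = parse_dump(name)
        if d["kind"] == "region":
            out.setdefault(d["pid"], set()).add((d["start"], d["end"]))
    return out


def flagged_regions(dumps=DUMPS, hits=YARA_HITS):
    """Address ranges behind the YARA hits; one entry means the hits are the same region dumped twice."""
    regions = set()
    for name in dumps:
        d = parse_dump(name)
        if d["kind"] == "region" and f"{d['pid']}-{d['seq']}" in hits:
            regions.add((d["pid"], d["start"], d["end"]))
    return regions


def shared_region_sizes(dumps=DUMPS):
    """Region sizes seen in more than one process: a lead for diffing the dumps, not proof of a copy."""
    by_size = {}
    for name in dumps:
        d = parse_dump(name)
        if d["kind"] == "region":
            by_size.setdefault(d["end"] - d["start"], set()).add(d["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    print("size mismatches:", size_mismatches())
    print("YARA-flagged regions:", {(p, hex(s), hex(e)) for p, s, e in flagged_regions()})
    print("sizes shared across processes:", {hex(k): v for k, v in shared_region_sizes().items()})
```

On this report the checks come out clean: every listed size matches its address range, both YARA hits resolve to the single 0x700000-0x72F000 range (188KB) in PID 540, and the only region size that appears in two processes is 0x34A000 (3.3MB), present in both tmp.exe and WWAHost.exe, which is the first pair of dumps worth diffing when following the injection.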