Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 06:59
- Static task: static1
General
- Target: 697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1.exe
- Size: 304KB
- MD5: 60d9730a7f59ab1fd59f0714ef881b06
- SHA1: ca8d63135460836a001a38b50c28eae975a2a36c
- SHA256: 697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1
- SHA512: ef6c2bb3fcb705da66416bee8191c9ec7f8992aef9bc5bc108742f15cfc132d2887062e3a85977b0ae005ea8796fb3670517da834534107454957209a851bac4
- SSDEEP: 6144:U5SuupRIxrjvwT97hu1nbuTnFlzFeVuQqJa64BUR3XR0Ah0eZXBp6bS0fhr8w:UghhwbuTFlzF0uQqCidR0AJrcS0fhr8w
Malware Config
Extracted
- Family: formbook
- Campaign ID: pgnt
- Encoded strings (listed as extracted; Formbook keeps its decoy and C2 list encrypted in the payload and the report does not decode them):
  0WG18LbM4lR9iqMRa4nlBzTb
  jcfGYzPgZTqFZVO9FV2yIw==
  laIfrdSC8/4CNg==
  Q73ilev5GIWuOrAAFV2yIw==
  Q2u/pMw7pv4sPA==
  TbqvIUHwlQscPo0HFV2yIw==
  8PNWfGPyE8n0IQ==
  WtgROxXzvY2L
  PryaRBNjm4eP
  Y9Hdi06Cry1um9Sj68YAu1o=
  3Gulyp7CMQtR78jvLkk=
  JJ3GasTVTCRQT6Tfz6S6GlI=
  RnS42bhb9tI0R6UpD6wOxriNxw==
  he1mi2sOGfzTRGHnuA==
  eaYjCtjxVjdU5XLRtBMBLKk9quA=
  k9rTeEqYzzw8WaTfz6S6GlI=
  5luVQwe2vJWKEAiMdF4=
  MGW14L9OVk5Y5TaR6w/DqdhYxXVY
  mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==
  y5klhuMbE8n0IQ==
  u/NKcEKARatNn/dT
  ZJaHJQCvzDWRuPPmMsEVxriNxw==
  nRhddlcPOegWrv5R
  /njA0TJ1U+osPA==
  pi8az6AySKlNn/dT
  e/k+YjN+U+osPA==
  kMAZ36lMWa3gRGHnuA==
  wfX0nGsGE1yUJb1Jq33LoDdDWLSgFQ==
  wfk35UJcfeHoRGHnuA==
  dbzljekZ3ka2QYCYOP1I
  Nq3kDeMNNJWDMnWYOP1I
  Sa0SN/04cNje8xbaJLgUxriNxw==
  yDejyZiQ/X/BQYiYOP1I
  UIPN7ckznp2W
  s/HtqJNKdmtv88jvLkk=
  KanG2bhM0CsdiNrNF0E=
  QLrtp3svzjcsTaJ9y5kPopyQzQ==
  syhbC2iJZ8obK2Y7nHSa7CmdUuA=
  HZXK676zo5OV
  5WFoCWeuxqekcHx5YkE=
  PbX1H/gmE8n0IQ==
  3HTB6Asznp2W
  9HGhWLLyrJXPcq4FRecyGU247XBS
  /oW437jofmJ8DQiMdF4=
  sh415lJ8q3cL3XJvaEA=
  XucfBGWzVEg=
  PKWeQgpB1cUHprue4sYAu1o=
  MXFzDmuO/nBtmjc6g5elIVMbQeWFjyMN
  q+v2lgI9Vb0rC2juug==
  WYvkDdX8kEjU73U=
  6BJjmWGiizGT
  fLHageH29Ex1m8jvLkk=
  3D+hsVkFtIyr5WI=
  ntIbRgolp0jU73U=
  GGGJMpC3pJPdQ8ZGkpxA
  8FtjHvNDiICP
  L63yFOor5uMdLqnrNNblBzTb
  Gav/MgU4AByfuddW
  xek7Tm3lhlY=
  n2sDng5BBdtNn/dT
  LZsINfoQH6dNn/dT
  Io+SQh7ak0Ti7Gg=
  T8Xci1oCP63aRGHnuA==
  bZX0DnWMqxcyQ39hzOH+7U0BvmhP
- Domain: hf9blwwuwpx7j8k.live
Signatures
- Suspicious use of SetThreadContext (4 IoCs)
  PID 1088 (697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1.exe) set thread context of 4532 (regsvcs.exe)
  PID 4532 (regsvcs.exe) set thread context of 1040 (Explorer.EXE)
  PID 4532 (regsvcs.exe) set thread context of 1040 (Explorer.EXE)
  PID 4920 (svchost.exe) set thread context of 1040 (Explorer.EXE)
- Modifies Internet Explorer settings (1 IoCs)
  Key created by svchost.exe: \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  1088 697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1.exe (2 entries)
  4532 regsvcs.exe (10 entries)
  4920 svchost.exe (52 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  1040 Explorer.EXE
- Suspicious behavior: MapViewOfSection (8 IoCs)
  4532 regsvcs.exe (4 entries)
  4920 svchost.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege 1088 697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1.exe
  Token: SeDebugPrivilege 4532 regsvcs.exe
  Token: SeDebugPrivilege 4920 svchost.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1088 (697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1.exe) wrote to memory of 4528 (regsvcs.exe) (3 entries)
  PID 1088 (697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1.exe) wrote to memory of 4532 (regsvcs.exe) (6 entries)
  PID 1040 (Explorer.EXE) wrote to memory of 4920 (svchost.exe) (3 entries)
  PID 4920 (svchost.exe) wrote to memory of 4156 (Firefox.exe) (3 entries)
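The SetThreadContext and WriteProcessMemory rows above are enough to rebuild the whole injection chain, and doing that mechanically is how a triage script turns a report like this into a verdict. The script below is an added example, not part of the report or the sandbox's tooling: it parses rows in the report's own shape, walks the chain from the dropper, and separates targets that were written to and then had a thread context set (hollowing, here regsvcs.exe 4532) from targets that only had a thread context set (Explorer.EXE 1040, which fits the MapViewOfSection rows for 4532 and 4920) and from targets that were only written to (the first regsvcs.exe 4528, svchost.exe 4920 and Firefox.exe 4156). The input rows are constructed from the report with "sample.exe" standing in for the SHA-256-named dropper, and the list of .NET utilities treated as hollowing hosts is my assumption, not something the report states.

```python
"""
Rebuild the cross-process injection chain from sandbox signature rows.

Added example, not part of the report: it consumes rows in the shape of the
report's 'Suspicious use of SetThreadContext' and 'Suspicious use of
WriteProcessMemory' entries and classifies every (source, target) pair.
"""
import re
from collections import defaultdict

# Constructed sample rows, one per distinct edge seen in the report.
# "sample.exe" stands in for the SHA-256-named dropper; the report repeats each
# WriteProcessMemory edge several times, which does not change the result.
EVENTS = [
    "PID 1088 wrote to memory of 4528 1088 sample.exe regsvcs.exe",
    "PID 1088 wrote to memory of 4532 1088 sample.exe regsvcs.exe",
    "PID 1088 set thread context of 4532 1088 sample.exe regsvcs.exe",
    "PID 4532 set thread context of 1040 4532 regsvcs.exe Explorer.EXE",
    "PID 1040 wrote to memory of 4920 1040 Explorer.EXE svchost.exe",
    "PID 4920 set thread context of 1040 4920 svchost.exe Explorer.EXE",
    "PID 4920 wrote to memory of 4156 4920 svchost.exe Firefox.exe",
]

ROW = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Assumed list of .NET utilities commonly abused as hollowing hosts (my list,
# not something the report states).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}


def parse_events(rows):
    """Yield (src_pid, src_image, kind, dst_pid, dst_image); kind is 'write' or 'ctx'."""
    for row in rows:
        m = ROW.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        kind = "write" if m["verb"].startswith("wrote") else "ctx"
        yield int(m["src"]), m["src_img"], kind, int(m["dst"]), m["dst_img"]


def classify(rows):
    """(src_pid, dst_pid) -> set of access kinds observed on that pair."""
    edges = defaultdict(set)
    for src, _, kind, dst, _ in parse_events(rows):
        edges[(src, dst)].add(kind)
    return dict(edges)


def images(rows):
    """pid -> image name, taken from any row that names the pid."""
    imgs = {}
    for src, src_img, _, dst, dst_img in parse_events(rows):
        imgs[src], imgs[dst] = src_img, dst_img
    return imgs


def chain(rows, root):
    """Depth-first walk of injection edges from root; each edge is taken once,
    so the Explorer <-> svchost loop in the report terminates."""
    edges, imgs, out, seen = classify(rows), images(rows), [], set()

    def walk(pid):
        for (s, d), kinds in sorted(edges.items()):
            if s != pid or (s, d) in seen:
                continue
            seen.add((s, d))
            out.append(f"{s} {imgs[s]} -> {d} {imgs[d]} [{','.join(sorted(kinds))}]")
            walk(d)

    walk(root)
    return out


def findings(rows):
    """Bucket targets by how they were reached.
    hollowed          : memory written and a thread context set on the target
    ctx_without_write : thread context set with no WriteProcessMemory, which
                        matches the report's MapViewOfSection rows (mapped section)
    write_without_ctx : memory written, no thread context set on that target"""
    edges, imgs = classify(rows), images(rows)
    buckets = {"hollowed": set(), "ctx_without_write": set(), "write_without_ctx": set()}
    for (_, dst), kinds in edges.items():
        if kinds == {"write", "ctx"}:
            buckets["hollowed"].add(dst)
        elif kinds == {"ctx"}:
            buckets["ctx_without_write"].add(dst)
        else:
            buckets["write_without_ctx"].add(dst)
    result = {k: sorted(v) for k, v in buckets.items()}
    result["lolbin_hosts"] = [p for p in result["hollowed"] if imgs[p].lower() in HOLLOW_HOSTS]
    return result


if __name__ == "__main__":
    for edge in chain(EVENTS, 1088):
        print(edge)
    print(findings(EVENTS))
```

Run against the constructed rows, the walk gives 1088 -> 4532 (write and ctx) -> 1040 (ctx only) -> 4920 (write) -> 1040 (ctx only) and 4920 -> 4156 (write), plus the dead end 1088 -> 4528 (write only). That last edge is the detail worth keeping: regsvcs.exe 4528 was written to three times but never resumed, and it shows up in the process tree with no signatures at all, so the dropper's first hollowing attempt was abandoned before a second regsvcs.exe was used.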
Processes
- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe (depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe (depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps, grouped by PID)
- memory/1040-143-0x0000000007C40000-0x0000000007DA6000-memory.dmp (1.4MB)
- memory/1040-147-0x0000000008680000-0x00000000087E4000-memory.dmp (1.4MB)
- memory/1040-155-0x00000000033C0000-0x0000000003475000-memory.dmp (724KB)
- memory/1040-157-0x00000000033C0000-0x0000000003475000-memory.dmp (724KB)
- memory/1088-132-0x0000000000E80000-0x0000000000ED2000-memory.dmp (328KB)
- memory/4528-133-0x0000000000000000-mapping.dmp (no size listed)
- memory/4532-134-0x0000000000000000-mapping.dmp (no size listed)
- memory/4532-135-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/4532-137-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/4532-138-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/4532-139-0x0000000000401000-0x000000000042F000-memory.dmp (184KB)
- memory/4532-140-0x0000000001700000-0x0000000001A4A000-memory.dmp (3.3MB)
- memory/4532-141-0x0000000000422000-0x0000000000424000-memory.dmp (8KB)
- memory/4532-142-0x00000000011B0000-0x00000000011C0000-memory.dmp (64KB)
- memory/4532-145-0x0000000000422000-0x0000000000424000-memory.dmp (8KB)
- memory/4532-146-0x0000000001A60000-0x0000000001A70000-memory.dmp (64KB)
- memory/4532-149-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/4532-150-0x0000000000401000-0x000000000042F000-memory.dmp (184KB)
- memory/4920-148-0x0000000000000000-mapping.dmp (no size listed)
- memory/4920-151-0x00000000008F0000-0x00000000008FE000-memory.dmp (56KB)
- memory/4920-152-0x00000000006E0000-0x000000000070D000-memory.dmp (180KB)
- memory/4920-153-0x0000000001200000-0x000000000154A000-memory.dmp (3.3MB)
- memory/4920-154-0x0000000001000000-0x000000000108F000-memory.dmp (572KB)
- memory/4920-156-0x00000000006E0000-0x000000000070D000-memory.dmp (180KB)
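The dump names encode everything needed to decide which files to pull first: PID, snapshot index and address range. The script below is an added example, not part of the report or the sandbox's tooling; it parses the names exactly as listed above (the list is embedded as constructed input), reproduces the report's size labels from the address ranges, collapses repeated snapshots of the same region, and then applies two heuristics that are mine rather than the report's: a region at the classic non-relocated image base 0x400000 that was dumped at several snapshots is the first candidate for the unpacked payload (here regsvcs.exe 4532, 0x400000-0x42F000), and a region size that recurs in more than one PID points at the same staged payload in several hosts (here the 3.3MB region in both 4532 and 4920).

```python
"""
Triage a sandbox memory-dump listing: recover PID, snapshot index and address
range from each file name, label sizes the way the report does, and point at
the dumps an analyst would pull first.

Added example, not part of the report or the sandbox's own tooling.
"""
import re
from collections import defaultdict

# Constructed input: the dump names from the report, in the form listed there.
DUMPS = [
    "memory/1040-143-0x0000000007C40000-0x0000000007DA6000-memory.dmp",
    "memory/1040-157-0x00000000033C0000-0x0000000003475000-memory.dmp",
    "memory/1040-155-0x00000000033C0000-0x0000000003475000-memory.dmp",
    "memory/1040-147-0x0000000008680000-0x00000000087E4000-memory.dmp",
    "memory/1088-132-0x0000000000E80000-0x0000000000ED2000-memory.dmp",
    "memory/4528-133-0x0000000000000000-mapping.dmp",
    "memory/4532-146-0x0000000001A60000-0x0000000001A70000-memory.dmp",
    "memory/4532-150-0x0000000000401000-0x000000000042F000-memory.dmp",
    "memory/4532-141-0x0000000000422000-0x0000000000424000-memory.dmp",
    "memory/4532-142-0x00000000011B0000-0x00000000011C0000-memory.dmp",
    "memory/4532-139-0x0000000000401000-0x000000000042F000-memory.dmp",
    "memory/4532-145-0x0000000000422000-0x0000000000424000-memory.dmp",
    "memory/4532-138-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/4532-137-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/4532-134-0x0000000000000000-mapping.dmp",
    "memory/4532-140-0x0000000001700000-0x0000000001A4A000-memory.dmp",
    "memory/4532-149-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/4532-135-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/4920-152-0x00000000006E0000-0x000000000070D000-memory.dmp",
    "memory/4920-153-0x0000000001200000-0x000000000154A000-memory.dmp",
    "memory/4920-154-0x0000000001000000-0x000000000108F000-memory.dmp",
    "memory/4920-151-0x00000000008F0000-0x00000000008FE000-memory.dmp",
    "memory/4920-156-0x00000000006E0000-0x000000000070D000-memory.dmp",
    "memory/4920-148-0x0000000000000000-mapping.dmp",
]

# <pid>-<snapshot>-<start>-<end>-memory.dmp, or <pid>-<snapshot>-<start>-mapping.dmp
NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<snap>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


def parse_dump(name):
    """Split one dump name into pid, snapshot, start, end (None for mapping dumps) and kind."""
    m = NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    end = None if m["end"] is None else int(m["end"], 16)
    return {"pid": int(m["pid"]), "snap": int(m["snap"]), "start": int(m["start"], 16),
            "end": end, "kind": "mapping" if end is None else "memory"}


def size_label(start, end):
    """Size label in the report's style: whole KB below 1 MiB, one decimal MB above."""
    n = end - start
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def summarize(names):
    """pid -> [(start, end, [snapshots])], one entry per distinct region, ordered by address."""
    per = defaultdict(lambda: defaultdict(list))
    for d in map(parse_dump, names):
        if d["kind"] == "memory":
            per[d["pid"]][(d["start"], d["end"])].append(d["snap"])
    return {pid: [(s, e, sorted(snaps)) for (s, e), snaps in sorted(regs.items())]
            for pid, regs in sorted(per.items())}


def candidates(names):
    """Heuristic (mine): a region at image base 0x400000 dumped at more than one
    snapshot is the first thing to pull as a probable unpacked payload."""
    return [(pid, s, e) for pid, regs in summarize(names).items()
            for s, e, snaps in regs if s == 0x400000 and len(snaps) > 1]


def shared_sizes(names):
    """Heuristic (mine): region sizes present in more than one PID, i.e. the same
    staged payload in several hosts. Returns {size_in_bytes: [pids]}."""
    by_size = defaultdict(set)
    for pid, regs in summarize(names).items():
        for s, e, _ in regs:
            by_size[e - s].add(pid)
    return {sz: sorted(p) for sz, p in by_size.items() if len(p) > 1}


if __name__ == "__main__":
    for pid, regs in summarize(DUMPS).items():
        for s, e, snaps in regs:
            print(f"{pid} {s:#010x}-{e:#010x} {size_label(s, e):>6} snapshots {snaps}")
    print("pull first:", candidates(DUMPS))
    print("shared sizes:", shared_sizes(DUMPS))
```

The mapping dumps carry no address range and are skipped by the region summary; they are the sandbox's record of a new image being mapped in that PID, which is why 4528 has one and nothing else.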