Analysis
- max time kernel: 229s
- max time network: 305s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 30-11-2022 16:29

Static task: static1
Behavioral task: behavioral1
- Sample: 40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865.exe
- Resource: win7-20221111-en
General
- Target: 40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865.exe
- Size: 490KB
- MD5: 204da52ffbac84b1067d3ee2d06a8b15
- SHA1: 05672de9a26d7cb5cfd408f06bc50e71265f32f3
- SHA256: 40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865
- SHA512: 0989cf3b1de4c71e664471cfb9ff783c250e8d251e1438dd01815f8ee3d7103b9b55dd8dfaf374e0ce1ec2c605efc3cb6f8f46df9a9e209ee5638fb0762296b5
- SSDEEP: 6144:MTDMAYloj1/L8YEAQwgG5hUf+uJ18yL3gfDj3f4acR2RzqmCGujxggwHDU1W8:+DMAzjN4YEAFKmE0fbcgcVwg1W8
Malware Config
- Extracted: formbook 4.1 pep
Signatures

Formbook payload (4 IoCs)
Resource / yara_rule:
- behavioral1/memory/924-64-0x000000000041EB90-mapping.dmp: formbook
- behavioral1/memory/924-66-0x0000000000080000-0x00000000000AE000-memory.dmp: formbook
- behavioral1/memory/1700-75-0x0000000000080000-0x00000000000AE000-memory.dmp: formbook
- behavioral1/memory/1700-77-0x0000000000080000-0x00000000000AE000-memory.dmp: formbook

Executes dropped EXE (1 IoC)
PID / process:
- 924 AddInProcess32.exe

Loads dropped DLL (1 IoC)
PID / process:
- 752 40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resource / yara_rule:
- behavioral1/memory/752-56-0x00000000051D0000-0x00000000051F8000-memory.dmp: agile_net

Suspicious use of SetThreadContext (3 IoCs)
Description / PID / process / target process:
- PID 752 set thread context of 924: 40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865.exe -> AddInProcess32.exe
- PID 924 set thread context of 1372: AddInProcess32.exe -> Explorer.EXE
- PID 1700 set thread context of 1372: systray.exe -> Explorer.EXE

Suspicious behavior: EnumeratesProcesses (20 IoCs)
PID / process:
- 752 40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865.exe (2 events)
- 924 AddInProcess32.exe (2 events)
- 1700 systray.exe (16 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID / process:
- 1372 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
PID / process:
- 924 AddInProcess32.exe (3 events)
- 1700 systray.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Description / PID / process:
- Token: SeDebugPrivilege, 752 40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865.exe
- Token: SeDebugPrivilege, 924 AddInProcess32.exe
- Token: SeDebugPrivilege, 1700 systray.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Description / PID / process / target process:
- PID 752 wrote to memory of 924: 40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865.exe -> AddInProcess32.exe (7 events)
- PID 1372 wrote to memory of 1700: Explorer.EXE -> systray.exe (4 events)
- PID 1700 wrote to memory of 1052: systray.exe -> cmd.exe (4 events)
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\systray.exe
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  Filesize: 41KB
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- memory/752-55-0x0000000074ED1000-0x0000000074ED3000-memory.dmp: 8KB
- memory/752-56-0x00000000051D0000-0x00000000051F8000-memory.dmp: 160KB
- memory/752-57-0x00000000006C0000-0x00000000006D4000-memory.dmp: 80KB
- memory/752-58-0x00000000006E0000-0x00000000006E6000-memory.dmp: 24KB
- memory/752-54-0x00000000013E0000-0x0000000001460000-memory.dmp: 512KB
- memory/924-69-0x0000000000320000-0x0000000000334000-memory.dmp: 80KB
- memory/924-60-0x0000000000080000-0x00000000000AE000-memory.dmp: 184KB
- memory/924-66-0x0000000000080000-0x00000000000AE000-memory.dmp: 184KB
- memory/924-68-0x0000000000990000-0x0000000000C93000-memory.dmp: 3.0MB
- memory/924-61-0x0000000000080000-0x00000000000AE000-memory.dmp: 184KB
- memory/924-64-0x000000000041EB90-mapping.dmp
- memory/1052-76-0x0000000000000000-mapping.dmp
- memory/1372-70-0x0000000006970000-0x0000000006A40000-memory.dmp: 832KB
- memory/1372-79-0x00000000077F0000-0x000000000796F000-memory.dmp: 1.5MB
- memory/1372-80-0x00000000077F0000-0x000000000796F000-memory.dmp: 1.5MB
- memory/1700-71-0x0000000000000000-mapping.dmp
- memory/1700-73-0x00000000004B0000-0x00000000004B5000-memory.dmp: 20KB
- memory/1700-74-0x0000000001EB0000-0x00000000021B3000-memory.dmp: 3.0MB
- memory/1700-75-0x0000000000080000-0x00000000000AE000-memory.dmp: 184KB
- memory/1700-77-0x0000000000080000-0x00000000000AE000-memory.dmp: 184KB
- memory/1700-78-0x0000000001C80000-0x0000000001D13000-memory.dmp: 588KB