Analysis
-
max time kernel
36s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
30-11-2022 18:26
Static task
static1
Behavioral task
behavioral1
Sample
10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
Resource
win7-20220812-en
General
-
Target
10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
-
Size
2.5MB
-
MD5
3b2839138c381fe2901d2daa9290b462
-
SHA1
4ccb206f3f9be21d42c588be9a65417da11706fe
-
SHA256
10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1
-
SHA512
2c171f522f9721003fd98e0f718152338e27475dda29f635484c36b6a8e69a74a21e00e26d7c0c106b2651069d8bf8b0f0fc23e2a4dc905a751a1cfc7f3e6113
-
SSDEEP
49152:WtoZ0ajbQzlq5O+l4QOnn8jeX+l8uvlhfNf5lWLPNyeL9+hw/USGy7Xk/51HwgGh:W6X0zlC6mc98IQ1a7
Malware Config
Extracted
formbook
4.1
u3q
wingenomics.com
malwaredeepdive.com
uvdxkup.icu
safeweb-url624.com
lighthousetan.com
liumeilin.com
thaiexpressnyc.com
primedperspective.com
georgekwalker.com
purelife-gt.com
theboseproject.com
moralalaska.icu
anthonysoflittleitaly.com
talahadavi.com
waterbrooksacademy.com
aluneaproaieauayauwpalaua.com
mytshirtforlife.com
penerbitlayung.com
chainslugs.com
bhbgsc.com
blessux.com
jacqueselegantbling.jewelry
nautradio.com
taolife365.com
dreamteammortage.com
starboardvalueac.com
konstantiuk.com
plataformamultireweb-1bn.xyz
prime-deliveries19.com
articulationcrew.com
xdtee.com
collegeadmissions.xyz
diabetesdirective.com
rgyabogadas.com
getxpro.com
hydrogrowlife.com
confirmacionesrfea.com
caleighsmacarons.com
swiftnearby.com
timliadiwasi.com
odonyenicoleboutique.com
mydomainaccounts.com
dietanutricional.com
agilecoaching30.com
carbeloy.com
coinflip259.com
jsinekovo.com
carazone.com
huaweilabs.com
bestsonomahomesearch.com
myproductteam.com
amct-tony.com
thecleanstones.com
gunrangesonline.com
njywy.com
aboutourwellness.com
futebolpleyhd.com
devotedfootwear.com
parkpatent.com
pqlon.com
commercialinsuranceclaims.guru
conjureandcharm.com
greenracksolar.com
gwtguardwell.com
fptableau.com
Signatures
-
Beds Protector Packer 1 IoCs
Detects Beds Protector packer used to load .NET malware.
Processes:
resource yara_rule behavioral1/memory/1880-56-0x00000000052F0000-0x000000000555E000-memory.dmp beds_protector -
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1176-62-0x000000000041EB70-mapping.dmp formbook behavioral1/memory/1176-61-0x0000000000400000-0x000000000042E000-memory.dmp formbook -
Suspicious use of SetThreadContext 1 IoCs
Processes:
10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exedescription pid process target process PID 1880 set thread context of 1176 1880 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exepid process 1176 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exedescription pid process target process PID 1880 wrote to memory of 1176 1880 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe PID 1880 wrote to memory of 1176 1880 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe PID 1880 wrote to memory of 1176 1880 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe PID 1880 wrote to memory of 1176 1880 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe PID 1880 wrote to memory of 1176 1880 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe PID 1880 wrote to memory of 1176 1880 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe PID 1880 wrote to memory of 1176 1880 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe"C:\Users\Admin\AppData\Local\Temp\10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe"C:\Users\Admin\AppData\Local\Temp\10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1176
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1176-58-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1176-59-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1176-62-0x000000000041EB70-mapping.dmp
-
memory/1176-61-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1176-63-0x0000000000830000-0x0000000000B33000-memory.dmpFilesize
3.0MB
-
memory/1880-54-0x0000000000CA0000-0x0000000000F32000-memory.dmpFilesize
2.6MB
-
memory/1880-55-0x0000000075201000-0x0000000075203000-memory.dmpFilesize
8KB
-
memory/1880-56-0x00000000052F0000-0x000000000555E000-memory.dmpFilesize
2.4MB
-
memory/1880-57-0x0000000000320000-0x0000000000336000-memory.dmpFilesize
88KB