Analysis
max time kernel: 75s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2022 11:00

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe
Resource: win7-20220812-en
General
Target: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe
Size: 1.0MB
MD5: 559e7d00549bbb00fd6454f597b6ec69
SHA1: 5a5547c9f5328c4d73458c27a4841b5ff9b5738b
SHA256: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374
SHA512: 7c37b3cc0772ea7e849a3915fffac89db5d4303c33e9a7ab883c0e59732d79027fadebe3db2dc9ea669bbfe3f7203c2d7dfe0541cc440d04f8ba19293fc2ad52
SSDEEP: 24576:y1uCqdOSSQJs9a79QrjAuu7w+QJID2k9mc1sfu3:yzqdOSS2s9aqrauJNWsf
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: lt63
Signatures

Formbook payload (2 IoCs)
Processes:
- resource: behavioral1/memory/1188-63-0x0000000000400000-0x000000000042F000-memory.dmp, yara_rule: formbook
- resource: behavioral1/memory/1188-64-0x000000000041F0B0-mapping.dmp, yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
Processes:
- description: PID 1672 set thread context of 1188; pid: 1672; process: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe; target process: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- pid: 1672; process: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe
- pid: 1672; process: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe
- pid: 1188; process: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- description: Token: SeDebugPrivilege; pid: 1672; process: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
- description: PID 1672 wrote to memory of 1188 (recorded 7 times); pid: 1672; process: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe; target process: f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe"
   PID: 1672
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. (child of PID 1672) C:\Users\Admin\AppData\Local\Temp\f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f4a9a76e7a18ea2e2dcf234b006be09f9fdf1cbd4ac7d88bdf0dced5cb453374.exe"
      PID: 1188
      - Suspicious behavior: EnumeratesProcesses