Analysis
- max time kernel: 131s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-12-2022 15:00

Static task: static1
Behavioral task: behavioral1
Sample: c797ec1e79935bb4186091dd2497ecb9.exe
Resource: win7-20221111-en
General
- Target: c797ec1e79935bb4186091dd2497ecb9.exe
- Size: 902KB
- MD5: c797ec1e79935bb4186091dd2497ecb9
- SHA1: 1183605174d54e31c90641de28693b690c1a7302
- SHA256: 484a773ea467d473190ad7c22e0c28ea84c14198dbfe22599508697c2df5773f
- SHA512: 78bc72ab135a9e1e9adca84ebc893c71782e2f4d072ea9b7252892f9200cf45fc3cbb8a2323179e8ab2963a78d616fc8984b6c2f177aa7f089c2542fe25caa6d
- SSDEEP: 24576:oWXvRemER/Q9GeYovTx4GRO3GxSY67GKTgG:oaGu9GLo7xLw3ASh
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: ng04
- Domains:
tevimaq.com
easterspecialtystore.com
smartlever.tech
10312.uk
tanjawiharbi.co.uk
471338.com
horusventure.com
empress-care.com
sinrian.com
465951.com
aemsti.com
nxcourier.com
stargatefarms.com
lalyquainvestment.com
dailysportsadvice.com
justlistmoore.com
stoneonroll.online
tatianakolomiets.com
barcodebbm.com
protectorship.world
datingventure.info
aurora-body.com
sohomusicclub.com
postapudding.co.uk
mps-24.store
fengjianghu.com
fenostoreshop.site
julietterosebarney.com
1a-datenschutz.com
yejinxia.com
firstmortgagedebt.com
greengood.store
skynet-one.net
allianthrs.com
centralflfc.com
46caminosobrante.com
informatique07.com
keebu.net
gamebe.store
nicestartech.top
smbxd.com
dyadent.store
xiangmeihao.com
exac7.com
vesiensuojelu.com
youhaometal.com
jiewo.top
xmfaucet.com
avocadotaco.com
nicelove.online
beautytimelashesnails.com
domainand.site
tlqf.net
mentionevery.online
jeuxjetx.fr
device-track.co
re364t6.top
teamlepleiadi.com
againsubpackaddr.com
blemchi.xyz
yxzhcpa.com
cycle-xchange.store
medimattress.info
cosme-mochi.net
wekurd.com
Signatures

Formbook payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/660-138-0x0000000000400000-0x000000000042F000-memory.dmp | formbook

Drops file in System32 directory (2 IoCs)
Processes: svchost.exe
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{68C9613C-BC75-4C7D-B8B3-E85A7D954BDF}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EC850C3E-802D-4E6D-82CB-B754FFF875DC}.catalogItem | svchost.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: c797ec1e79935bb4186091dd2497ecb9.exe
description | pid | process | target process
PID 1152 set thread context of 660 | 1152 | c797ec1e79935bb4186091dd2497ecb9.exe | c797ec1e79935bb4186091dd2497ecb9.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: c797ec1e79935bb4186091dd2497ecb9.exe
pid | process
660 | c797ec1e79935bb4186091dd2497ecb9.exe
660 | c797ec1e79935bb4186091dd2497ecb9.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: c797ec1e79935bb4186091dd2497ecb9.exe
description | pid | process | target process
PID 1152 wrote to memory of 660 | 1152 | c797ec1e79935bb4186091dd2497ecb9.exe | c797ec1e79935bb4186091dd2497ecb9.exe
PID 1152 wrote to memory of 660 | 1152 | c797ec1e79935bb4186091dd2497ecb9.exe | c797ec1e79935bb4186091dd2497ecb9.exe
PID 1152 wrote to memory of 660 | 1152 | c797ec1e79935bb4186091dd2497ecb9.exe | c797ec1e79935bb4186091dd2497ecb9.exe
PID 1152 wrote to memory of 660 | 1152 | c797ec1e79935bb4186091dd2497ecb9.exe | c797ec1e79935bb4186091dd2497ecb9.exe
PID 1152 wrote to memory of 660 | 1152 | c797ec1e79935bb4186091dd2497ecb9.exe | c797ec1e79935bb4186091dd2497ecb9.exe
PID 1152 wrote to memory of 660 | 1152 | c797ec1e79935bb4186091dd2497ecb9.exe | c797ec1e79935bb4186091dd2497ecb9.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\c797ec1e79935bb4186091dd2497ecb9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c797ec1e79935bb4186091dd2497ecb9.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\c797ec1e79935bb4186091dd2497ecb9.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\c797ec1e79935bb4186091dd2497ecb9.exe"
      - Suspicious behavior: EnumeratesProcesses

1. C:\Windows\System32\svchost.exe
   Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
   - Drops file in System32 directory
   - Checks processor information in registry
   - Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/660-137-0x0000000000000000-mapping.dmp
- memory/660-138-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/660-139-0x0000000001800000-0x0000000001B4A000-memory.dmp (3.3MB)
- memory/1152-132-0x0000000000160000-0x0000000000248000-memory.dmp (928KB)
- memory/1152-133-0x0000000005170000-0x0000000005714000-memory.dmp (5.6MB)
- memory/1152-134-0x0000000004C60000-0x0000000004CF2000-memory.dmp (584KB)
- memory/1152-135-0x0000000004C00000-0x0000000004C0A000-memory.dmp (40KB)
- memory/1152-136-0x00000000078F0000-0x000000000798C000-memory.dmp (624KB)