Analysis

max time kernel: 157s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2023, 21:00 UTC

Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General

Target: tmp.exe
Size: 605KB
MD5: cb62322bf94c2372c0c4c0383f3c2a23
SHA1: 7b628d08dde66fe82002c908a1cdca11db5d54ed
SHA256: f641f1a87ee2a760b79417b410c52137c114e2618529bb90a0f281967975476e
SHA512: 8a43cc7a3d2f6ebd5bd3bddc6577d435ac421697a3a8ca34074a29bdc716b589e87684e1cc5ae8d1007ef22e69e72cb0393c45c2f9f681fee3e0a7acec7f4237
SSDEEP: 12288:FYmXlA7G3NFi0b7BMAsSMMT6sOhOIbw9SopRGdovnyo6VNglbXT:F5aS9Fi0b7BPl569I4p4G6vn32SbXT
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: tf6p
Signatures

Formbook payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/336-64-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
  behavioral1/memory/336-67-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
  behavioral1/memory/1368-72-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook

Deletes itself (1 IoC)
  pid   Process
  2016  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                            pid   Process      procid_target
  PID 1568 set thread context of 336     1568  tmp.exe      28
  PID 336 set thread context of 1200     336   tmp.exe      16
  PID 1368 set thread context of 1200    1368  NETSTAT.EXE  16

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid   Process
  1368  NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid   Process      occurrences
  336   tmp.exe      2
  1368  NETSTAT.EXE  17

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1200  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process      occurrences
  336   tmp.exe      3
  1368  NETSTAT.EXE  2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   336   tmp.exe
  Token: SeDebugPrivilege   1368  NETSTAT.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process       occurrences
  1200  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process       occurrences
  1200  Explorer.EXE  2

Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid   Process       procid_target  occurrences
  PID 1568 wrote to memory of 336      1568  tmp.exe       28             7
  PID 1200 wrote to memory of 1368     1200  Explorer.EXE  29             4
  PID 1368 wrote to memory of 2016     1368  NETSTAT.EXE   30             4
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 1568
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      PID: 336
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1200
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\NETSTAT.EXE
      command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
      PID: 1368
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
          PID: 2016
          - Deletes itself
Network

DNS
  Remote address: 8.8.8.8:53
  Request:  www.clarasecurity.com IN A
  Response: www.clarasecurity.com IN CNAME proxy-ssl.webflow.com
            proxy-ssl.webflow.com IN CNAME proxy-ssl-geo.webflow.com
            proxy-ssl-geo.webflow.com IN A 35.79.138.241
            proxy-ssl-geo.webflow.com IN A 13.115.92.205
            proxy-ssl-geo.webflow.com IN A 13.115.182.240

HTTP
  GET http://www.clarasecurity.com/tf6p/?8pFx=EL7vYuPxrp+WqwxVFEBG40mNBIXJDBlJpFSQVsJ9fO9xyvSpu5Fr0h5v80X7BEc+&sF=WpeHzFi
  Process: Explorer.EXE
  Remote address: 35.79.138.241:80
  Request:
GET /tf6p/?8pFx=EL7vYuPxrp+WqwxVFEBG40mNBIXJDBlJpFSQVsJ9fO9xyvSpu5Fr0h5v80X7BEc+&sF=WpeHzFi HTTP/1.1
Host: www.clarasecurity.com
Connection: close
  Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://www.clarasecurity.com/tf6p?8pFx=EL7vYuPxrp+WqwxVFEBG40mNBIXJDBlJpFSQVsJ9fO9xyvSpu5Fr0h5v80X7BEc+&sF=WpeHzFi

DNS
  Remote address: 8.8.8.8:53
  Request:  www.hallspropertyenhancements.com IN A
  Response: www.hallspropertyenhancements.com IN CNAME gcdn0.wixdns.net
            gcdn0.wixdns.net IN CNAME td-ccm-168-233.wixdns.net
            td-ccm-168-233.wixdns.net IN A 34.117.168.233

HTTP
  GET http://www.hallspropertyenhancements.com/tf6p/?8pFx=JbQ+I8x4UnBSL8G4n3uT3ckl1a9T8798V6l4YCxKpmmTFCI/IapS1bdDsDtXHRJr&sF=WpeHzFi
  Process: Explorer.EXE
  Remote address: 34.117.168.233:80
  Request:
GET /tf6p/?8pFx=JbQ+I8x4UnBSL8G4n3uT3ckl1a9T8798V6l4YCxKpmmTFCI/IapS1bdDsDtXHRJr&sF=WpeHzFi HTTP/1.1
Host: www.hallspropertyenhancements.com
Connection: close
  Response:
HTTP/1.1 301 Moved Permanently
Content-Length: 0
location: https://www.hallspropertyenhancements.com/tf6p?8pFx=JbQ+I8x4UnBSL8G4n3uT3ckl1a9T8798V6l4YCxKpmmTFCI%2FIapS1bdDsDtXHRJr&sF=WpeHzFi
strict-transport-security: max-age=3600
x-wix-request-id: 1683328476.871880306155619668
Age: 0
X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMdZC7UaugUgerpaeZTvgu4f,qquldgcFrj2n046g4RNSVKTl6x/3To9sxSa0HYDttpo=,2d58ifebGbosy5xc+FRaltopQ9/hOUX/iGCnr+He7gE0q2b2Dt9FTx53GyRQNwLLEQ+kwAkbhrBM0pumcIm/ZbifaLV3vkcVsw4LEEhXxbM=,2UNV7KOq4oGjA5+PKsX47H9uI8JOdunVpSRDzMPCPTFYgeUJqUXtid+86vZww+nL,7npGRUZHWOtWoP0Si3wDp4lj1YeYp6WzYc638Kp14Hs=,xTu8fpDe3EKPsMR1jrheELutYhRjSyU//OgaNdL6scg=,ywkbhDzHLtjhjmon1ohv97r+RA+ENj/6/yls+DMVmwdT7tnkj/1IkxFu8UpERCLrmuOkfcTSJaUOHlD2KQbqrA==
Cache-Control: no-cache
server-timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw1_g
X-Content-Type-Options: nosniff
Server: Pepyaka/1.19.10
Via: 1.1 google
Connection: close

DNS
  Remote address: 8.8.8.8:53
  Request:  www.arportablepottyrentals.biz IN A
  Response: www.arportablepottyrentals.biz IN A 104.21.37.151
            www.arportablepottyrentals.biz IN A 172.67.209.187

HTTP
  GET http://www.arportablepottyrentals.biz/tf6p/?8pFx=7xjxzWQKGgcU/kBiYUQALfg39rCA/Zex7op0sPyorExEL43rYkojummfVQUWk46o&sF=WpeHzFi
  Process: Explorer.EXE
  Remote address: 104.21.37.151:80
  Request:
GET /tf6p/?8pFx=7xjxzWQKGgcU/kBiYUQALfg39rCA/Zex7op0sPyorExEL43rYkojummfVQUWk46o&sF=WpeHzFi HTTP/1.1
Host: www.arportablepottyrentals.biz
Connection: close
  Response:
HTTP/1.1 403 Forbidden
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4eNlxDNgHN5VOsLRqDl2CKgzuuUiC8vQe%2Fa3sBdKal19BeiV3%2F8gAJEtRHSkoiA1QMd5JlLDXNNoqX8faHY82OKfugugoYTussZJDlQjnDHnA3ASD7gnp%2BGdRiIuOs5rjm9o0ZfmpC0z2ZsCiRUCwrQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7c2caed72824b77c-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Network summary

HTTP connections (columns: remote address, URL, protocol, process, bytes sent, bytes received, packets sent / received)

  35.79.138.241:80  http://www.clarasecurity.com/tf6p/?8pFx=EL7vYuPxrp+WqwxVFEBG40mNBIXJDBlJpFSQVsJ9fO9xyvSpu5Fr0h5v80X7BEc+&sF=WpeHzFi  http  Explorer.EXE  389 B  641 B  5 / 5
    HTTP Request:  GET http://www.clarasecurity.com/tf6p/?8pFx=EL7vYuPxrp+WqwxVFEBG40mNBIXJDBlJpFSQVsJ9fO9xyvSpu5Fr0h5v80X7BEc+&sF=WpeHzFi
    HTTP Response: 301

  34.117.168.233:80  http://www.hallspropertyenhancements.com/tf6p/?8pFx=JbQ+I8x4UnBSL8G4n3uT3ckl1a9T8798V6l4YCxKpmmTFCI/IapS1bdDsDtXHRJr&sF=WpeHzFi  http  Explorer.EXE  401 B  1.2kB  5 / 5
    HTTP Request:  GET http://www.hallspropertyenhancements.com/tf6p/?8pFx=JbQ+I8x4UnBSL8G4n3uT3ckl1a9T8798V6l4YCxKpmmTFCI/IapS1bdDsDtXHRJr&sF=WpeHzFi
    HTTP Response: 301

  104.21.37.151:80  http://www.arportablepottyrentals.biz/tf6p/?8pFx=7xjxzWQKGgcU/kBiYUQALfg39rCA/Zex7op0sPyorExEL43rYkojummfVQUWk46o&sF=WpeHzFi  http  Explorer.EXE  398 B  995 B  5 / 5
    HTTP Request:  GET http://www.arportablepottyrentals.biz/tf6p/?8pFx=7xjxzWQKGgcU/kBiYUQALfg39rCA/Zex7op0sPyorExEL43rYkojummfVQUWk46o&sF=WpeHzFi
    HTTP Response: 403

DNS lookups (columns: bytes sent, bytes received, packets sent / received)

  67 B  175 B  1 / 1
    DNS Request:  www.clarasecurity.com
    DNS Response: 35.79.138.241, 13.115.92.205, 13.115.182.240

  79 B  154 B  1 / 1
    DNS Request:  www.hallspropertyenhancements.com
    DNS Response: 34.117.168.233

  76 B  108 B  1 / 1
    DNS Request:  www.arportablepottyrentals.biz
    DNS Response: 104.21.37.151, 172.67.209.187