Analysis
- max time kernel: 149s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2023 13:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: PAYMENT BANK DETAILS.exe
- Resource: win7-20230220-en

General
- Target: PAYMENT BANK DETAILS.exe
- Size: 775KB
- MD5: d9e05b26e4ba8db84e61e1042d22b920
- SHA1: 13fd6f491b1cafd46e51a2a53b5d62f02cdc9e53
- SHA256: 3fe2c04c33423019af7464d50b3df0775a565e9a31e1a289b49e4e180585ab00
- SHA512: 5fd8a4f1a1d632d4f8ecc51cddf34d550abbd0fee36c5c4a05431f62b36685041389c68c981a7d9a1da9f4b201f518da79aa0d8cecee4d3aa89927a115219d9a
- SSDEEP: 12288:4IZfTA1Bgt9byODL/qAn4zlwUhGmkkEgxV3i/js2kDXHqt7A:42LA4tNyGzq4hUhG5u5Mjkb
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: m82
Signatures

Formbook payload 5 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1536-71-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral1/memory/1220-74-0x0000000002460000-0x00000000024A0000-memory.dmp: formbook
- behavioral1/memory/1536-76-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral1/memory/1672-83-0x0000000000090000-0x00000000000BF000-memory.dmp: formbook
- behavioral1/memory/1672-85-0x0000000000090000-0x00000000000BF000-memory.dmp: formbook
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 824 set thread context of 1536: 824 PAYMENT BANK DETAILS.exe -> RegSvcs.exe
- PID 1536 set thread context of 1204: 1536 RegSvcs.exe -> Explorer.EXE
- PID 1672 set thread context of 1204: 1672 wuapp.exe -> Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes (pid, process, number of events):
- 824 PAYMENT BANK DETAILS.exe (4)
- 1536 RegSvcs.exe (2)
- 1220 powershell.exe (1)
- 1672 wuapp.exe (18)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 1204 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process, number of events):
- 1536 RegSvcs.exe (3)
- 1672 wuapp.exe (2)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 824 PAYMENT BANK DETAILS.exe
- Token: SeDebugPrivilege, 1536 RegSvcs.exe
- Token: SeDebugPrivilege, 1220 powershell.exe
- Token: SeDebugPrivilege, 1672 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process, number of events):
- 1204 Explorer.EXE (2)
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid, process, number of events):
- 1204 Explorer.EXE (2)
Suspicious use of WriteProcessMemory 36 IoCs
Processes (description, pid, process, target process, number of events):
- PID 824 wrote to memory of 1220: 824 PAYMENT BANK DETAILS.exe -> powershell.exe (4)
- PID 824 wrote to memory of 1752: 824 PAYMENT BANK DETAILS.exe -> schtasks.exe (4)
- PID 824 wrote to memory of 872: 824 PAYMENT BANK DETAILS.exe -> RegSvcs.exe (7)
- PID 824 wrote to memory of 1536: 824 PAYMENT BANK DETAILS.exe -> RegSvcs.exe (10)
- PID 1204 wrote to memory of 1672: 1204 Explorer.EXE -> wuapp.exe (7)
- PID 1672 wrote to memory of 1684: 1672 wuapp.exe -> cmd.exe (4)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK DETAILS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK DETAILS.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGruTf.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGruTf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC38.tmp"
         - Creates scheduled task(s)

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\wuapp.exe
      Command line: "C:\Windows\SysWOW64\wuapp.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpAC38.tmp
- Filesize: 1KB
- MD5: 144257d0e1235857f6e887b6309af395
- SHA1: dda3da92a1ddb8b3ad464c48403f0487c1311165
- SHA256: 140d4717ec94fd2b0fadb5f69c59424c3c8acd55111631424c5ff878e034b54f
- SHA512: bc39cdf2a959e7a863cf2e3203153a76e5975822cdf27d552dab39a568e5cce4ffb742437bbd6426c8681f26537fbde4c2a1c44ceaeb13439d3696aa82629fc1
-
Memory dumps (resource, filesize):
- memory/824-57-0x0000000004C80000-0x0000000004CC0000-memory.dmp: 256KB
- memory/824-56-0x00000000003E0000-0x00000000003F2000-memory.dmp: 72KB
- memory/824-54-0x00000000009A0000-0x0000000000A68000-memory.dmp: 800KB
- memory/824-58-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
- memory/824-59-0x0000000005900000-0x000000000598C000-memory.dmp: 560KB
- memory/824-55-0x0000000004C80000-0x0000000004CC0000-memory.dmp: 256KB
- memory/824-65-0x0000000005AB0000-0x0000000005B04000-memory.dmp: 336KB
- memory/1204-91-0x0000000004150000-0x0000000004204000-memory.dmp: 720KB
- memory/1204-89-0x0000000004150000-0x0000000004204000-memory.dmp: 720KB
- memory/1204-88-0x0000000004150000-0x0000000004204000-memory.dmp: 720KB
- memory/1204-79-0x0000000004D30000-0x0000000004E4B000-memory.dmp: 1.1MB
- memory/1220-80-0x0000000002460000-0x00000000024A0000-memory.dmp: 256KB
- memory/1220-74-0x0000000002460000-0x00000000024A0000-memory.dmp: 256KB
- memory/1220-75-0x0000000002460000-0x00000000024A0000-memory.dmp: 256KB
- memory/1536-76-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
- memory/1536-78-0x00000000001B0000-0x00000000001C5000-memory.dmp: 84KB
- memory/1536-77-0x0000000000860000-0x0000000000B63000-memory.dmp: 3.0MB
- memory/1536-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/1536-71-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
- memory/1536-69-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
- memory/1536-68-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
- memory/1672-81-0x0000000001060000-0x000000000106B000-memory.dmp: 44KB
- memory/1672-82-0x0000000001060000-0x000000000106B000-memory.dmp: 44KB
- memory/1672-83-0x0000000000090000-0x00000000000BF000-memory.dmp: 188KB
- memory/1672-84-0x0000000000AD0000-0x0000000000DD3000-memory.dmp: 3.0MB
- memory/1672-85-0x0000000000090000-0x00000000000BF000-memory.dmp: 188KB
- memory/1672-87-0x00000000008F0000-0x0000000000984000-memory.dmp: 592KB