Analysis
max time kernel: 135s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2023 03:54
Static task: static1
Behavioral task: behavioral1
Sample: ce1c55a5196da204d9f949b097e67060.exe
Resource: win7-20230220-en
General
Target: ce1c55a5196da204d9f949b097e67060.exe
Size: 690KB
MD5: ce1c55a5196da204d9f949b097e67060
SHA1: bee3d05da7b8913368f16f34306dbfbd1bf4fab7
SHA256: bca5d8c8e6b1abbf2f9ed462fda3dc22c4f3b37ef2bd6f2bd6772c00fe7dc1af
SHA512: 0ce30e590cb2c5703c316e94792af9a5ea691caf132fbde1d9794564aeb2eb94c72e4c272139fbec632e062f9564ab40e3b74bcbe2b363c03db18f983f2f351e
SSDEEP: 12288:V0hmzZBEP85JpsN74ypvfv3jVTGEbaZwqje4Arb++mZfFGB1v:D9BEP8jmN7tHPRT1beP1Ar23GB1v
Malware Config
Extracted
formbook
4.1
ca82
idunresearch.com
loiioo1.site
aimobilify.com
limousineswebdesign.com
darshan-enterprises.online
javad.top
dd-spy.com
metamysme.co.uk
earticlesdirect.com
ldkj78v.vip
dariusevory.com
bestyoutubepromoter.com
dogcoinacademy.com
mestredosexo.net
mrnofree.africa
plan.rsvp
hoangnam.site
cadcamperform.com
091888.net
artwaylogistics.com
bigsky1roofing.net
kr-eats.com
millenniumtutors.africa
clarebushire.com
amazonnews.top
farmacoachdigital.com
lasmeralda.net
baochuanlp.com
golf-break100again.com
kgconstrucoes.com
anamaciasdeharo.com
callgaryz.com
dbfsolutely.net
193yz96.xyz
yetcox.online
bet168.plus
lobbyspace.net
kui693.com
athm-consulting.com
warrenlee.africa
kellnovaglobalfood.info
premierpath.net
floffly.art
alaiatech.net
motherpearl.africa
daxiangya.com
mandytelecoms.africa
mbtglobal.africa
dazzleexchange.com
jacksontcpsettlement.com
gadjet1111.com
indiciacompany.com
artistpu.com
colonbroom-reviews.com
leaptrainings.com
harataka.com
athma.xyz
id6w.xyz
hakilakingllc.com
getripay.africa
comedyescape.show
lieblingsmusik.events
bridgerenvm.com
allard-electrical.com
kode-promo.com
Signatures

Formbook payload 1 IoCs
resource | yara_rule
behavioral2/memory/4552-143-0x0000000000400000-0x000000000042F000-memory.dmp | formbook

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4764 set thread context of 4552 | 4764 | ce1c55a5196da204d9f949b097e67060.exe | 90

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4552 | ce1c55a5196da204d9f949b097e67060.exe
4552 | ce1c55a5196da204d9f949b097e67060.exe

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4764 wrote to memory of 4552 | 4764 | ce1c55a5196da204d9f949b097e67060.exe | 90
PID 4764 wrote to memory of 4552 | 4764 | ce1c55a5196da204d9f949b097e67060.exe | 90
PID 4764 wrote to memory of 4552 | 4764 | ce1c55a5196da204d9f949b097e67060.exe | 90
PID 4764 wrote to memory of 4552 | 4764 | ce1c55a5196da204d9f949b097e67060.exe | 90
PID 4764 wrote to memory of 4552 | 4764 | ce1c55a5196da204d9f949b097e67060.exe | 90
PID 4764 wrote to memory of 4552 | 4764 | ce1c55a5196da204d9f949b097e67060.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\ce1c55a5196da204d9f949b097e67060.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce1c55a5196da204d9f949b097e67060.exe"
  PID: 4764
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ce1c55a5196da204d9f949b097e67060.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ce1c55a5196da204d9f949b097e67060.exe"
      PID: 4552
      - Suspicious behavior: EnumeratesProcesses