Analysis
max time kernel: 55s
max time network: 68s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230621-en locale:en-us os:windows10-2004-x64 system
submitted: 23-06-2023 06:41
Static task: static1
Behavioral task: behavioral1
Sample: ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe
Resource: win7-20230621-en
General
Target: ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe
Size: 318KB
MD5: 7747a48635cb9f24aebd42ad05fcde93
SHA1: 165a095cdb3c9b0591d04efb2ab8caecebbc667a
SHA256: c751b1369af3d6c58b101c6605dee97559f910f23c009cc41ddff70c0ab06a0f
SHA512: 72942bebb56793385b73e22b3e870b1db40231792b5142d6b2098b6b5067b8e451e113b010b595a704d633f4cd246adf98f653529956db5ad18d0269bbc8610b
SSDEEP: 6144:BYa6xMRpovPU7YD0MPQGndKuRFXro+r9LLR8uKB5Wgp2:BY7wKt0MBdlrt5nRHKB5R2
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ng04
Domains:
christinegnigler.com
shukydeco.com
yuncaibg.com
eikjjs.cloud
cautamhouri.xyz
furtkagrsets.xyz
zhaoshang0197.shop
maraduncan.autos
aircleanlimited.com
simplificandotdah.com
ggs-1126.cyou
6848us.com
g1fx2.xyz
earnmoneyhelper.com
mbh123.xyz
1803734.com
blur-x-proof.xyz
dfwbusinessconnection.com
clubbeyyresorthotel.com
iittzz.com
njshimiaodao.com
baifumama.com
fortheoutside.com
dryoliteso.com
shudev.app
wwwmyshopytefi.com
lightingnano.com
xnnx054y6id9j7.xyz
mynieart.com
drligekrlezu.xyz
contenidoerotico.net
haahztnzbvbekr.xyz
sanguoyule.com
theravennacolt.com
tarairpex.xyz
bna-nc-e-tr-glbl.net
ochguana.cfd
92227m4.com
viberant.studio
3kk3tt.online
piringmelaminw.buzz
haah3zec1ce8pw.xyz
06gf.top
levydamara.xyz
lgbtcre.com
pusatpengecatan.com
goodwillbuys.com
ypredict-live.com
volpinoverde.online
mdlcode.dev
251879.club
nationalboatcharging.com
34sandycreekway.com
azxteri.xyz
colemanmcallister.com
jessespropertydoctors.com
richcrowdonline.com
schmidt-partners.com
gl-advice.com
gabbypaws.com
skalindiacongress.com
xn--26qx5po2r.com
haahtfbrs3xhuc.xyz
paddyspavingandmasonrynj.com
w77797.com
Signatures

Formbook payload (1 IoCs)
  resource: behavioral2/memory/2140-139-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook

Loads dropped DLL (1 IoCs)
  pid 1400  process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 1400 set thread context of 2140
  pid 1400  process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe  target process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2140  process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe
  pid 2140  process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid 1400  process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1400 wrote to memory of 2140
  pid 1400  process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe  target process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe
  description: PID 1400 wrote to memory of 2140
  pid 1400  process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe  target process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe
  description: PID 1400 wrote to memory of 2140
  pid 1400  process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe  target process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe
  description: PID 1400 wrote to memory of 2140
  pid 1400  process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe  target process ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\ORDER#KG23AG007_JUNE2023_SHYAM_GRSOUP_IND.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\nsp6E9F.tmp\vwoslw.dll
  Filesize: 41KB
  MD5: a71d9f8347f763684d8df1027d95b805
  SHA1: f2a1089da9d3caad65d68ee94948dd9278c40e31
  SHA256: 94ddf37c0bf60b116a9fbc3d59943035a89fba7ff3b85306f3753f04a677c184
  SHA512: 0a69c7d14b385d763e0ae9462f9348102cd9715302e5b92e38cd11acce05629df12202519a089fa633b241e0256cf9b131beae47f5d78371cddef2c42b08ef7b

memory/2140-139-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/2140-142-0x0000000000A20000-0x0000000000D6A000-memory.dmp
  Filesize: 3.3MB