Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows7_x64
  resource: win7-20230831-en
  resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  submitted: 11/10/2023, 14:35
  Static task: static1
  Behavioral task: behavioral1
    Sample: CDE 0915.exe
    Resource: win7-20230831-en
General
  Target: CDE 0915.exe
  Size: 308KB
  MD5: 8198d6bfbb6195d1658d7949a98e33ff
  SHA1: f0b4a41bd7dfd3e5eda456ab88de948407e3e8db
  SHA256: 46436c9504931b7cedc6f56121141a9cca7389258def5ccb0981b9bbe2301cc5
  SHA512: 54156e8483bcbe6a72df32a9aac438d9de82af956d6fac69c49a4cb1ab92863792dc1c0e27e44f0cd54f28136f3c72f6faca630e6a0f5734ebdbfcf17dc564d7
  SSDEEP: 6144:LnPdudwDWtQFrtD0AaHPcmQUW6aeyVze25Sqvv+1YErCuWWQVaIaIJDbiV0bu:LnPdatQptD6HIRegeFuv+6EtWrJ/w0bu
Malware Config
  Extracted: formbook, version 4.1, k13s
Signatures
  Formbook payload (5 IoCs)
    resource                                                                     yara_rule
    behavioral1/memory/2724-10-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
    behavioral1/memory/2724-15-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
    behavioral1/memory/2724-20-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
    behavioral1/memory/2764-26-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
    behavioral1/memory/2764-29-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
  Executes dropped EXE (2 IoCs)
    pid   Process
    3060  myyzql.exe
    2724  myyzql.exe
  Loads dropped DLL (2 IoCs)
    pid   Process
    2324  CDE 0915.exe
    3060  myyzql.exe
  Suspicious use of SetThreadContext (4 IoCs)
    description                          pid   Process      procid_target
    PID 3060 set thread context of 2724  3060  myyzql.exe   29
    PID 2724 set thread context of 1244  2724  myyzql.exe   22   (2 entries)
    PID 2764 set thread context of 1244  2764  systray.exe  22
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: EnumeratesProcesses (30 IoCs)
    pid   Process
    2724  myyzql.exe   (3 entries)
    2764  systray.exe  (27 entries)
  Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
    pid   Process
    1244  Explorer.EXE
  Suspicious behavior: MapViewOfSection (7 IoCs)
    pid   Process
    3060  myyzql.exe   (1 entry)
    2724  myyzql.exe   (4 entries)
    2764  systray.exe  (2 entries)
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  2724  myyzql.exe
    Token: SeDebugPrivilege  2764  systray.exe
  Suspicious use of WriteProcessMemory (17 IoCs)
    description                       pid   Process       procid_target
    PID 2324 wrote to memory of 3060  2324  CDE 0915.exe  28   (4 entries)
    PID 3060 wrote to memory of 2724  3060  myyzql.exe    29   (5 entries)
    PID 2724 wrote to memory of 2764  2724  myyzql.exe    30   (4 entries)
    PID 2764 wrote to memory of 2624  2764  systray.exe   31   (4 entries)
Processes
  1. C:\Windows\Explorer.EXE  (PID 1244)
     - Suspicious behavior: GetForegroundWindowSpam
    2. "C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe"  (PID 2324)
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory
      3. "C:\Users\Admin\AppData\Local\Temp\myyzql.exe"  (PID 3060)
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
        4. "C:\Users\Admin\AppData\Local\Temp\myyzql.exe"  (PID 2724)
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious behavior: MapViewOfSection
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
          5. "C:\Windows\SysWOW64\systray.exe"  (PID 2764)
             - Suspicious use of SetThreadContext
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious behavior: MapViewOfSection
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory
            6. C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\myyzql.exe"  (PID 2624)
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 205KB
    MD5: 33b827d4ebc3080d1b326e7335dfdfbe
    SHA1: 28830e77aa2c9a4b512e20d18734bf03379c81ba
    SHA256: e18d141bb79de85f32948f75025263084559780d116f5ddbca8767636b8058d9
    SHA512: 4a47d359cded2f7c634827d2f39522bd0e4e741579401455aed57cabbefc905bf51566c5216aa7879489f7f234ee8255c5f01e7fcf079a7e6fd4cf27c848fba3
  Filesize: 176KB
    MD5: e460b7d571b50e5950fdd69feebf2357
    SHA1: 04d5a524e57a760f0bcea873faab604a6364428d
    SHA256: c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed
    SHA512: 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863