Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 14:35
Static task
static1
Behavioral task
behavioral1
Sample
CDE 0915.exe
Resource
win7-20230831-en
General
Target: CDE 0915.exe
Size: 308KB
MD5: 8198d6bfbb6195d1658d7949a98e33ff
SHA1: f0b4a41bd7dfd3e5eda456ab88de948407e3e8db
SHA256: 46436c9504931b7cedc6f56121141a9cca7389258def5ccb0981b9bbe2301cc5
SHA512: 54156e8483bcbe6a72df32a9aac438d9de82af956d6fac69c49a4cb1ab92863792dc1c0e27e44f0cd54f28136f3c72f6faca630e6a0f5734ebdbfcf17dc564d7
SSDEEP: 6144:LnPdudwDWtQFrtD0AaHPcmQUW6aeyVze25Sqvv+1YErCuWWQVaIaIJDbiV0bu:LnPdatQptD6HIRegeFuv+6EtWrJ/w0bu
Malware Config
Extracted
formbook
4.1
k13s
Signatures
Formbook payload 5 IoCs
resource  yara_rule
behavioral2/memory/3388-7-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/3388-12-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/2092-17-0x0000000001170000-0x000000000119F000-memory.dmp  formbook
behavioral2/memory/2092-21-0x0000000001170000-0x000000000119F000-memory.dmp  formbook
behavioral2/memory/2092-22-0x0000000001170000-0x000000000119F000-memory.dmp  formbook
Executes dropped EXE 2 IoCs
pid   Process
2332  myyzql.exe
3388  myyzql.exe
Suspicious use of SetThreadContext 3 IoCs
description                           pid   Process      procid_target
PID 2332 set thread context of 3388   2332  myyzql.exe   91
PID 3388 set thread context of 2572   3388  myyzql.exe   32
PID 2092 set thread context of 2572   2092  cscript.exe  32
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid   Process
3388  myyzql.exe   (4 identical entries)
2092  cscript.exe  (all remaining entries, identical)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2572 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid   Process
2332  myyzql.exe
3388  myyzql.exe   (3 identical entries)
2092  cscript.exe  (2 identical entries)
Suspicious use of AdjustPrivilegeToken 14 IoCs
description                       pid   Process
Token: SeDebugPrivilege           3388  myyzql.exe
Token: SeDebugPrivilege           2092  cscript.exe
Token: SeShutdownPrivilege        2572  Explorer.EXE  (6 identical entries)
Token: SeCreatePagefilePrivilege  2572  Explorer.EXE  (6 identical entries)
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2572 Explorer.EXE -
Suspicious use of WriteProcessMemory 13 IoCs
description                         pid   Process       procid_target
PID 960 wrote to memory of 2332     960   CDE 0915.exe  86  (3 identical entries)
PID 2332 wrote to memory of 3388    2332  myyzql.exe    91  (4 identical entries)
PID 2572 wrote to memory of 2092    2572  Explorer.EXE  94  (3 identical entries)
PID 2092 wrote to memory of 4612    2092  cscript.exe   97  (3 identical entries)
Processes
C:\Windows\Explorer.EXE (PID: 2572)
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe (PID: 960)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\myyzql.exe (PID: 2332)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\myyzql.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\myyzql.exe (PID: 3388)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myyzql.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe (PID: 2092)
    cmdline: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID: 4612)
      cmdline: /c del "C:\Users\Admin\AppData\Local\Temp\myyzql.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 205KB
MD5: 33b827d4ebc3080d1b326e7335dfdfbe
SHA1: 28830e77aa2c9a4b512e20d18734bf03379c81ba
SHA256: e18d141bb79de85f32948f75025263084559780d116f5ddbca8767636b8058d9
SHA512: 4a47d359cded2f7c634827d2f39522bd0e4e741579401455aed57cabbefc905bf51566c5216aa7879489f7f234ee8255c5f01e7fcf079a7e6fd4cf27c848fba3

Filesize: 176KB
MD5: e460b7d571b50e5950fdd69feebf2357
SHA1: 04d5a524e57a760f0bcea873faab604a6364428d
SHA256: c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed
SHA512: 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863