Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2023, 15:45
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20230831-en
General
- Target: tmp.exe
- Size: 185KB
- MD5: e46b46bfc5aa1d925bb65320823fee8b
- SHA1: 506e325008fe464a5b17971d13aad348cc1e0bf4
- SHA256: f5c4d1a411acaf23f8799d9e97d29010bdd0c38915aad1ed556cb26359994b4c
- SHA512: f536e8d89b8a404c3b602228900580b858d1918aef0d0ec8e93af287d40092a42de2fe5743721034512133ac9f0f79e7e74c1f16aaa81a23ccf898514823b1a0
- SSDEEP: 3072:536wm/kM2mHsaCbi3zb0LF4B6aPa9+WBYJRK5K4Gkuj24kkUFZIP6Qkqgh9l:rmeLUzwLWYaPa9+WEKrvtHJjl
Malware Config
Extracted
formbook
4.1
ro12
start399.com
decyfincoin.com
binguozhijiaok.com
one45.vip
55dy5s.top
regmt.pro
2ahxgaafifl.com
xn--6rtp2flvfc2h.com
justinmburns.com
los3.online
fleshaaikensdivinegiven7llc.com
servicedelv.services
apexcaryhomesforsale.com
shuraop.xyz
sagetotal.com
gratitude-et-compagnie.com
riderarea.com
digitalserviceact.online
contentbyc.com
agenda-digital-planner.com
senior-living-91799.bond
navigationexperiments.com
tiktok-shop-he.com
qualityquickprints.com
ddbetting.com
navigatenuggets.com
indiannaturals.online
xzgx360.com
xlrj.asia
seagaming.net
saltcasing.info
pq-es.com
doubleapus.com
speedgallery.shop
millions-fans.com
ktrandnews.com
niaeoer.com
60plusmen.com
nala.dev
costanotaryservice.com
palokallio.net
sportsynergyemporium.fun
fathomtackle.com
computer-chronicles.com
valeriaestate.com
holzleisten24.shop
ps212naming.com
blessed-autos.com
rptiki.com
bjykswkj.com
vorbergh.info
ssongg273.cfd
thevitaminstore.store
easyeats307.com
mcied.link
ssongg1620.cfd
y-12federalcreditunion.top
jlh777.com
no5th3267.top
toolifyonline.com
hcsjwdy.com
ypwvj8.top
hja357b.com
bajie6.com
pwpholdings.com
Signatures
- Formbook payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2288-1-0x0000000000DD0000-0x0000000000DFF000-memory.dmp: formbook
  - behavioral1/memory/2636-7-0x00000000000C0000-0x00000000000EF000-memory.dmp: formbook
  - behavioral1/memory/2636-9-0x00000000000C0000-0x00000000000EF000-memory.dmp: formbook
- Deletes itself (1 IoC)
  pid / Process:
  - 2812 cmd.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
  - PID 2288 set thread context of 1276: 2288 tmp.exe, procid_target 12
  - PID 2636 set thread context of 1276: 2636 wlanext.exe, procid_target 12
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid / Process:
  - 2288 tmp.exe (2 entries)
  - 2636 wlanext.exe (29 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process:
  - 1276 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid / Process:
  - 2288 tmp.exe (3 entries)
  - 2636 wlanext.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege: 2288 tmp.exe
  - Token: SeDebugPrivilege: 2636 wlanext.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid / Process:
  - 1276 Explorer.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  - PID 1276 wrote to memory of 2636: 1276 Explorer.EXE, procid_target 28 (4 entries)
  - PID 2636 wrote to memory of 2812: 2636 wlanext.exe, procid_target 29 (4 entries)
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1276
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
  - C:\Windows\SysWOW64\wlanext.exe
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Deletes itself
      PID:2812