Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2023, 15:45
Behavioral task
- task: behavioral1
- Sample: tmp.exe
- Resource: win7-20230831-en
General
- Target: tmp.exe
- Size: 185KB
- MD5: e46b46bfc5aa1d925bb65320823fee8b
- SHA1: 506e325008fe464a5b17971d13aad348cc1e0bf4
- SHA256: f5c4d1a411acaf23f8799d9e97d29010bdd0c38915aad1ed556cb26359994b4c
- SHA512: f536e8d89b8a404c3b602228900580b858d1918aef0d0ec8e93af287d40092a42de2fe5743721034512133ac9f0f79e7e74c1f16aaa81a23ccf898514823b1a0
- SSDEEP: 3072:536wm/kM2mHsaCbi3zb0LF4B6aPa9+WBYJRK5K4Gkuj24kkUFZIP6Qkqgh9l:rmeLUzwLWYaPa9+WEKrvtHJjl
Malware Config
Extracted
formbook
4.1
ro12
Signatures
Formbook payload (3 IoCs)
- resource: behavioral2/memory/5028-1-0x0000000000AF0000-0x0000000000B1F000-memory.dmp, yara_rule: formbook
- resource: behavioral2/memory/4316-6-0x0000000000A00000-0x0000000000A2F000-memory.dmp, yara_rule: formbook
- resource: behavioral2/memory/4316-8-0x0000000000A00000-0x0000000000A2F000-memory.dmp, yara_rule: formbook
Suspicious use of SetThreadContext (2 IoCs)
- PID 5028 set thread context of 2564 (process: 5028 tmp.exe, procid_target: 46)
- PID 4316 set thread context of 2564 (process: 4316 systray.exe, procid_target: 46)
Modifies registry class (3 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (process: Explorer.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (process: Explorer.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: Explorer.EXE)
Suspicious behavior: EnumeratesProcesses (60 IoCs)
- 5028 tmp.exe (4 entries)
- 4316 systray.exe (56 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- 2564 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
- 5028 tmp.exe (3 entries)
- 4316 systray.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (13 IoCs)
- Token: SeDebugPrivilege, 5028 tmp.exe
- Token: SeShutdownPrivilege, 2564 Explorer.EXE (5 entries)
- Token: SeCreatePagefilePrivilege, 2564 Explorer.EXE (5 entries)
- Token: SeDebugPrivilege, 4316 systray.exe
- Token: SeManageVolumePrivilege, 4500 svchost.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
- 2564 Explorer.EXE (4 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2564 wrote to memory of 4316 (process: 2564 Explorer.EXE, procid_target: 86), 3 entries
- PID 4316 wrote to memory of 336 (process: 4316 systray.exe, procid_target: 88), 3 entries
Processes
- C:\Windows\Explorer.EXE (PID 2564)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 5028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\systray.exe (PID 4316)
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 336)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- C:\Windows\system32\rundll32.exe (PID 3484)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
- C:\Windows\System32\svchost.exe (PID 4500)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken