Analysis
  max time kernel: 148s
  max time network: 138s
  platform: windows10-2004_x64
  resource: win10v2004-20230915-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/10/2023, 14:55
  Static task: static1
  Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20230831-en
General
  Target: tmp.exe
  Size: 626KB
  MD5: b1635f0a98ef8519984bb3f9ef1979f8
  SHA1: ef247f07d841bc68214c37597cc4557ce8b09ca2
  SHA256: be8032937b016362c56bd7da1fce8a127af3f1a13839b11a96480a53f0d548f6
  SHA512: e8127ee5acd14d85048ffadd764e81b3761db25f77778e2013bce358f499d896770fc82b37f8e3d280018c91c06cd3300c35fbd473ff3c7d1c8c9b746fb24e92
  SSDEEP: 12288:JVj3hLQvfdxOo7gpXtrrF725O3CyIKvykzST2YXMq2bI3cjhyZSbR565SRE5uPPC:ZMCjIKzzwXzTayMbq5X5APE1
Malware Config
  Extracted: formbook 4.1, ro12
Signatures

Formbook payload (4 IoCs)
  resource -> yara_rule
  behavioral2/memory/4384-12-0x0000000000400000-0x000000000042F000-memory.dmp -> formbook
  behavioral2/memory/4384-17-0x0000000000400000-0x000000000042F000-memory.dmp -> formbook
  behavioral2/memory/3360-22-0x00000000010D0000-0x00000000010FF000-memory.dmp -> formbook
  behavioral2/memory/3360-25-0x00000000010D0000-0x00000000010FF000-memory.dmp -> formbook

Suspicious use of SetThreadContext (3 IoCs)
  PID 1972 set thread context of 4384 (pid 1972, tmp.exe, procid_target 97)
  PID 4384 set thread context of 3184 (pid 4384, tmp.exe, procid_target 43)
  PID 3360 set thread context of 3184 (pid 3360, ipconfig.exe, procid_target 43)

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid 3360, ipconfig.exe

Suspicious behavior: EnumeratesProcesses (44 IoCs; duplicate rows collapsed)
  pid 1972, tmp.exe
  pid 4384, tmp.exe
  pid 3360, ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3184, Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs; duplicate rows collapsed)
  pid 4384, tmp.exe
  pid 3360, ipconfig.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege (pid 1972, tmp.exe)
  Token: SeDebugPrivilege (pid 4384, tmp.exe)
  Token: SeDebugPrivilege (pid 3360, ipconfig.exe)

Suspicious use of UnmapMainImage (1 IoC)
  pid 3184, Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1972 wrote to memory of 4384 (pid 1972, tmp.exe, procid_target 97), 6 times
  PID 3184 wrote to memory of 3360 (pid 3184, Explorer.EXE, procid_target 98), 3 times
  PID 3360 wrote to memory of 4316 (pid 3360, ipconfig.exe, procid_target 99), 3 times
Processes

- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1972)
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4384)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\Explorer.EXE (PID 3184)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ipconfig.exe (PID 3360)
    command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4316)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"