Analysis

max time kernel: 118s
max time network: 130s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2023, 15:11

Static task: static1

Behavioral task: behavioral1
  Sample: 4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: 4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd.exe
  Resource: win10v2004-20230915-en
General

Target: 4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd.exe
Size: 565KB
MD5: ab4f31ff0f628b02f3890e579243d004
SHA1: fd527f7d882680573d4687a7a3a477f10199b083
SHA256: 4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd
SHA512: bad32cf6817e524ad44d5fced0f2102ca9d73235d7f7cda94e42c24c894f222a81bc12cf2cd734c2a55752070ea17ba07a2343bd70e9a676a6862792741532c5
SSDEEP: 12288:LO90wJ1tubbpOoweEyBANwQltbvBLCMTyQTxxMspirVZn7aqXEb4if018icEuA9:nwb0bbgoweEyBAGib1CMGQLMfTn7BXr7
Malware Config

Extracted configuration
  Family: formbook
  Version: 4.1
  Campaign: 4hc5
Signatures

Formbook payload (1 IoC)
  resource: behavioral1/memory/2680-14-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2996 set thread context of 2680
  pid: 2996
  process: 4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd.exe
  procid_target: 30

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 2680
  process: 4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2996 wrote to memory of 2680 (the same entry is reported 7 times)
  pid: 2996
  process: 4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd.exe
  procid_target: 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd.exe"
   PID: 2996
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd.exe (child of PID 2996)
      command line: "C:\Users\Admin\AppData\Local\Temp\4fb330b2b5620e1b30a795ad5d989526d7cefbcb553d4a79227b1220351d25bd.exe"
      PID: 2680
      - Suspicious behavior: EnumeratesProcesses