Analysis
max time kernel: 143s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2023 08:56
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230831-en
General
Target: tmp.exe
Size: 710KB
MD5: 493562fc3240d634f797be4a433d72c7
SHA1: 92569595aa0a20d9937bd03525a756dd35059d3b
SHA256: 6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b
SHA512: 70eb16d06d38d80cc4513962f6fbdeda54e6ec2bc30caa9fb112d3cd355b12c088426c823d3d4a3e315209b3fc908c0339e9cdc8de99462e87eba311f4801a75
SSDEEP: 12288:406gna2iNP1UIkvEbtOgVt3KB6bxxXRZEG/p8fD5mcjtqlg6utz5l96OXaq:XTa1F14ot1aIxxAop+mc0g6MNa
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ro12
Signatures

Formbook payload (4 IoCs)
resource                                                                      yara_rule
behavioral2/memory/5084-12-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral2/memory/5084-17-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral2/memory/2044-23-0x0000000000D00000-0x0000000000D2F000-memory.dmp   formbook
behavioral2/memory/2044-25-0x0000000000D00000-0x0000000000D2F000-memory.dmp   formbook

Blocklisted process makes network request (1 IoC)
flow   pid    Process
382    2044   rundll32.exe

Suspicious use of SetThreadContext (3 IoCs)
description                              pid    Process        procid_target
PID 1708 set thread context of 5084      1708   tmp.exe        97
PID 5084 set thread context of 536       5084   tmp.exe        41
PID 2044 set thread context of 536       2044   rundll32.exe   41

Modifies registry class (3 IoCs)
description   ioc                                                                                                             Process
Key created   \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\   Explorer.EXE
Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\                                     Explorer.EXE
Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                     Explorer.EXE

Suspicious behavior: EnumeratesProcesses (41 IoCs; identical rows collapsed)
pid    Process
1708   tmp.exe (repeated)
5084   tmp.exe (repeated)
2044   rundll32.exe (repeated)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
536    Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid    Process
5084   tmp.exe
5084   tmp.exe
5084   tmp.exe
2044   rundll32.exe
2044   rundll32.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description                       pid    Process
Token: SeDebugPrivilege           1708   tmp.exe
Token: SeDebugPrivilege           5084   tmp.exe
Token: SeDebugPrivilege           2044   rundll32.exe
Token: SeShutdownPrivilege        536    Explorer.EXE
Token: SeCreatePagefilePrivilege  536    Explorer.EXE
Token: SeShutdownPrivilege        536    Explorer.EXE
Token: SeCreatePagefilePrivilege  536    Explorer.EXE
Token: SeManageVolumePrivilege    928    svchost.exe
Token: SeShutdownPrivilege        536    Explorer.EXE
Token: SeCreatePagefilePrivilege  536    Explorer.EXE
Token: SeShutdownPrivilege        536    Explorer.EXE
Token: SeCreatePagefilePrivilege  536    Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid    Process
536    Explorer.EXE
536    Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs; identical rows collapsed)
description                          pid    Process        procid_target   count
PID 1708 wrote to memory of 5084     1708   tmp.exe        97              6
PID 536 wrote to memory of 2044      536    Explorer.EXE   98              3
PID 2044 wrote to memory of 3028     2044   rundll32.exe   99              3
Processes

C:\Windows\Explorer.EXE (PID 536)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1708)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 5084)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\rundll32.exe (PID 2044)
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3028)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\system32\rundll32.exe (PID 2252)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe (PID 928)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 16KB
MD5: f3a8dc2c817d8c561d16eeb581c0aaea
SHA1: 494e97e17737ee6ad6eccc6f298113ecbeab0fc0
SHA256: 2e7f851549c26aa6e0dd7b65c2bb9d910b56fe473296855b1eca26e312b51183
SHA512: 29d4c1cf189a753db4af2eba9dbbd6938fc6a8f77d02e4f24f8f945e616d2bbf8c4f09a8b46b8b5dad6cdc1d2c1eeaf4b66e04c865b2cc3a06e9f545fb47a2c6