Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 09:31
Static task: static1
Behavioral task: behavioral1
Sample: tmpp0z2ll9l.exe
Resource: win7-20230831-en
General
Target: tmpp0z2ll9l.exe
Size: 592KB
MD5: 00b27694025e82652c1976c6745a2de1
SHA1: 4540fad255e77cb3e58c8df7d2d9b8c746e41248
SHA256: 15426243aa8d60c8592a759e72f42ee2b1d9f2cbf96018c565ce70fd6778ca33
SHA512: 561ed6bdbbbdee54e9a9c5a70e370c425084f129b493c92f566921d1a17856ba3e96c8bdc27d863be09efa8fd93dd82b047ef212da5619335c6b344152796cda
SSDEEP: 12288:fO7s9Cxh5ukOsWyb/FdmwEf8aAaTbg6XFoC5GjtXy+y+6TnGpODSBnuq:W7s9yZ9WyTEb5vNXirjhT6TGpOQn
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: btrd
C2 domains: 65 extracted
Signatures
Formbook payload (4 IoCs)
  yara_rule formbook matched in resource behavioral2/memory/744-12-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule formbook matched in resource behavioral2/memory/744-17-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule formbook matched in resource behavioral2/memory/1348-22-0x00000000006C0000-0x00000000006EF000-memory.dmp
  yara_rule formbook matched in resource behavioral2/memory/1348-24-0x00000000006C0000-0x00000000006EF000-memory.dmp
Suspicious use of SetThreadContext (3 IoCs)
  PID 2516 set thread context of 744 (process tmpp0z2ll9l.exe, procid_target 99)
  PID 744 set thread context of 1084 (process tmpp0z2ll9l.exe, procid_target 49)
  PID 1348 set thread context of 1084 (process cscript.exe, procid_target 49)
Suspicious behavior: EnumeratesProcesses (46 IoCs)
  PID 744 tmpp0z2ll9l.exe (4 entries)
  PID 1348 cscript.exe (42 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1084 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 744 tmpp0z2ll9l.exe (3 entries)
  PID 1348 cscript.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 744 tmpp0z2ll9l.exe
  Token: SeDebugPrivilege, PID 1348 cscript.exe
Suspicious use of UnmapMainImage (1 IoC)
  PID 1084 Explorer.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2516 wrote to memory of 744 (process tmpp0z2ll9l.exe, procid_target 99), 6 entries
  PID 1084 wrote to memory of 1348 (process Explorer.EXE, procid_target 100), 3 entries
  PID 1348 wrote to memory of 1096 (process cscript.exe, procid_target 101), 3 entries
Processes
C:\Windows\Explorer.EXE (PID 1084)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tmpp0z2ll9l.exe (PID 2516)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpp0z2ll9l.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tmpp0z2ll9l.exe (PID 744)
      command line: "C:\Users\Admin\AppData\Local\Temp\tmpp0z2ll9l.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe (PID 1348)
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1096)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmpp0z2ll9l.exe"