Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2023, 13:32
Static task: static1
Behavioral task: behavioral1
  Sample: PO8687.exe
  Resource: win7-20231020-en
General

Target: PO8687.exe
Size: 761KB
MD5: 9daa7adc7435c5e080c99f2239017e27
SHA1: 70b63b6a205b277367be62cfbfc9e528c5b1903a
SHA256: 1d18b8139377bf5246b24fd11e4386312cc4ab3e652ab9df534068ac96755394
SHA512: 78e36c18660004fdaf3b8b07fa0b47ece8323b170c2fdd66e75efe88e4dfa46c7dc06fbcf9f08eccdf455e5fe7aeb083fc8191b2511588ee851811999a3fefd7
SSDEEP: 12288:hhNh6sxTA6qNhtnaRi+glMjYTabQ0IFpRxwkn+RuB3SJ:hDDxs6g7aRi+/YTabQ0ktwk+cB
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: ro12
C2 (domains):
start399.com
decyfincoin.com
binguozhijiaok.com
one45.vip
55dy5s.top
regmt.pro
2ahxgaafifl.com
xn--6rtp2flvfc2h.com
justinmburns.com
los3.online
fleshaaikensdivinegiven7llc.com
servicedelv.services
apexcaryhomesforsale.com
shuraop.xyz
sagetotal.com
gratitude-et-compagnie.com
riderarea.com
digitalserviceact.online
contentbyc.com
agenda-digital-planner.com
senior-living-91799.bond
navigationexperiments.com
tiktok-shop-he.com
qualityquickprints.com
ddbetting.com
navigatenuggets.com
indiannaturals.online
xzgx360.com
xlrj.asia
seagaming.net
saltcasing.info
pq-es.com
doubleapus.com
speedgallery.shop
millions-fans.com
ktrandnews.com
niaeoer.com
60plusmen.com
nala.dev
costanotaryservice.com
palokallio.net
sportsynergyemporium.fun
fathomtackle.com
computer-chronicles.com
valeriaestate.com
holzleisten24.shop
ps212naming.com
blessed-autos.com
rptiki.com
bjykswkj.com
vorbergh.info
ssongg273.cfd
thevitaminstore.store
easyeats307.com
mcied.link
ssongg1620.cfd
y-12federalcreditunion.top
jlh777.com
no5th3267.top
toolifyonline.com
hcsjwdy.com
ypwvj8.top
hja357b.com
bajie6.com
pwpholdings.com
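The extracted list above is how Formbook ships its C2 configuration: one live server embedded among decoy domains, and the bot sends traffic to decoys as well, so a DNS hit on any entry is worth triaging but does not by itself identify the live server. The following is an added example (not part of the sandbox report) that matches a constructed DNS client log against a subset of the domains above; the log format, the client IPs and the subset are assumptions for the example, and the full list can be pasted into FORMBOOK_DOMAINS. Matching is label-aligned and case/trailing-dot insensitive, so `www.Start399.com.` matches `start399.com` but `notstart399.com` does not; the punycode entry is also shown in its Unicode form where Python can decode it.

```python
"""Match DNS query logs against the Formbook C2/decoy domain list from the report (added example)."""
from __future__ import annotations
import re

# Subset of the domains listed in the "Malware Config" section; extend with the full list.
FORMBOOK_DOMAINS = [
    "start399.com",
    "decyfincoin.com",
    "xn--6rtp2flvfc2h.com",
    "y-12federalcreditunion.top",
    "senior-living-91799.bond",
    "pwpholdings.com",
]

# Constructed sample DNS client log (not from the report):
# "<timestamp> <client ip> query <type> <qname>"
SAMPLE_DNS_LOG = """\
2023-10-23T13:40:01Z 10.0.0.15 query A www.Start399.com.
2023-10-23T13:40:02Z 10.0.0.15 query A notstart399.com
2023-10-23T13:40:03Z 10.0.0.15 query A start399.com.cdn.example.net
2023-10-23T13:40:04Z 10.0.0.15 query AAAA y-12federalcreditunion.top
2023-10-23T13:40:05Z 10.0.0.22 query A xn--6rtp2flvfc2h.com
2023-10-23T13:40:06Z 10.0.0.22 query A update.microsoft.com
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'www.Start399.com.' equals 'www.start399.com'."""
    return name.strip().rstrip(".").lower()


def to_unicode(name: str) -> str:
    """Best-effort display form of a punycode name; falls back to ASCII if a label does not decode."""
    try:
        return name.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return name


def matching_ioc(qname: str, domains: set[str]) -> str | None:
    """Return the IoC domain that qname equals or is a subdomain of, else None.

    The check walks label boundaries, so 'notstart399.com' never matches 'start399.com'
    and 'start399.com.cdn.example.net' (IoC as a prefix, not a suffix) is ignored too."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(log_text: str, domains: list[str]) -> list[dict]:
    """Return one record per log line whose queried name hits the IoC list."""
    ioc_set = {normalize(d) for d in domains}
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ioc = matching_ioc(m["qname"], ioc_set)
        if ioc:
            hits.append({
                "line": lineno,
                "client": m["client"],
                "qname": normalize(m["qname"]),
                "ioc": ioc,
                "ioc_unicode": to_unicode(ioc),
            })
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG, FORMBOOK_DOMAINS):
        print(h)
```

Running the block against the constructed log reports lines 1, 4 and 5 only; the lookalike on line 2 and the prefix case on line 3 are rejected by the label-aligned walk.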
Signatures

Formbook payload (4 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/380-13-0x0000000000400000-0x000000000042F000-memory.dmp     formbook
  behavioral2/memory/380-18-0x0000000000400000-0x000000000042F000-memory.dmp     formbook
  behavioral2/memory/2404-23-0x00000000008C0000-0x00000000008EF000-memory.dmp    formbook
  behavioral2/memory/2404-25-0x00000000008C0000-0x00000000008EF000-memory.dmp    formbook

Suspicious use of SetThreadContext (3 IoCs)
  description                            pid   Process       procid_target
  PID 4868 set thread context of 380     4868  PO8687.exe    94
  PID 380 set thread context of 3136     380   PO8687.exe    36
  PID 2404 set thread context of 3136    2404  ipconfig.exe  36

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
  pid   Process
  2404  ipconfig.exe

Suspicious behavior: EnumeratesProcesses (50 IoCs)
  pid   Process       hits
  4868  PO8687.exe    8
  380   PO8687.exe    4
  2404  ipconfig.exe  38

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  3136  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process       hits
  380   PO8687.exe    3
  2404  ipconfig.exe  2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4868  PO8687.exe
  Token: SeDebugPrivilege  380   PO8687.exe
  Token: SeDebugPrivilege  2404  ipconfig.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                         pid   Process       procid_target  hits
  PID 4868 wrote to memory of 3432    4868  PO8687.exe    93             3
  PID 4868 wrote to memory of 380     4868  PO8687.exe    94             6
  PID 3136 wrote to memory of 2404    3136  Explorer.EXE  95             3
  PID 2404 wrote to memory of 3176    2404  ipconfig.exe  96             3
Processes

C:\Windows\Explorer.EXE  (PID 3136)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PO8687.exe  (PID 4868)
    command line: "C:\Users\Admin\AppData\Local\Temp\PO8687.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\PO8687.exe  (PID 3432)
      command line: "C:\Users\Admin\AppData\Local\Temp\PO8687.exe"

    C:\Users\Admin\AppData\Local\Temp\PO8687.exe  (PID 380)
      command line: "C:\Users\Admin\AppData\Local\Temp\PO8687.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\ipconfig.exe  (PID 2404)
    command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3176)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO8687.exe"
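Read together, the process tree and the signature tables describe the usual Formbook staging: the dropper (PID 4868) spawns two copies of its own image, writes memory into both and rewrites the thread context of the second (380), which is the self-hollowing step; 380 maps sections and sets thread context inside Explorer.EXE (3136); Explorer then launches a Windows utility with no arguments, ipconfig.exe from SysWOW64 (2404), which carries the Formbook payload in memory (the yara hits at 0x8C0000 in 2404 and at 0x400000 in 380 are both 0x2F000 bytes, the same unpacked image in two processes) and finally runs cmd.exe /c del to remove the original sample. The block below is an added example, not the sandbox's own rules: it encodes that chain as detection logic over constructed process-creation and SetThreadContext telemetry that mirrors the report's PIDs and paths, plus two benign rows (an interactive cmd.exe running `ipconfig /all`) to show what the rules ignore. The event shape and the rule names are assumptions for the example.

```python
"""Flag the Formbook-style injection chain seen in the process tree above (added example).

The telemetry is constructed to mirror the report's process tree and SetThreadContext
table (same PIDs and paths); the rules are illustrative, not the sandbox's own."""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Process-creation events modelled on the report (plus two constructed benign rows).
PROCESSES = [
    Proc(3136, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(4868, 3136, r"C:\Users\Admin\AppData\Local\Temp\PO8687.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\PO8687.exe"'),
    Proc(3432, 4868, r"C:\Users\Admin\AppData\Local\Temp\PO8687.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\PO8687.exe"'),
    Proc(380, 4868, r"C:\Users\Admin\AppData\Local\Temp\PO8687.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\PO8687.exe"'),
    Proc(2404, 3136, r"C:\Windows\SysWOW64\ipconfig.exe", r'"C:\Windows\SysWOW64\ipconfig.exe"'),
    Proc(3176, 2404, r"C:\Windows\SysWOW64\cmd.exe",
         r'/c del "C:\Users\Admin\AppData\Local\Temp\PO8687.exe"'),
    # constructed benign noise: an interactive shell running ipconfig with arguments
    Proc(5100, 3136, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    Proc(5104, 5100, r"C:\Windows\System32\ipconfig.exe", r"ipconfig /all"),
]
# (source pid, target pid) pairs, as in the "Suspicious use of SetThreadContext" table.
SET_THREAD_CONTEXT = [(4868, 380), (380, 3136), (2404, 3136)]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_system_binary(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def has_arguments(p: Proc) -> bool:
    """True unless the command line is just the (optionally quoted) image path."""
    cl = p.cmdline.strip()
    for prefix in (f'"{p.image}"', p.image, basename(p.image)):
        if cl.lower().startswith(prefix.lower()):
            return bool(cl[len(prefix):].strip())
    return True


def detect_chain(procs: list[Proc], stc_pairs: list[tuple[int, int]]) -> list[tuple[str, int, int]]:
    """Return (rule, source pid, target pid) findings for the hollowing/injection chain."""
    by_pid = {p.pid: p for p in procs}
    findings: list[tuple[str, int, int]] = []
    for src, dst in stc_pairs:
        s, d = by_pid.get(src), by_pid.get(dst)
        if not (s and d):
            continue
        # 1. self-hollowing: a process spawns its own image, then rewrites the child's thread context
        if d.ppid == s.pid and s.image.lower() == d.image.lower():
            findings.append(("self_hollowing", src, dst))
        # 2. a non-system image retargets a thread inside explorer.exe
        if basename(d.image) == "explorer.exe" and not is_system_binary(s.image):
            findings.append(("explorer_injection", src, dst))
        # 3. a stock Windows utility has no business setting another process's thread context
        if is_system_binary(s.image):
            findings.append(("system_utility_sets_thread_context", src, dst))
    # 4. explorer launches a system utility with no arguments, which then deletes a file in %TEMP%
    for p in procs:
        parent = by_pid.get(p.ppid)
        if not (parent and basename(parent.image) == "explorer.exe" and is_system_binary(p.image)):
            continue
        if has_arguments(p):
            continue
        for child in procs:
            if child.ppid != p.pid or basename(child.image) != "cmd.exe":
                continue
            m = DEL_RE.search(child.cmdline)
            if m and "\\appdata\\local\\temp\\" in m.group(1).lower():
                findings.append(("hollowed_utility_cleanup", p.pid, child.pid))
    return findings


if __name__ == "__main__":
    for rule, src, dst in detect_chain(PROCESSES, SET_THREAD_CONTEXT):
        print(f"{rule:36} {src} -> {dst}")
```

On the constructed telemetry the four rules fire once each (4868 -> 380, 380 -> 3136, 2404 -> 3136, 2404 -> 3176) and nothing fires for the first child copy (3432), which was written to but never had its thread context replaced, nor for the benign `ipconfig /all` launched from an interactive shell.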