Analysis
max time kernel: 141s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2023, 16:43

Static task: static1
Behavioral task: behavioral1
Sample: NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe
Resource: win7-20231023-en

General
Target: NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe
Size: 590KB
MD5: e085287e182e1fe1afc6136e08639b49
SHA1: 5eb95ee31e92596ab20100ad13358c5e214c20cf
SHA256: 2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2a
SHA512: 0a22ce57d336d07ece3121144c9aa67a5db67164782cf53e60ecd3689e8ba6af6f0d4ed49dbf9b7afdabee4cd24c61d105083104740b02f7beb8ee1927674414
SSDEEP: 12288:u8zS55mFzhcNurziYbsFTzKyGvmKE8GJnff5VBJSCQ:uf55qF6urz9IFPOuZ5nsJ
Malware Config
Extracted
formbook
4.1
cy12
Signatures

Formbook payload (1 IoC)
  resource: behavioral2/memory/1776-12-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
  description: PID 5028 set thread context of 1776
  pid: 5028, process: NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe, procid_target: 92

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 5028, process: NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe
  pid: 5028, process: NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe
  pid: 1776, process: NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe
  pid: 1776, process: NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 5028, process: NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 5028 wrote to memory of 1776
  pid: 5028, process: NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe, procid_target: 92
  (the same entry is recorded six times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe (PID 5028)
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe (PID 1776)
      command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2f717becc408420e2dfdcac5643bcf420ce2a8e3e28320c23b3db7a489235f2aexe_JC.exe"
      - Suspicious behavior: EnumeratesProcesses