Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
23/10/2023, 16:17
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe
Resource
win7-20231020-en
General
-
Target
NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe
-
Size
635KB
-
MD5
329d62d6721d26d80cbad1ea1bc0fabb
-
SHA1
8f5b7cd1fb8190b04c5075082d7d86628f93c664
-
SHA256
0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898b
-
SHA512
24a2334c55a1049f1a194e7fb6810d0037a97962d88c5544dd1f1073e01514131b9839aaf68d32900a2704709823ec8bf4b770327c1f229920a560dca5475167
-
SSDEEP
12288:cZ7s9IwQ2FBf6J0lJda/LGvgZ8l7gXipJ6l+8OAMtcjd:cZ7s9IlkfmXZ8KSzwTOAgcjd
Malware Config
Extracted
formbook
4.1
ey16
slimshotonline.com
rifaboa.com
metallzauber.com
jabandfuel.com
reacthat.com
qcgaeu.top
ssongg446.cfd
29kuan7.cfd
101agh.com
reliablii.com
luginfinity.com
e513.cloud
k4lantar.sbs
etoempire.com
phons.info
vovacom.com
birbakalim.fun
wellhousesctx.com
flthg.link
strasburgangus.com
warehouse-jobs-19432.bond
tisduallywheels.com
gbcontabilidade.com
nsyoiq.top
erlacx.xyz
graphic-design-degrees-us.xyz
therealopulent.com
genw.support
fmfo.asia
rrbookreviews.com
cirbs.com
afu-bf.net
northwesttheatreballet.com
koru.clinic
railway-tandoori.com
dumpsterrentalreading.com
73a73.com
ysudveg.buzz
y0rvragmr5.com
dataroomfiscale.com
jbfinishing.com
dcm393.com
nebulousharmony.bet
solaldesign.com
ssongg4323.cfd
rentingstudio.com
affiliatemarketingjoy.com
cvilleflowerfarm.com
huhubet505.com
bigpeople.top
casaalmafurniture.com
yccop.cfd
moviescoutt.com
wholemind.store
hvvwff.net
xn--srsz50dqxa5xb3rn52a.com
aunoption.com
zgtiku.com
jnbks.link
alqalamacademy.net
fly-destiny.com
servprowestpalm.com
itdev.life
paover.com
trsmine.com
Signatures
-
Formbook payload 5 IoCs
resource yara_rule behavioral1/memory/2552-21-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2552-30-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2552-35-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/564-41-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/564-44-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 1168 set thread context of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 2552 set thread context of 1232 2552 RegSvcs.exe 13 PID 2552 set thread context of 1232 2552 RegSvcs.exe 13 PID 564 set thread context of 1232 564 raserver.exe 13 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2736 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2552 RegSvcs.exe 2552 RegSvcs.exe 2840 powershell.exe 2552 RegSvcs.exe 564 raserver.exe 564 raserver.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1232 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 2552 RegSvcs.exe 2552 RegSvcs.exe 2552 RegSvcs.exe 2552 RegSvcs.exe 564 raserver.exe 564 raserver.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2552 RegSvcs.exe Token: SeDebugPrivilege 2840 powershell.exe Token: SeDebugPrivilege 564 raserver.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 1168 wrote to memory of 2840 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 30 PID 1168 wrote to memory of 2840 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 30 PID 1168 wrote to memory of 2840 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 30 PID 1168 wrote to memory of 2840 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 30 PID 1168 wrote to memory of 2736 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 32 PID 1168 wrote to memory of 2736 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 32 PID 1168 wrote to memory of 2736 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 32 PID 1168 wrote to memory of 2736 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 32 PID 1168 wrote to memory of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 1168 wrote to memory of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 1168 wrote to memory of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 1168 wrote to memory of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 1168 wrote to memory of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 1168 wrote to memory of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 1168 wrote to memory of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 1168 wrote to memory of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 1168 wrote to memory of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 1168 wrote to memory of 2552 1168 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 34 PID 1232 wrote to memory of 564 1232 Explorer.EXE 35 PID 1232 wrote to memory of 564 1232 Explorer.EXE 35 PID 1232 wrote to memory of 564 1232 Explorer.EXE 35 PID 1232 wrote to memory of 564 1232 Explorer.EXE 35 PID 564 wrote to memory of 2628 564 raserver.exe 36 PID 564 wrote to memory of 2628 564 raserver.exe 36 PID 564 wrote to memory of 2628 564 raserver.exe 36 PID 564 wrote to memory of 2628 564 raserver.exe 36
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HQgFNd.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HQgFNd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF151.tmp"3⤵
- Creates scheduled task(s)
PID:2736
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:2628
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD534228ce51b7ab202e733dc15a22b57d3
SHA1fb8eb8b9fe01d5219e9d7f2f357de8ab54449663
SHA256c95b5606d9573d67ed9f7aace0ba7f65f3528b9240a9ef9e8842e9c10fa28911
SHA512980ddef85691d6c1011e28c461f04d8f041958927f65f8ad216cc4161eedb546a2ac81d84e964a1995da257b356c867189bc5ee726bee47d17e773384851c171