Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
23/10/2023, 16:17
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe
Resource
win7-20231020-en
General
-
Target
NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe
-
Size
635KB
-
MD5
329d62d6721d26d80cbad1ea1bc0fabb
-
SHA1
8f5b7cd1fb8190b04c5075082d7d86628f93c664
-
SHA256
0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898b
-
SHA512
24a2334c55a1049f1a194e7fb6810d0037a97962d88c5544dd1f1073e01514131b9839aaf68d32900a2704709823ec8bf4b770327c1f229920a560dca5475167
-
SSDEEP
12288:cZ7s9IwQ2FBf6J0lJda/LGvgZ8l7gXipJ6l+8OAMtcjd:cZ7s9IlkfmXZ8KSzwTOAgcjd
Malware Config
Extracted
formbook
4.1
ey16
slimshotonline.com
rifaboa.com
metallzauber.com
jabandfuel.com
reacthat.com
qcgaeu.top
ssongg446.cfd
29kuan7.cfd
101agh.com
reliablii.com
luginfinity.com
e513.cloud
k4lantar.sbs
etoempire.com
phons.info
vovacom.com
birbakalim.fun
wellhousesctx.com
flthg.link
strasburgangus.com
warehouse-jobs-19432.bond
tisduallywheels.com
gbcontabilidade.com
nsyoiq.top
erlacx.xyz
graphic-design-degrees-us.xyz
therealopulent.com
genw.support
fmfo.asia
rrbookreviews.com
cirbs.com
afu-bf.net
northwesttheatreballet.com
koru.clinic
railway-tandoori.com
dumpsterrentalreading.com
73a73.com
ysudveg.buzz
y0rvragmr5.com
dataroomfiscale.com
jbfinishing.com
dcm393.com
nebulousharmony.bet
solaldesign.com
ssongg4323.cfd
rentingstudio.com
affiliatemarketingjoy.com
cvilleflowerfarm.com
huhubet505.com
bigpeople.top
casaalmafurniture.com
yccop.cfd
moviescoutt.com
wholemind.store
hvvwff.net
xn--srsz50dqxa5xb3rn52a.com
aunoption.com
zgtiku.com
jnbks.link
alqalamacademy.net
fly-destiny.com
servprowestpalm.com
itdev.life
paover.com
trsmine.com
Signatures
-
Formbook payload 4 IoCs
resource yara_rule behavioral2/memory/1512-21-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/1512-40-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/3948-67-0x0000000000810000-0x000000000083F000-memory.dmp formbook behavioral2/memory/3948-79-0x0000000000810000-0x000000000083F000-memory.dmp formbook -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 700 set thread context of 1512 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 96 PID 1512 set thread context of 3204 1512 RegSvcs.exe 51 PID 3948 set thread context of 3204 3948 WWAHost.exe 51 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3516 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process 4976 powershell.exe 1512 RegSvcs.exe 1512 RegSvcs.exe 1512 RegSvcs.exe 1512 RegSvcs.exe 4976 powershell.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe 3948 WWAHost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3204 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 1512 RegSvcs.exe 1512 RegSvcs.exe 1512 RegSvcs.exe 3948 WWAHost.exe 3948 WWAHost.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 4976 powershell.exe Token: SeDebugPrivilege 1512 RegSvcs.exe Token: SeDebugPrivilege 3948 WWAHost.exe Token: SeShutdownPrivilege 3204 Explorer.EXE Token: SeCreatePagefilePrivilege 3204 Explorer.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 700 wrote to memory of 4976 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 92 PID 700 wrote to memory of 4976 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 92 PID 700 wrote to memory of 4976 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 92 PID 700 wrote to memory of 3516 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 94 PID 700 wrote to memory of 3516 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 94 PID 700 wrote to memory of 3516 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 94 PID 700 wrote to memory of 1512 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 96 PID 700 wrote to memory of 1512 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 96 PID 700 wrote to memory of 1512 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 96 PID 700 wrote to memory of 1512 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 96 PID 700 wrote to memory of 1512 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 96 PID 700 wrote to memory of 1512 700 NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe 96 PID 3204 wrote to memory of 3948 3204 Explorer.EXE 97 PID 3204 wrote to memory of 3948 3204 Explorer.EXE 97 PID 3204 wrote to memory of 3948 3204 Explorer.EXE 97 PID 3948 wrote to memory of 4760 3948 WWAHost.exe 99 PID 3948 wrote to memory of 4760 3948 WWAHost.exe 99 PID 3948 wrote to memory of 4760 3948 WWAHost.exe 99
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HQgFNd.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HQgFNd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A26.tmp"3⤵
- Creates scheduled task(s)
PID:3516
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
-
C:\Windows\SysWOW64\WWAHost.exe"C:\Windows\SysWOW64\WWAHost.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:4760
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD586765daf23d59204f72d1f7816fd60fa
SHA19cdd046e95614bcc2b825dabb43a0125a526e70c
SHA2561ce03266b8398e4789a1a0adc82c28e1bbf721824afe3d5b14abf0699f8668cf
SHA512c2091074da5e3a585f5b8d1db4dcd649ccde86e660ab5c4878c4df8405afccd62d7ae89a2ccf0611506a1ecef7805d49c7c0cf92c04ce4f97b8b6b4c1a22d433