Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
23/10/2023, 16:47
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe
Resource
win7-20231020-en
General
-
Target
NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe
-
Size
426KB
-
MD5
df247bbfaf91dbe0da4d79a04cfb5ca3
-
SHA1
0d29cbfa4b746e71c680bbd56a6c51964fd9b1fa
-
SHA256
354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579
-
SHA512
ea413b9f389b9bb2bd8eaca5c3917a656840df5d48c5fb5478d9b453412fe941229cae535df587a66996acb9b96a4c692491ebe65a106d35eb0b757d6412286b
-
SSDEEP
6144:zfL+oqgoT3oPrD68F2PD44p8Ls1k7n82iKGI3TmBp6CbspK7M2jtsftCq9CPbz:zfLCT21oy82PGIC/Bb8K7MNCB/
Malware Config
Extracted
formbook
4.1
sy22
vinteligencia.com
displayfridges.fun
completetip.com
giallozafferrano.com
jizihao1.com
mysticheightstrail.com
fourseasonslb.com
kjnala.shop
mosiacwall.com
vandistreet.com
gracefullytouchedartistry.com
hbiwhwr.shop
mfmz.net
hrmbrillianz.com
funwarsztat.com
polewithcandy.com
ourrajasthan.com
wilhouettteamerica.com
johnnystintshop.com
asgnelwin.com
alcmcyu.com
thwmlohr.click
gypseascuba.com
mysonisgaythemovie.com
sunriseautostorellc.com
fuhouse.link
motorcycleglassesshop.com
vaskaworldairways.com
qixservice.online
b2b-scaling.com
03ss.vip
trishpintar.com
gk84.com
omclaval.com
emeeycarwash.com
wb7mnp.com
kimgj.com
278809.com
summitstracecolumbus.com
dryadai.com
vistcreative.com
weoliveorder.com
kwamitikki.com
cjk66.online
travisline.pro
mercardosupltda.shop
sunspotplumbing.com
podplugca.com
leontellez.com
fzturf.com
docomo-mobileconsulting.com
apneabirmingham.info
rollesgraciejiujitsu.com
sx15k.com
kebobcapital.com
91967.net
claudiaduverglas.com
zhperviepixie.com
oliwas.xyz
flowersinspace.tech
uadmxqby.click
greatbaitusa.com
drpenawaraircondhargarahmah.com
sofbks.top
sarthaksrishticreation.com
Signatures
-
Formbook payload 4 IoCs
resource yara_rule behavioral1/memory/2636-10-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2636-14-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2736-22-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook behavioral1/memory/2736-24-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
pid Process 2044 ohtfjmxqk.exe 2636 ohtfjmxqk.exe -
Loads dropped DLL 2 IoCs
pid Process 2956 NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe 2044 ohtfjmxqk.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2044 set thread context of 2636 2044 ohtfjmxqk.exe 29 PID 2636 set thread context of 1364 2636 ohtfjmxqk.exe 15 PID 2736 set thread context of 1364 2736 chkdsk.exe 15 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 2636 ohtfjmxqk.exe 2636 ohtfjmxqk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe 2736 chkdsk.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1364 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 2044 ohtfjmxqk.exe 2636 ohtfjmxqk.exe 2636 ohtfjmxqk.exe 2636 ohtfjmxqk.exe 2736 chkdsk.exe 2736 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2636 ohtfjmxqk.exe Token: SeDebugPrivilege 2736 chkdsk.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2956 wrote to memory of 2044 2956 NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe 28 PID 2956 wrote to memory of 2044 2956 NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe 28 PID 2956 wrote to memory of 2044 2956 NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe 28 PID 2956 wrote to memory of 2044 2956 NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe 28 PID 2044 wrote to memory of 2636 2044 ohtfjmxqk.exe 29 PID 2044 wrote to memory of 2636 2044 ohtfjmxqk.exe 29 PID 2044 wrote to memory of 2636 2044 ohtfjmxqk.exe 29 PID 2044 wrote to memory of 2636 2044 ohtfjmxqk.exe 29 PID 2044 wrote to memory of 2636 2044 ohtfjmxqk.exe 29 PID 1364 wrote to memory of 2736 1364 Explorer.EXE 30 PID 1364 wrote to memory of 2736 1364 Explorer.EXE 30 PID 1364 wrote to memory of 2736 1364 Explorer.EXE 30 PID 1364 wrote to memory of 2736 1364 Explorer.EXE 30 PID 2736 wrote to memory of 2700 2736 chkdsk.exe 31 PID 2736 wrote to memory of 2700 2736 chkdsk.exe 31 PID 2736 wrote to memory of 2700 2736 chkdsk.exe 31 PID 2736 wrote to memory of 2700 2736 chkdsk.exe 31
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
-
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"3⤵PID:2700
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
205KB
MD560d116c175aabe2c06bdd949a101127c
SHA163bb316383b4706d43f7882ee545031c4cac2505
SHA256ee52d5afe32c612681d16c9bfee4cdb923ee5e54b84196b7b5ecc0aa4ad1df76
SHA512d90f9148243101db90de1945854a9dd1e6aa6fd59ff0ccb1ff0053f7f91b8b40176a7d5401e63a5600474bfc8749733ff55cc76fa2094a697eb14726241a2fe9
-
Filesize
361KB
MD59e519a78d2ee0e4fa641187866bc9703
SHA1549dc42c936b4bc2612c20c668f94b37bb5163cc
SHA256c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26
SHA512a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c
-
Filesize
361KB
MD59e519a78d2ee0e4fa641187866bc9703
SHA1549dc42c936b4bc2612c20c668f94b37bb5163cc
SHA256c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26
SHA512a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c
-
Filesize
361KB
MD59e519a78d2ee0e4fa641187866bc9703
SHA1549dc42c936b4bc2612c20c668f94b37bb5163cc
SHA256c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26
SHA512a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c
-
Filesize
361KB
MD59e519a78d2ee0e4fa641187866bc9703
SHA1549dc42c936b4bc2612c20c668f94b37bb5163cc
SHA256c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26
SHA512a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c
-
Filesize
361KB
MD59e519a78d2ee0e4fa641187866bc9703
SHA1549dc42c936b4bc2612c20c668f94b37bb5163cc
SHA256c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26
SHA512a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c