Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
- submitted: 23/10/2023, 17:15

Static task: static1
Behavioral task: behavioral1
Sample: NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe
Resource: win7-20231020-en
General
- Target: NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe
- Size: 456KB
- MD5: 6ebb994d00938e37d43b4cb66fd5356d
- SHA1: 48a7117f5ed601381d744f949b66529e52251343
- SHA256: 69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2
- SHA512: d9de4847d0cc0d9073bd8b4f6062014c37d9394baf8aeb912af5ad3078401e1a8ad25abfe943100f4c41cb64561d3e5bd2f8835cd881f0658ff9ebc8b2681266
- SSDEEP: 12288:KfLRrNGaW112bN1wW5I1UrqNnEKiIYZ6U0RsRJVlBMlh:KfL5NGa01WN5gEf6Wpoh
Malware Config
Extracted
formbook
4.1
ge06
Signatures
-
Formbook payload (4 IoCs)
resource | yara_rule
behavioral2/memory/3556-7-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/3556-11-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/3064-18-0x0000000000BA0000-0x0000000000BCF000-memory.dmp | formbook
behavioral2/memory/3064-20-0x0000000000BA0000-0x0000000000BCF000-memory.dmp | formbook
Executes dropped EXE (2 IoCs)
pid | Process
2088 | heooiabir.exe
3556 | heooiabir.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2088 set thread context of 3556 | 2088 | heooiabir.exe | 90
PID 3556 set thread context of 3264 | 3556 | heooiabir.exe | 59
PID 3064 set thread context of 3264 | 3064 | cmmon32.exe | 59
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (58 IoCs)
pid | Process
3556 | heooiabir.exe (4 identical entries)
3064 | cmmon32.exe (54 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3264 | Explorer.EXE
Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process
2088 | heooiabir.exe
3556 | heooiabir.exe (3 identical entries)
3064 | cmmon32.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3556 | heooiabir.exe
Token: SeDebugPrivilege | 3064 | cmmon32.exe
Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 4284 wrote to memory of 2088 | 4284 | NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe | 89 (3 identical entries)
PID 2088 wrote to memory of 3556 | 2088 | heooiabir.exe | 90 (4 identical entries)
PID 3264 wrote to memory of 3064 | 3264 | Explorer.EXE | 91 (3 identical entries)
PID 3064 wrote to memory of 3416 | 3064 | cmmon32.exe | 92 (3 identical entries)
Processes

[1] C:\Windows\Explorer.EXE (PID 3264)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe (PID 4284)
        command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\heooiabir.exe (PID 2088)
            command line: "C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\heooiabir.exe (PID 3556)
                command line: "C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\cmmon32.exe (PID 3064)
        command line: "C:\Windows\SysWOW64\cmmon32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (PID 3416)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 205KB
  MD5: f8dfd353d09136096e0996463892f727
  SHA1: 33ded541f75bc169cd2410cb5105b1fd9b372eb6
  SHA256: 9fffdcedea07e45d8f46ece1949d1ab372c89ee427a6015bb99bd40fa2c9e09b
  SHA512: e0d7db124617b31f350411fd9b4d683b7aa0adbb839696b77a7fc4e0dfcbe72ba4ae58727f490733583adde19120ce700066d15b687ef082e83d1716fd696004
- Filesize: 361KB
  MD5: a7282a909f46de953ab33416ab47ae18
  SHA1: 53c5e1d282046364186554b2a93f1eb0c13ae909
  SHA256: 603f1db91199b78cf2623f62ebaaa2ea2250a37a09b769ff82d1eade19b6b25b
  SHA512: 1e77062609fe86c88d932f649dfc32d58064add893318bb3e27d303a3db7d752704252c74255a4628fe558fb2c15f8c137693455886ae6e722a07d3d133a7b1b