Analysis

max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 23/10/2023, 17:44

Static task: static1
Behavioral task: behavioral1
Sample: NEAS.a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8exe_JC.exe
Resource: win7-20231020-en

General

Target: NEAS.a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8exe_JC.exe
Size: 591KB
MD5: 03ba07ae9665412a170bbe06dd55d724
SHA1: 060461b26a84d0db8609404c5f1c7977b3b5a7d0
SHA256: a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8
SHA512: d7db15a5457c9ebe8e2cf39689e7c89de70c5870e2bc26aab6258b258f09d8ae06991cad12c07dcbd39f130e22cc5645ac7d4ec3e96ac75f39187f2438a99511
SSDEEP: 12288:L8zS55mFzy6+NeUKIDG96nhL2Gq89z/s9lVgkVsWjb/5lojH:Lf55qCNeQa0u89TKlVgcjb8jH
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: hinf
C2 domains: (extracted domain list omitted)
Signatures

Formbook payload (1 IoC)
resource: behavioral1/memory/2768-12-0x0000000000400000-0x000000000042F000-memory.dmp
yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
description: PID 1212 set thread context of 2768
pid: 1212
Process: NEAS.a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8exe_JC.exe
procid_target: 30

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid: 2768
Process: NEAS.a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8exe_JC.exe

Suspicious use of WriteProcessMemory (7 IoCs, 7 identical entries)
description: PID 1212 wrote to memory of 2768
pid: 1212
Process: NEAS.a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8exe_JC.exe
procid_target: 30

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8exe_JC.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8exe_JC.exe"
PID: 1212
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\NEAS.a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8exe_JC.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8exe_JC.exe"
    PID: 2768
    - Suspicious behavior: EnumeratesProcesses