Analysis
  max time kernel:  79s
  max time network: 133s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231023-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        23/10/2023, 18:15

Static task: static1

Behavioral task: behavioral1
  Sample:   NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe
  Resource: win7-20231023-en
General
  Target: NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe
  Size:   593KB
  MD5:    7a93bc269b2ebe1348969bcef1267af2
  SHA1:   7b54993eb8d2d9c7a1fa67d08152fc29f7f42cfb
  SHA256: cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196
  SHA512: a6cdeb0dc3ded21eda3c123b41812cf7f4caa3a9a5cca87c5080ab6dcc32dd771a050792b744ce4130579130a5fa24e475ed7bad8d41400f55e4f4aba0e5f4c1
  SSDEEP: 12288:w6NL1vjJGGna1sJ3h6ioYT9KryxykutduJiYOX/F81:hNL1LJ1na1sR6ioYT9KrSyaJZh1
Malware Config
Extracted
  Family:   formbook
  Version:  4.1
  Campaign: a9h3
  Domains:
yimbyco.com
goformyplanet.com
cylegeorgedesigns.com
scarmall.net
v4xs654y.asia
die-instandhalter.com
julietheimpatientartist.com
novoxvape.com
faireco.life
theoldcup.com
creehackapk.xyz
meineexperimentierseite.net
gdriyue.icu
sanmasan.com
zoomtrakfauci.com
youssion.com
ovrconfidence.com
kaapikadai.net
lhgs5.com
srgpatience.click
kalonlabcorp.com
iteasyrico.online
combsheatingandcoolingoh.com
conservation.top
ragazziragazzi.com
callbox.xyz
willowshc.com
bevandeacasa.com
mbsjapans.com
anthonyy.net
termloancapital.net
theirloorlando.com
hoats.net
oniioncraft.com
shabbirkhan.online
sellfashionshop.com
nourishingmama.host
satria4d2d.com
makarydaily65.store
drumclassesforhomeschoolers.com
observeincshop.com
itrecruiter.fun
qta81.xyz
lyzlbc.com
tusmusicandarts.com
megamallau.com
olaifayoruba.com
webtrustcu.com
entrlude.com
qw1txf.top
w8mzeg3shd.top
plww.net
washingtonmb.com
nordheide-jobs.com
zakahomescents.com
scwanzhong.fun
cazhece.com
interactivebrokerz.com
spacecon.info
politance.net
kasihpetir106.click
topdelapandelapan.com
coloringcapital.com
westcoaststyle.shop
servicehxm.com
Signatures

Formbook payload (1 IoC)
  resource                                                                      | yara_rule
  behavioral2/memory/3812-12-0x0000000000400000-0x000000000042F000-memory.dmp  | formbook

Suspicious use of SetThreadContext (1 IoC)
  description                              | pid  | Process                                                                          | procid_target
  PID 3260 set thread context of 3812      | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe | 85

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  | Process
  3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe
  3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe
  3812 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe
  3812 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                          | pid  | Process                                                                          | procid_target
  PID 3260 wrote to memory of 4296     | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe | 84
  PID 3260 wrote to memory of 4296     | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe | 84
  PID 3260 wrote to memory of 4296     | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe | 84
  PID 3260 wrote to memory of 3812     | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe | 85
  PID 3260 wrote to memory of 3812     | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe | 85
  PID 3260 wrote to memory of 3812     | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe | 85
  PID 3260 wrote to memory of 3812     | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe | 85
  PID 3260 wrote to memory of 3812     | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe | 85
  PID 3260 wrote to memory of 3812     | 3260 | NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe"
  PID: 3260
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe"
    PID: 4296

  C:\Users\Admin\AppData\Local\Temp\NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.cab1239af46720e7dea7b06c3c9c6e3fc7928445e84db2636fb5427ae1ef4196exe_JC.exe"
    PID: 3812
    - Suspicious behavior: EnumeratesProcesses