Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2023, 18:16
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe
Resource: win7-20231020-en
General
Target: NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe
Size: 593KB
MD5: 010c9d1a915b7550181014f34ed12a80
SHA1: 687bb9aa1047c3d19e76570e130d5efe76a9a336
SHA256: ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997cc
SHA512: 2f15d87d03e3e2c6d007ae4668c294094eb6e570532eb596fa8d5955d857198c2ee7789ff72eb4928ace201cc6f4e5b183e15d076235948df27647af3732c5ae
SSDEEP: 12288:2OW1vjJGGna1q5IscdEjcdja5VySGJE6awd6jQH171BFM2AYOMgKqhxgyVMwl1:2OW1LJ1na1Or0E4dj4+Ei/BFMlRMgt4M
Malware Config
Extracted
formbook
4.1
5nd2
soulalchemyhub.com
geisa24.online
1c0v9.xyz
marcomarzadori-shop.com
yarn360.net
coding-bootcamps-57448.bond
kjtrhtsd.top
83b52.com
xiaomadou8.com
d4rk23.com
abdg1.com
clientunlimited.com
29981e.shop
scshuixie.fun
erxbet171.com
yiyageshafa.com
salju4d5.com
valentinpfaffenwimmer.com
profitecnicaingenieria.com
dohafintech.net
ziparcher.net
104ppp.vip
oxidize.site
fabulosus.net
jbkey.digital
licihang.net
tube-9.com
tuokesi.com
saletime.site
1xbet-officials8.top
babakex.com
mmdu4u.cfd
leasingservices.net
menglite.com
petgiftball.com
upsidedowntextonline.com
playconnectfour.com
7rwawb.cfd
wiswhempps.com
komoro-honjin.com
memberbonus.xyz
outilla.site
lwnmagazine.com
9570138.com
castler.link
qjw2.com
dyjtcf8.com
used-car-11089.bond
leathervibes.store
dgrblart.info
freshcasino-rezak.top
queensyoungdemocrat.nyc
nbgyd.net
craft2transport.space
chefdirectfoods.com
chat8.top
uniquednm.com
windbornecreations.com
dbplastering.com
kimmikcap.com
yqwenba.com
202398618.com
prostorabota.online
delivous.info
withpdf.net
Signatures

Formbook payload (1 IoC)
resource | yara_rule
behavioral2/memory/3536-12-0x0000000000400000-0x000000000042F000-memory.dmp | formbook

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3096 set thread context of 3536 | 3096 | NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe | 92

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3536 | NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe
3536 | NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3096 wrote to memory of 3536 | 3096 | NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe | 92
PID 3096 wrote to memory of 3536 | 3096 | NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe | 92
PID 3096 wrote to memory of 3536 | 3096 | NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe | 92
PID 3096 wrote to memory of 3536 | 3096 | NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe | 92
PID 3096 wrote to memory of 3536 | 3096 | NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe | 92
PID 3096 wrote to memory of 3536 | 3096 | NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe | 92
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe"
   PID: 3096
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe (child of PID 3096)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ccd3d1ec6d5b5723225b7d0c6488de099b2b22c5b70bc1c521c148160f5997ccexe_JC.exe"
      PID: 3536
      - Suspicious behavior: EnumeratesProcesses