Analysis
max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 23/10/2023, 19:34
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe
Resource: win7-20231020-en
General
Target: NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe
Size: 576KB
MD5: de957e259418fa386a39e294aeb807a9
SHA1: 6d5ad6ec8fa83e650103cd339c8fc979f0073ead
SHA256: f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273
SHA512: d1cfdc587f763cdd545ee2ac8fc8193ef1833927963ab92ab5f75b1411ed7be10ccd557f718c7a72ce76e7f5c0976948d9140dd927c5de86c7fc3d86084c0275
SSDEEP: 12288:PzY/jnIt0IByAg84676D7w4l6RyncFiQ5FN/rKs8u:PMLnIOIgALCwlRacFZ5T
Malware Config
Extracted: formbook 4.1 cy12
Domains:
routinelywell.com
traderinformation.com
xv1lz.cfd
elfiensclinic.com
dfwtexasmilitaryagent.com
gb3p8a.com
ofcure.com
kslgd.link
apexassisthubs.com
270hg.com
spacovitta.com
mattress-info-hu-kwu.today
jakestarrbroadcast.com
modestswimwearshop.com
game0814.com
gec.tokyo
growwellnesscoaching.com
thefavoreats.com
gaasmantech.net
mloffers.net
sarahklimekrealty.com
fnykl2.com
nuomingjs.com
thewanderingbarfly.com
affiliatebrokers.cloud
yourdesignneed.com
360expantion.com
burumakansatunikki.com
hh870.bio
com-safe.site
ssongg4134.cfd
juntocrecemosalinstante.top
poorexcuses.com
stargear.top
ktobr.live
s5266m.com
paragon-cto.net
luohuigroup.com
srspicture.com
jounce.space
otrnton.top
jhaganjr.com
eshebrown.com
mc-ibit.com
rundlestreetkenttown.net
ssongg3132.cfd
thedivorcelawyer.website
ipcontrolsas.com
ungravity.dev
vigne.tattoo
modcoops.com
earthbondproperty.com
pachinko-and-slot.tokyo
pp88money.com
mysweettangrine.com
barbieinterviews.com
aimageabove.com
hamidconstruction.com
xcolpuj.xyz
xxxvedio.online
ceracasas.com
mariaelamine.com
eew.lat
pmugly.top
withscreamandsugar.com
Signatures

Formbook payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/2816-12-0x0000000000400000-0x000000000042F000-memory.dmp | formbook

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1944 set thread context of 2816 | 1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe | 30

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe
  1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe
  2816 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1944 wrote to memory of 2816 | 1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe | 30
  PID 1944 wrote to memory of 2816 | 1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe | 30
  PID 1944 wrote to memory of 2816 | 1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe | 30
  PID 1944 wrote to memory of 2816 | 1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe | 30
  PID 1944 wrote to memory of 2816 | 1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe | 30
  PID 1944 wrote to memory of 2816 | 1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe | 30
  PID 1944 wrote to memory of 2816 | 1944 | NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe"
   PID: 1944
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f73717ede50c0ae3573c34a1cca093a90b6e52265fd26b8bfbbfee5b84d57273exe_JC.exe"
      PID: 2816
      - Suspicious behavior: EnumeratesProcesses