Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2023, 18:52
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe
Resource: win7-20231020-en
General
Target: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe
Size: 576KB
MD5: bd7d9e25eb411dc50797883dcb932a9a
SHA1: 16a066628f7d9d0fe4f4053eca6b51f19844375e
SHA256: e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8
SHA512: c542a741a7f57a2e747a5142031a8a85afc8c7996c8a0739df31af6808fd5892f382d10851cc34ecac619306a74071a10e9503cfef4629f1bd2fb4f4af45288e
SSDEEP: 12288:dvs/jTTrK3U0DMEJ5T0nPc/wVI7ZZ41x8//SEeXD+wl:xsLTq3FvNagHdx/
Malware Config
Extracted
family: formbook
version: 4.1
campaign: ls02
domains:
vocabularybot.com
invisalignsmilesolutions.xyz
sleepdisorderinsomnia.com
bern.beauty
ahazmcdris.top
21874960sie8ca1.store
yeitced.xyz
biggerpictureventures.com
alduhagroup.com
itsolutions.biz
0oq6y.com
wildpolis.com
mariobet469.com
brynnwpods.com
tastywin.com
cou2m1.com
newaitrucks.com
puremeans.studio
mitienda-la.com
jujuresorthotel.com
kmjdhq.com
2840vacations.com
recchia-assicura.com
danetresales.com
crashed.boats
canton404.com
bluetilestudio.com
dfcf68333.net
smartplusplatform.online
apotheekgemak.online
arsmassagii.com
keenly-digital.com
uptravelcrm.com
loftybud.com
djfiremangambia.com
dreamydesiresstudio.com
perezzuriagaarquitecto.com
alisseo.com
smnxp.com
dhsgnk.com
ernestveremu.com
e2owaz8zskz.asia
stannesnstyrrellspass.com
delimikrofon.com
commodityrisks.com
ghghhgettt22.top
biggestbasispoints.com
evelmeedical.com
sentrumsnytt.online
kingdom69amp.com
bhphub.com
k5h5v.com
wuliangysh12.cloud
annasutraasource.net
greatairconditioners1.buzz
subpaylive.com
assumablemortgagenetwork.com
flairity.tech
shoutart.com
miy9.icu
nebudali.com
bagishopping.com
baiyeba.com
nycoapartments.com
wisewolftdot.online
Signatures

Formbook payload (1 IoC)
  resource: behavioral2/memory/4944-12-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2036 set thread context of 4944; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe; procid_target: 80

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe
  pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe
  pid: 4944; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe
  pid: 4944; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 2036 wrote to memory of 4776; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe; procid_target: 79
  description: PID 2036 wrote to memory of 4776; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe; procid_target: 79
  description: PID 2036 wrote to memory of 4776; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe; procid_target: 79
  description: PID 2036 wrote to memory of 4944; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe; procid_target: 80
  description: PID 2036 wrote to memory of 4944; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe; procid_target: 80
  description: PID 2036 wrote to memory of 4944; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe; procid_target: 80
  description: PID 2036 wrote to memory of 4944; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe; procid_target: 80
  description: PID 2036 wrote to memory of 4944; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe; procid_target: 80
  description: PID 2036 wrote to memory of 4944; pid: 2036; Process: NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe; procid_target: 80
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe"
  PID: 2036
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe"
    PID: 4776

  C:\Users\Admin\AppData\Local\Temp\NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e3bad3b72d6b9d9572d3c2df6e6e02b08366065d4dca0d65d868c4d7d9ff52c8exe_JC.exe"
    PID: 4944
    - Suspicious behavior: EnumeratesProcesses