Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
23/10/2023, 19:35
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe
Resource
win7-20231023-en
General
-
Target
NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe
-
Size
635KB
-
MD5
0d92c4776d31205c7b2275d1a78b4085
-
SHA1
985fba4c665f1f1250df0a85c3169bc631d9e0a5
-
SHA256
f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949
-
SHA512
965c80653a4e4a0bfaacd60131248aaf15fca1487df8a72f2780c7fba63e6a09227252271cb1e5d8547a241ec644e16b924dd1cf683f39b08f3cbf08b8008e22
-
SSDEEP
12288:Noj7s93wIxbzM1k19Rvt7l+SAd+GSJnhY5RgzTaz6uiczg:Oj7s93nfxfha7SJCuOz9k
Malware Config
Extracted
formbook
4.1
eg02
erc20.gold
elainevannmorgan.photography
melbet-el4.top
guvenilir.bet
sesamecsre.com
kevinjaydenwivano.tech
condohotelguru.com
shjcdz.com
innocarta.store
collinstradingpost.com
6om3j4.top
nagtco.xyz
fasist.fit
arkansaspremiertournaments.com
mrscsnowschool.com
ma-group.online
lillyjriley.icu
electric-cars-87253.bond
lila.tools
hollamia.com
snartonlinecheck.work
zaymnokni.online
rapidreviewmd.online
p8m.xyz
crowdhailer.online
needwaterpump.online
vi-apk.com
anenza.com
smarters-iptv.live
yachtfuellife.com
gbconsulting.online
limasise.com
bankir-ru.com
alexanderbonnet.com
bevontrade.com
inovarevending.com
aamrut.com
asalgacor.info
qqdwua.icu
ownableai.com
karoobaar.com
8lode88.vip
eblata.com
foxhouston26.com
www653f8918344e.com
pg290.fun
blacktowhitecuckold.com
lindsaybea.com
tripitour.com
senhormarceneiro.com
blacktowhitecuckold.com
zephyra.bet
seleneexport.com
nfertilityinwomen.com
godestas.com
pickuptruk.com
broadwayscg.com
jordanwatts.link
escuelawakana.com
compreiganhei.site
wolfandthecrow.com
nagoya-naisou-kaitai.com
wiseleadership.net
midowallwet.com
mygeneralmotorsretirement.com
Signatures
-
Formbook payload 2 IoCs
resource yara_rule behavioral1/memory/2564-19-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2912-24-0x0000000002350000-0x0000000002390000-memory.dmp formbook -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1264 set thread context of 2564 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2716 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 2564 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 2912 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe Token: SeDebugPrivilege 2912 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1264 wrote to memory of 2912 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 30 PID 1264 wrote to memory of 2912 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 30 PID 1264 wrote to memory of 2912 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 30 PID 1264 wrote to memory of 2912 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 30 PID 1264 wrote to memory of 2716 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 32 PID 1264 wrote to memory of 2716 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 32 PID 1264 wrote to memory of 2716 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 32 PID 1264 wrote to memory of 2716 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 32 PID 1264 wrote to memory of 2564 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 34 PID 1264 wrote to memory of 2564 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 34 PID 1264 wrote to memory of 2564 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 34 PID 1264 wrote to memory of 2564 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 34 PID 1264 wrote to memory of 2564 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 34 PID 1264 wrote to memory of 2564 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 34 PID 1264 wrote to memory of 2564 1264 NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Ruwtgxl.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Ruwtgxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp954.tmp"2⤵
- Creates scheduled task(s)
PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2564
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57a127e68830078d9c2b9490bb1957762
SHA13bf4dedec481ca06df8d66192f1a45659f95135a
SHA256cb03dfc141181516ef76049eba71f5819f4ec50f8e63c4b4990994b81f782d98
SHA512892753087e0fc9e9c19115dd305814ed1df81fd8bea218afe18287e4cee194da8b13a63bc0e6a55003d8a7f24a4e171091650fb6ae5b8cd40241e94a97fcc9b3