Analysis

max time kernel: 141s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-01-2024 01:20
Static task: static1
Behavioral task: behavioral1
Sample: 815a024ce875b00b5386479d8b87f37d.exe
Resource: win7-20231215-en
General

Target: 815a024ce875b00b5386479d8b87f37d.exe
Size: 483KB
MD5: 815a024ce875b00b5386479d8b87f37d
SHA1: 651844bbacefec03cf31ae7ced538cc79ccb5f73
SHA256: c57f54cbf52d1476843ee5a25ec2fd67da19d3d65ef9043bda5b725c6702419d
SHA512: 910911ad4f145027d9d63412ac82dc475508c2b3a61b2eb090f5c98c3fad8f7a62191e4b7ac4139f256eb16b78aa2f04123cf928d15a6d9107850a8f0cd4b581
SSDEEP: 6144:OIFhuSYWFYgrKsUc3y2WnO1xzcWmZXe2rkwnbo60T21BOcCSrYDEgfje5ig1ef9b:zh8Mz+sv3y2N1xzAZprkmuN/SD5iKef5
Malware Config
Extracted
formbook
3.9
ow
Signatures

Formbook payload (1 IoC)
  resource: behavioral2/memory/5008-21-0x0000000000530000-0x000000000055A000-memory.dmp
  yara_rule: formbook

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  process: 815a024ce875b00b5386479d8b87f37d.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (2 IoCs)
  PID 1688 syscheck.exe
  PID 5008 syscheck.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  process: syscheck.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysnet = "C:\\Users\\Admin\\AppData\\Local\\syscheck.exe -boot"

Suspicious use of SetThreadContext (1 IoC)
  PID 1688 syscheck.exe set thread context of PID 5008 syscheck.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 3144 WerFault.exe, target PID 5008 syscheck.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3348 815a024ce875b00b5386479d8b87f37d.exe
  Token: SeDebugPrivilege, PID 1688 syscheck.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 3348 815a024ce875b00b5386479d8b87f37d.exe wrote to memory of PID 4728 cmd.exe (3 times)
  PID 3348 815a024ce875b00b5386479d8b87f37d.exe wrote to memory of PID 2372 cmd.exe (3 times)
  PID 2372 cmd.exe wrote to memory of PID 1688 syscheck.exe (3 times)
  PID 1688 syscheck.exe wrote to memory of PID 5008 syscheck.exe (6 times)
Processes

C:\Users\Admin\AppData\Local\Temp\815a024ce875b00b5386479d8b87f37d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\815a024ce875b00b5386479d8b87f37d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\815a024ce875b00b5386479d8b87f37d.exe" "C:\Users\Admin\AppData\Local\syscheck.exe"

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\syscheck.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\syscheck.exe
      command line: "C:\Users\Admin\AppData\Local\syscheck.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\syscheck.exe
        command line: "C:\Users\Admin\AppData\Local\syscheck.exe"
        - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 184
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5008 -ip 5008
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\syscheck.exe
  Filesize: 483KB
  MD5: 815a024ce875b00b5386479d8b87f37d
  SHA1: 651844bbacefec03cf31ae7ced538cc79ccb5f73
  SHA256: c57f54cbf52d1476843ee5a25ec2fd67da19d3d65ef9043bda5b725c6702419d
  SHA512: 910911ad4f145027d9d63412ac82dc475508c2b3a61b2eb090f5c98c3fad8f7a62191e4b7ac4139f256eb16b78aa2f04123cf928d15a6d9107850a8f0cd4b581

memory/1688-17-0x0000000074EA0000-0x0000000075650000-memory.dmp, Filesize: 7.7MB
memory/1688-15-0x0000000074EA0000-0x0000000075650000-memory.dmp, Filesize: 7.7MB
memory/1688-24-0x0000000074EA0000-0x0000000075650000-memory.dmp, Filesize: 7.7MB
memory/1688-18-0x0000000005B20000-0x0000000005BBC000-memory.dmp, Filesize: 624KB
memory/1688-16-0x0000000004EE0000-0x0000000004EF0000-memory.dmp, Filesize: 64KB
memory/3348-5-0x00000000058D0000-0x00000000058E0000-memory.dmp, Filesize: 64KB
memory/3348-2-0x0000000005B90000-0x0000000006134000-memory.dmp, Filesize: 5.6MB
memory/3348-14-0x0000000074EA0000-0x0000000075650000-memory.dmp, Filesize: 7.7MB
memory/3348-9-0x00000000058D0000-0x00000000058E0000-memory.dmp, Filesize: 64KB
memory/3348-8-0x0000000074EA0000-0x0000000075650000-memory.dmp, Filesize: 7.7MB
memory/3348-1-0x0000000000BB0000-0x0000000000C2E000-memory.dmp, Filesize: 504KB
memory/3348-0-0x0000000074EA0000-0x0000000075650000-memory.dmp, Filesize: 7.7MB
memory/3348-4-0x0000000005580000-0x000000000559C000-memory.dmp, Filesize: 112KB
memory/3348-3-0x0000000005680000-0x0000000005712000-memory.dmp, Filesize: 584KB
memory/5008-21-0x0000000000530000-0x000000000055A000-memory.dmp, Filesize: 168KB