Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 27-03-2024 14:36
Static task: static1
Behavioral task: behavioral1
Sample: e1e7b17c9e0a298346b82f04fabd4f60.exe
Resource: win7-20240220-en
General
Target: e1e7b17c9e0a298346b82f04fabd4f60.exe
Size: 604KB
MD5: e1e7b17c9e0a298346b82f04fabd4f60
SHA1: 735264e7cd43dca269582680ce3609eb5cac0418
SHA256: 239a8da808d8c8af3c89dda0bfeec6ab1f28a65fefca254e42ac993ee887abd0
SHA512: 929478f7a8a88cbbd7a31891cf886a24608bbbfcf5128d5e4683e50aa7cb916b1216194e2186eb2ea51c7511caecb4fac03fda3ae037dc22ceaf7522f6577f32
SSDEEP: 12288:KGFOsBgo0q4wMHDyKmBiFmK19sMS+2fI59BDNUHG4lBzGLTq9jbWBCVv:K4OsBgo0q4wMHDyKmBioI9sI2fI5PBU/
Malware Config
Extracted configuration
Family: formbook
Version: 4.1
Campaign ID: vd9n
Domains:
theunwrappedcollective.com
seckj-ic.com
tyresandover.com
thetrophyworld.com
fonggrconstruction.com
hopiproject.com
sktitle.com
charlotteobscurer.com
qjuhe.com
girlzglitter.com
createmylawn.com
hempcbgpill.com
zzdfdzkj.com
shreehariessential.com
226sm.com
getcupscall.com
neuralviolin.com
sanskaar.life
xn--fhqrm54yyukopc.com
togetherx4fantasy5star.today
buyonlinesaree.com
percyshandman.site
hatchethangout.com
rugpat.com
zen-gizmo.com
vipmomali.com
lacerasavall.cat
aqueouso.com
mkolgems.com
sevenhundredseventysix.fund
fotografhannaneret.com
mitravy.com
bmtrans.net
linterpreting.com
izquay.com
sawaturkey.com
marche-maman.com
eemygf.com
animenovel.com
travelssimply.com
montecitobutterfly.com
volebahis.com
daniela.red
ramseyedk12.com
leyterealestate.info
patriotstrong.net
vkgcrew.com
nadhiradeebaazkiya.online
hotelcarre.com
myfabulouscollection.com
stellantis-luxury-rent.com
hn2020.xyz
emilyscopes.com
lotosouq.com
lovecord.date
stconstant.online
volkite-culverin.net
allwaysautism.com
sheisnatashasimone.com
sepantaceram.com
ishopgrady.com
lifestorycard.com
sexybbwavailable.website
domainbaycapital.com
constructioncleanup.pro
Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
Processes:
  resource: behavioral1/memory/840-3-0x0000000000340000-0x0000000000352000-memory.dmp  yara_rule: CustAttr

Formbook payload (4 IoCs)
Processes:
  resource: behavioral1/memory/2404-17-0x0000000000400000-0x000000000042E000-memory.dmp  yara_rule: formbook
  resource: behavioral1/memory/2404-21-0x0000000000400000-0x000000000042E000-memory.dmp  yara_rule: formbook
  resource: behavioral1/memory/2024-27-0x0000000000080000-0x00000000000AE000-memory.dmp  yara_rule: formbook
  resource: behavioral1/memory/2024-33-0x0000000000080000-0x00000000000AE000-memory.dmp  yara_rule: formbook

Suspicious use of SetThreadContext (3 IoCs)
Processes: e1e7b17c9e0a298346b82f04fabd4f60.exe, RegSvcs.exe, wininit.exe
  description                          pid   process                               target process
  PID 840 set thread context of 2404   840   e1e7b17c9e0a298346b82f04fabd4f60.exe  RegSvcs.exe
  PID 2404 set thread context of 1196  2404  RegSvcs.exe                           Explorer.EXE
  PID 2024 set thread context of 1196  2024  wininit.exe                           Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes: e1e7b17c9e0a298346b82f04fabd4f60.exe, RegSvcs.exe, wininit.exe
  pid   process
  840   e1e7b17c9e0a298346b82f04fabd4f60.exe
  2404  RegSvcs.exe (2 entries)
  2024  wininit.exe (20 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: RegSvcs.exe, wininit.exe
  pid   process
  2404  RegSvcs.exe (3 entries)
  2024  wininit.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: e1e7b17c9e0a298346b82f04fabd4f60.exe, RegSvcs.exe, wininit.exe
  description              pid   process
  Token: SeDebugPrivilege  840   e1e7b17c9e0a298346b82f04fabd4f60.exe
  Token: SeDebugPrivilege  2404  RegSvcs.exe
  Token: SeDebugPrivilege  2024  wininit.exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes: e1e7b17c9e0a298346b82f04fabd4f60.exe, Explorer.EXE, wininit.exe
  description                       pid   process                               target process
  PID 840 wrote to memory of 2432   840   e1e7b17c9e0a298346b82f04fabd4f60.exe  schtasks.exe  (4 entries)
  PID 840 wrote to memory of 2404   840   e1e7b17c9e0a298346b82f04fabd4f60.exe  RegSvcs.exe   (10 entries)
  PID 1196 wrote to memory of 2024  1196  Explorer.EXE                          wininit.exe   (4 entries)
  PID 2024 wrote to memory of 2688  2024  wininit.exe                           cmd.exe       (4 entries)
Processes

C:\Windows\Explorer.EXE  (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\e1e7b17c9e0a298346b82f04fabd4f60.exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\e1e7b17c9e0a298346b82f04fabd4f60.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (depth 3)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Vuaokht" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF8F.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wininit.exe  (depth 2)
    command line: "C:\Windows\SysWOW64\wininit.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCF8F.tmp
  Filesize: 1KB
  MD5: 3abcc76859bba7c8afc6cda7968d94f2
  SHA1: d951dede708964d193049cde1a74d63d3997bd3c
  SHA256: 30d5010a2d35db5c6f8a4882855418aa196add21c99778749455aedffb68a798
  SHA512: f99bf571d346ce4a9fcef7f4f1ec785360b9be9fca65078ec3da0234559ecee806eda5b978d5c59dc7d234fbd80e89f84d934eea2b10bf2a0efc6729357b362c

memory/840-18-0x0000000074680000-0x0000000074D6E000-memory.dmp  (Filesize: 6.9MB)
memory/840-1-0x0000000074680000-0x0000000074D6E000-memory.dmp  (Filesize: 6.9MB)
memory/840-2-0x0000000004FA0000-0x0000000004FE0000-memory.dmp  (Filesize: 256KB)
memory/840-3-0x0000000000340000-0x0000000000352000-memory.dmp  (Filesize: 72KB)
memory/840-4-0x0000000074680000-0x0000000074D6E000-memory.dmp  (Filesize: 6.9MB)
memory/840-5-0x0000000004FA0000-0x0000000004FE0000-memory.dmp  (Filesize: 256KB)
memory/840-6-0x00000000052B0000-0x0000000005330000-memory.dmp  (Filesize: 512KB)
memory/840-7-0x00000000007E0000-0x0000000000818000-memory.dmp  (Filesize: 224KB)
memory/840-0-0x0000000001210000-0x00000000012AE000-memory.dmp  (Filesize: 632KB)
memory/1196-24-0x0000000007300000-0x000000000746A000-memory.dmp  (Filesize: 1.4MB)
memory/1196-31-0x0000000007300000-0x000000000746A000-memory.dmp  (Filesize: 1.4MB)
memory/1196-22-0x0000000002F30000-0x0000000003030000-memory.dmp  (Filesize: 1024KB)
memory/2024-25-0x0000000000490000-0x00000000004AA000-memory.dmp  (Filesize: 104KB)
memory/2024-33-0x0000000000080000-0x00000000000AE000-memory.dmp  (Filesize: 184KB)
memory/2024-29-0x0000000002120000-0x00000000021B3000-memory.dmp  (Filesize: 588KB)
memory/2024-28-0x00000000022B0000-0x00000000025B3000-memory.dmp  (Filesize: 3.0MB)
memory/2024-27-0x0000000000080000-0x00000000000AE000-memory.dmp  (Filesize: 184KB)
memory/2024-26-0x0000000000490000-0x00000000004AA000-memory.dmp  (Filesize: 104KB)
memory/2404-14-0x0000000000400000-0x000000000042E000-memory.dmp  (Filesize: 184KB)
memory/2404-13-0x0000000000400000-0x000000000042E000-memory.dmp  (Filesize: 184KB)
memory/2404-21-0x0000000000400000-0x000000000042E000-memory.dmp  (Filesize: 184KB)
memory/2404-23-0x0000000000390000-0x00000000003A4000-memory.dmp  (Filesize: 80KB)
memory/2404-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  (Filesize: 4KB)
memory/2404-19-0x0000000000920000-0x0000000000C23000-memory.dmp  (Filesize: 3.0MB)
memory/2404-17-0x0000000000400000-0x000000000042E000-memory.dmp  (Filesize: 184KB)