Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 10:15
Static task: static1
Behavioral task: behavioral1
Sample: 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
Resource: win7-20240221-en
General
Target: 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
Size: 652KB
MD5: 26a38af05a6bdd23f047eb65fee67251
SHA1: 61633e621f7d7cdcca5936b27a18cfe7e5169aae
SHA256: 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a
SHA512: 7d852f05e4377b77691c3c7517609b6bd12c96d0c5dfe0bb330974ff891731529c12da9a7d52ea0f4e526fd35ce35237bfe40d2099afc12f59e58f95157e16b9
SSDEEP: 12288:JCTYHa5WHBh2Izs6vHhIlvyuq7it546mz2p9:QTYNHU6vHKlvU7ij46mKp
Malware Config
Extracted
formbook
4.1
hy07
Signatures

Formbook payload (1 IoC)
resource: behavioral2/memory/4672-17-0x0000000000400000-0x000000000042F000-memory.dmp
yara_rule: formbook

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation
Process: 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

Suspicious use of SetThreadContext (1 IoC)
PID 4644 set thread context of 4672 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 110)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 1784, Process schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid 1108, Process powershell.exe
pid 1108, Process powershell.exe
pid 4672, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
pid 4672, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
pid 4672, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
pid 1108, Process powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege (pid 1108, Process powershell.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
PID 4644 wrote to memory of 1108 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 106)
PID 4644 wrote to memory of 1108 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 106)
PID 4644 wrote to memory of 1108 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 106)
PID 4644 wrote to memory of 1784 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 108)
PID 4644 wrote to memory of 1784 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 108)
PID 4644 wrote to memory of 1784 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 108)
PID 4644 wrote to memory of 4672 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 110)
PID 4644 wrote to memory of 4672 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 110)
PID 4644 wrote to memory of 4672 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 110)
PID 4644 wrote to memory of 4672 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 110)
PID 4644 wrote to memory of 4672 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 110)
PID 4644 wrote to memory of 4672 (pid 4644, Process 3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe, procid_target 110)
Processes

C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe (PID 4644)
  command line: "C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1108)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wIJCOfiF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  child: C:\Windows\SysWOW64\schtasks.exe (PID 1784)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wIJCOfiF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA9DC.tmp"
    - Creates scheduled task(s)

  child: C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe (PID 4672)
    command line: "C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe"
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4084)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 2
Filesize: 1KB
MD5: 92bdbe8c9f874bc1cadf927e4ae9618d
SHA1: b93eb8b2a8be4ab6bb228ab04b3b025980bc0f26
SHA256: 2560a52d640d3462a96a30116d21448b819facdb28ee226885bddc0239fc14ac
SHA512: 5f27e7335e412a4a3ae24aad80d7ae130c743be4f231901f96e8b7ffc1ad2e0134975814c7e013fd2dd8b61ff07756b4c265b11c333bcad0ba020b752394b6e8