Analysis

max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2024 10:15
Static task: static1
Behavioral task: behavioral1
Sample: 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
Resource: win7-20240221-en
General

Target: 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
Size: 629KB
MD5: eebb33a5375ffd40682c86deea752033
SHA1: 8ed7b849ba2829a164ee569995f2d4d8a8d90924
SHA256: 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e
SHA512: 77b5fb3046040512a93e4e7069a5e4ded1362c2913b928232d00be416f93619c21e5a3aef20516336eb81e7c4067f88ae67caeada31ddda7480b0a5e3fcf5fe5
SSDEEP: 12288:DK0YOwqVT+BnEymdHekIrOuPhKPrbgAoOxCzSb0c6gb/wM4IKkR:DqO7VDVdDIrOusrbZoGWy0c9wM4IJ
Malware Config

Extracted: formbook, 4.1, dz25
Signatures

Formbook payload (1 IoCs)
  resource: behavioral1/memory/2336-13-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook

Suspicious use of SetThreadContext (1 IoCs)
  description                              pid   Process                                                                   procid_target
  PID 1224 set thread context of 2336      1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     30

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  2336  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  2456  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  Token: SeDebugPrivilege   2456  powershell.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 1224 wrote to memory of 2456     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     28
  PID 1224 wrote to memory of 2456     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     28
  PID 1224 wrote to memory of 2456     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     28
  PID 1224 wrote to memory of 2456     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     28
  PID 1224 wrote to memory of 2336     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     30
  PID 1224 wrote to memory of 2336     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     30
  PID 1224 wrote to memory of 2336     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     30
  PID 1224 wrote to memory of 2336     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     30
  PID 1224 wrote to memory of 2336     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     30
  PID 1224 wrote to memory of 2336     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     30
  PID 1224 wrote to memory of 2336     1224  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe     30
Processes

C:\Users\Admin\AppData\Local\Temp\8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe"
  PID: 1224
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe"
    PID: 2456
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe"
    PID: 2336
    - Suspicious behavior: EnumeratesProcesses