Analysis
max time kernel: 90s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 02-04-2024 10:15
Static task: static1
Behavioral task: behavioral1
Sample: 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
Resource: win7-20240221-en
General
Target: 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
Size: 629KB
MD5: eebb33a5375ffd40682c86deea752033
SHA1: 8ed7b849ba2829a164ee569995f2d4d8a8d90924
SHA256: 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e
SHA512: 77b5fb3046040512a93e4e7069a5e4ded1362c2913b928232d00be416f93619c21e5a3aef20516336eb81e7c4067f88ae67caeada31ddda7480b0a5e3fcf5fe5
SSDEEP: 12288:DK0YOwqVT+BnEymdHekIrOuPhKPrbgAoOxCzSb0c6gb/wM4IKkR:DqO7VDVdDIrOusrbZoGWy0c9wM4IJ
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: dz25
Signatures
Formbook payload (1 IoC)
  resource: behavioral2/memory/4256-11-0x0000000000400000-0x000000000042F000-memory.dmp  yara_rule: formbook
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation  Process: 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 3688 set thread context of 4256  Process: 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe  procid_target: 97
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 3688  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  PID 3688  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  PID 3688  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  PID 3688  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  PID 3688  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  PID 3688  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  PID 3688  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  PID 4256  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  PID 4256  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  PID 2084  powershell.exe
  PID 2084  powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 3688  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  Token: SeDebugPrivilege  PID 2084  powershell.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3688 wrote to memory of 2084  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe  procid_target: 95
  PID 3688 wrote to memory of 2084  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe  procid_target: 95
  PID 3688 wrote to memory of 2084  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe  procid_target: 95
  PID 3688 wrote to memory of 4256  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe  procid_target: 97
  PID 3688 wrote to memory of 4256  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe  procid_target: 97
  PID 3688 wrote to memory of 4256  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe  procid_target: 97
  PID 3688 wrote to memory of 4256  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe  procid_target: 97
  PID 3688 wrote to memory of 4256  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe  procid_target: 97
  PID 3688 wrote to memory of 4256  8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe  procid_target: 97
Processes
C:\Users\Admin\AppData\Local\Temp\8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe"
  PID: 3688
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe"
    PID: 2084
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Users\Admin\AppData\Local\Temp\8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e.exe"
    PID: 4256
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82