Analysis

max time kernel: 147s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2024 16:37

Static task: static1
Behavioral task: behavioral1
Sample: Confirmation de paiement.exe
Resource: win7-20240221-en

General

Target: Confirmation de paiement.exe
Size: 400KB
MD5: b7056d5765c2af266f183f7f255ea98c
SHA1: 2259c9f9e701cedfdfefd19473495261bf2f8f01
SHA256: 8683941dc107f93a4fcd68ef852d59795a3c790bccf91680b1729f2fb8ed3cd7
SHA512: 5d9aa582ab237655b4b56cb2e58829d4c4a9b34a795a278798a9d1149003f6822b8ddfc0a37da8cfac59f8528381c9d27f29346e243f5b0bc777d23bc30c4e36
SSDEEP: 6144:cwI5Lbz5FmDHUeBN+kNUvoxF6FoVrm1YnIJbqxwFAMRyxUG+w/r1FOOI:25LX5FmD0elRx0nYxwFAMRYUG+w/qO

Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: upio
Decoy domains: 65 extracted from the configuration
Signatures

Formbook payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2708-18-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
  behavioral1/memory/2708-22-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
  behavioral1/memory/2708-28-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
  behavioral1/memory/2864-33-0x0000000000080000-0x00000000000AE000-memory.dmp   formbook
  behavioral1/memory/2864-35-0x0000000000080000-0x00000000000AE000-memory.dmp   formbook

Deletes itself (1 IoCs)
  pid    Process
  2912   cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                           pid    Process                        procid_target
  PID 1460 set thread context of 2708   1460   Confirmation de paiement.exe   30
  PID 2708 set thread context of 1212   2708   Confirmation de paiement.exe   21
  PID 2708 set thread context of 1212   2708   Confirmation de paiement.exe   21
  PID 2864 set thread context of 1212   2864   help.exe                       21

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2752   schtasks.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid    Process                        entries
  1460   Confirmation de paiement.exe   2
  2708   Confirmation de paiement.exe   3
  2864   help.exe                       20

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid    Process                        entries
  2708   Confirmation de paiement.exe   4
  2864   help.exe                       2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1460   Confirmation de paiement.exe
  Token: SeDebugPrivilege   2708   Confirmation de paiement.exe
  Token: SeDebugPrivilege   2864   help.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                        pid    Process                        procid_target   entries
  PID 1460 wrote to memory of 2752   1460   Confirmation de paiement.exe   28              4
  PID 1460 wrote to memory of 2708   1460   Confirmation de paiement.exe   30              7
  PID 1212 wrote to memory of 2864   1212   Explorer.EXE                   33              4
  PID 2864 wrote to memory of 2912   2864   help.exe                       34              4
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1212
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
    PID: 1460
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pIHJhbCBS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA2B.tmp"
      PID: 2752
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
      PID: 2708
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\help.exe
    Command line: "C:\Windows\SysWOW64\help.exe"
    PID: 2864
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
      PID: 2912
      - Deletes itself