Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 16:37
Static task: static1
Behavioral task: behavioral1
Sample: Confirmation de paiement.exe
Resource: win7-20240221-en
General
Target: Confirmation de paiement.exe
Size: 400KB
MD5: b7056d5765c2af266f183f7f255ea98c
SHA1: 2259c9f9e701cedfdfefd19473495261bf2f8f01
SHA256: 8683941dc107f93a4fcd68ef852d59795a3c790bccf91680b1729f2fb8ed3cd7
SHA512: 5d9aa582ab237655b4b56cb2e58829d4c4a9b34a795a278798a9d1149003f6822b8ddfc0a37da8cfac59f8528381c9d27f29346e243f5b0bc777d23bc30c4e36
SSDEEP: 6144:cwI5Lbz5FmDHUeBN+kNUvoxF6FoVrm1YnIJbqxwFAMRyxUG+w/r1FOOI:25LX5FmD0elRx0nYxwFAMRYUG+w/qO
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: upio
Decoy domains:
thecantonmentcookhouse.com
1for1ecomask.com
thatvintagehome.com
momentbymomentmindfulness.com
denxmedia.com
arc-corner.com
siddharthmakharia.com
meiluk.com
toughu.com
hotelwisatabaru.com
ibluebelt3dbuy.com
bestfootwearhk.com
wbjobalerts.com
radiancenurestoringcleanse.com
xintianlongyeya.com
docauphuhau.com
liberty-furniture.com
ranchhousepizzaonline.com
bednhomes.com
kollakids.com
jumtix.xyz
hallbergtownhomes.com
thenewnaughty.com
thirtytwoandprospect.com
malukeji.com
minecraftmastery.com
vvww-avito.net
rheconsultoria.com
albukharyschools.com
ffully.com
christiansenlawoffice1.com
testghghgh.com
ridersbesttime.com
priyathams.com
laamin.today
tjew.club
classicvidz.com
homelandrealestateschool.com
fytwe.com
newsqribble.icu
vaxcova.com
modernankara.com
domentemenegi50.net
suryadjalil.com
tmpsytech.com
rubyclyde.com
makeupbrush.academy
pennydarbyshire.com
gobulko.com
brownbusinessowners.com
oftenchic.com
s998vip.com
tuhuertica.com
militaryhype.com
itsinthereimage.com
20revcoe.com
goodhandsclinic.com
88finxe.com
xn--gstemappe-v2a.digital
wheresbitty.com
pointdatorcida.com
jackielespiegle.com
uecdlt.com
yoshizawaryo.com
furniture-of-ironforge.com
Signatures

Formbook payload (4 IoCs)
resource | yara_rule
behavioral2/memory/732-16-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/732-21-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/4624-26-0x0000000000ED0000-0x0000000000EFE000-memory.dmp | formbook
behavioral2/memory/4624-28-0x0000000000ED0000-0x0000000000EFE000-memory.dmp | formbook

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | Confirmation de paiement.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 3160 set thread context of 732 | 3160 | Confirmation de paiement.exe | 98
PID 732 set thread context of 3520 | 732 | Confirmation de paiement.exe | 57
PID 4624 set thread context of 3520 | 4624 | systray.exe | 57

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4920 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (54 IoCs)
pid | Process | entries
3160 | Confirmation de paiement.exe | 8
732 | Confirmation de paiement.exe | 4
4624 | systray.exe | 42

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process | entries
732 | Confirmation de paiement.exe | 3
4624 | systray.exe | 2

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3160 | Confirmation de paiement.exe
Token: SeDebugPrivilege | 732 | Confirmation de paiement.exe
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeDebugPrivilege | 4624 | systray.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target | entries
PID 3160 wrote to memory of 4920 | 3160 | Confirmation de paiement.exe | 93 | 3
PID 3160 wrote to memory of 1564 | 3160 | Confirmation de paiement.exe | 95 | 3
PID 3160 wrote to memory of 3308 | 3160 | Confirmation de paiement.exe | 96 | 3
PID 3160 wrote to memory of 1960 | 3160 | Confirmation de paiement.exe | 97 | 3
PID 3160 wrote to memory of 732 | 3160 | Confirmation de paiement.exe | 98 | 6
PID 3520 wrote to memory of 4624 | 3520 | Explorer.EXE | 99 | 3
PID 4624 wrote to memory of 1004 | 4624 | systray.exe | 100 | 3
Processes

C:\Windows\Explorer.EXE (PID 3520)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe (PID 3160)
    command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 4920)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pIHJhbCBS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF78F.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe (PID 1564)
      command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"

    C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe (PID 3308)
      command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"

    C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe (PID 1960)
      command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"

    C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe (PID 732)
      command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\systray.exe (PID 4624)
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1004)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"