Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 00:38
Static task: static1
Behavioral task: behavioral1
Sample: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Resource: win7-20240221-en
General
Target: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Size: 581KB
MD5: 8ebd77032131fa4c9a524b48f241f6ce
SHA1: 0cc05beba021427f9a8b6d3b1395bf820355a820
SHA256: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d
SHA512: a3655e41379df08f23a3242bec23464d261e562785d298b2372275c9040d137209ca9cb6a7e863a796aae02f502456e800a701d0d02de5fcae71c4399a7c832f
SSDEEP: 6144:TBMEPlABQ0OaqtszpR8V2hYHgORzw+A9PVsZWeDkDu+I2h7whAzO0KZfNrH/:T9Aq0OaqO/8VTXsNvkRNBXZfNL/
Malware Config
Extracted
formbook
3.9
sk
Signatures
Detects executables packed with Cassandra/CyaX (2 IoCs)
Processes:
- resource behavioral1/memory/2220-3-0x0000000000960000-0x00000000009A4000-memory.dmp, yara_rule INDICATOR_EXE_Packed_Cassandra
- resource behavioral1/memory/2220-12-0x0000000000350000-0x000000000035A000-memory.dmp, yara_rule INDICATOR_EXE_Packed_Cassandra
Detects executables packed with ConfuserEx Custom; outside of GIT (1 IoC)
Processes:
- resource behavioral1/memory/2220-3-0x0000000000960000-0x00000000009A4000-memory.dmp, yara_rule INDICATOR_EXE_Packed_ConfuserEx_Custom
Formbook payload (1 IoC)
Processes:
- resource behavioral1/memory/2132-18-0x0000000000400000-0x000000000042A000-memory.dmp, yara_rule formbook
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- description: Key value queried, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- description: PID 2220 set thread context of 2132, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe (PID 2220), target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe (PID 2132)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- pid 2132, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- PID 2220 wrote to memory of 2520, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: schtasks.exe
- PID 2220 wrote to memory of 2520, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: schtasks.exe
- PID 2220 wrote to memory of 2520, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: schtasks.exe
- PID 2220 wrote to memory of 2520, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: schtasks.exe
- PID 2220 wrote to memory of 2132, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- PID 2220 wrote to memory of 2132, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- PID 2220 wrote to memory of 2132, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- PID 2220 wrote to memory of 2132, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- PID 2220 wrote to memory of 2132, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- PID 2220 wrote to memory of 2132, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
- PID 2220 wrote to memory of 2132, process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe, target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe (level 1, PID 2220)
  command line: "C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (level 2, PID 2520)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiTdunToFK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD99D.tmp"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe (level 2, PID 2132)
    command line: "C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: d1fd5e12f227eb93901f97339ee5c7ad
SHA1: 8172342fde605f8d3d31cf1113227f1a942df3d9
SHA256: f8456f237ca2428c6b1976ffc7a71df83ed0f9826643a3b67659cf1f8f7087d9
SHA512: 7d3fd324abc3a46c89082dcbfc62dd1bcc21dffb5f966d4ec423d603d1053c231efdc68f5290790494fe61910376c167337e9e4805d3f472803e929796f6a755