Analysis
max time kernel: 133s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 00:38
Static task: static1
Behavioral task: behavioral1
Sample: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Resource: win7-20240221-en
General
Target: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Size: 581KB
MD5: 8ebd77032131fa4c9a524b48f241f6ce
SHA1: 0cc05beba021427f9a8b6d3b1395bf820355a820
SHA256: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d
SHA512: a3655e41379df08f23a3242bec23464d261e562785d298b2372275c9040d137209ca9cb6a7e863a796aae02f502456e800a701d0d02de5fcae71c4399a7c832f
SSDEEP: 6144:TBMEPlABQ0OaqtszpR8V2hYHgORzw+A9PVsZWeDkDu+I2h7whAzO0KZfNrH/:T9Aq0OaqO/8VTXsNvkRNBXZfNL/
Malware Config
Extracted
formbook
3.9
sk
Signatures
Detects executables packed with Cassandra/CyaX (2 IoCs)
Processes:
  resource: behavioral2/memory/552-4-0x0000000004E20000-0x0000000004E64000-memory.dmp | yara_rule: INDICATOR_EXE_Packed_Cassandra
  resource: behavioral2/memory/552-15-0x0000000007860000-0x000000000786A000-memory.dmp | yara_rule: INDICATOR_EXE_Packed_Cassandra
Detects executables packed with ConfuserEx Custom; outside of GIT (1 IoCs)
Processes:
  resource: behavioral2/memory/552-4-0x0000000004E20000-0x0000000004E64000-memory.dmp | yara_rule: INDICATOR_EXE_Packed_ConfuserEx_Custom
Formbook payload (1 IoCs)
Processes:
  resource: behavioral2/memory/4992-18-0x0000000000710000-0x000000000073A000-memory.dmp | yara_rule: formbook
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description: PID 552 set thread context of 4992 | pid: 552 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
  pid: 3492 | pid_target: 4992 | process: WerFault.exe | target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description: PID 552 wrote to memory of 2712 | pid: 552 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | target process: schtasks.exe
  description: PID 552 wrote to memory of 2712 | pid: 552 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | target process: schtasks.exe
  description: PID 552 wrote to memory of 2712 | pid: 552 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | target process: schtasks.exe
  description: PID 552 wrote to memory of 4992 | pid: 552 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
  description: PID 552 wrote to memory of 4992 | pid: 552 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
  description: PID 552 wrote to memory of 4992 | pid: 552 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
  description: PID 552 wrote to memory of 4992 | pid: 552 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
  description: PID 552 wrote to memory of 4992 | pid: 552 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
  description: PID 552 wrote to memory of 4992 | pid: 552 | process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | target process: b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe"
   - Looks for VirtualBox Guest Additions in registry
   - Looks for VMWare Tools registry key
   - Checks BIOS information in registry
   - Checks computer location settings
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 552
   2. C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiTdunToFK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF01D.tmp"
      - Creates scheduled task(s)
      PID: 2712
   2. C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe"
      PID: 4992
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 184
         - Program crash
         PID: 3492
1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992
   PID: 4624
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: b6641dc5108adc81d3db7aae9b3c40b3
SHA1: 1cea02170cd91f8503e3aecd9790484e701e6427
SHA256: 8650820b765908d94d24b5824599b04ace28ad0ba0e70c85d0595c3a100ae71c
SHA512: 5d13d7ee183c23cc44c20d6efdc70deb70c5c4229f1a66953cadd16a3bfdcb391d2d17fa2b9c873e35deb1ad7ee1f9a64f03e7a7bf7e58a87512a856f6b1bdb3