Analysis

max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2024 02:19

Static task: static1
Behavioral task: behavioral1
Sample: Doc53436.exe
Resource: win7-20240221-en
General

Target: Doc53436.exe
Size: 592KB
MD5: 0a97fae0860363de54832184dfd95952
SHA1: b7169157062c6e27c3b093e70e7e88fe72a35d36
SHA256: 9f7c3f92efbdaec249b532ceb5f3d3e310c7142b7d327fb6f73fc6899781e59d
SHA512: 2900967160a6b3e7749281700031bd4f3869391ed52a35218a51fd926fce21076376458fd20a193b8672e10b803e4b821b1939708c9670e1588bfe259168ff6f
SSDEEP: 6144:175yLTtJ12bxs/2Mbavm/cSNTgSRgR0QdSdfslVOU6an295l5fDTWSnLGHIVifW6:1iT8tM0mUeTaGQdnUjU+TfvWSgfW4p
Malware Config

Extracted
Family: formbook
Version: 3.9
Campaign: h9s
C2 domains (Formbook's configuration deliberately mixes decoy domains in with its real C2, and the sandbox cannot tell them apart, so treat this list as a hunting set rather than as confirmed beaconing):
domidu.com
twelvei.com
palchecker.com
onariart.com
thescarfhut.com
alimotorsandbikes.com
brianneamira.com
tabwindow.com
babybabymom.com
howtostartanllcbusiness.com
cjaiou.com
californiamentoring.com
21millionbits.com
metgranite.com
ujphy.com
8eves.com
backstorysongs.com
www835234.com
szshijia.com
alquimarket.com
mufalaherbal.com
fouzhuan.com
seriouslygay.net
theadfbaq.info
bjjhbj.com
justsweetstuff.com
work-with-mfo.com
dynamicbrazil.win
adafha.com
lilacboat.com
itskayarie.com
captice.com
atasehirekin.com
industrialsyndemics.com
550313.top
eddyespinal.com
kablosuzsinema.com
woofahs-pet-directory.com
c-what-i-c-info.com
hochzeitszauberberlin.com
lanying.group
jkwe3.com
regional.immobilien
mansim.com
artscurator.net
letstravelmex.com
fasreceptor.com
hezonglvshi.com
utimatespellcaster.com
1a1eightabout.men
bhadrakmarket.com
internetwealthexposed.com
intrumpwetrust.estate
aifra.net
garbageangel.com
l3vdinnqj.online
xinchunmiaomu.com
wsxyjx.com
gildedgreenhouse.com
heartofyc.com
retainoo.com
wonwiki.com
nishiogi-nabeoka-clinic.com
runchallenge365.com
stmonlag.com
Signatures

Formbook payload (3 IoCs)
  resource / yara_rule:
    behavioral1/memory/1564-10-0x0000000000400000-0x000000000042A000-memory.dmp  formbook
    behavioral1/memory/1564-17-0x0000000000400000-0x000000000042A000-memory.dmp  formbook
    behavioral1/memory/1564-18-0x0000000000400000-0x000000000042A000-memory.dmp  formbook
  (three dumps of the same 0x2A000-byte region at the image base of PID 1564, the third Doc53436.exe instance, all matching the formbook rule: that region holds the unpacked payload)

Adds policy Run key to start application (2 TTPs, 1 IoC)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  chkdsk.exe

Deletes itself (1 IoC)
  PID 1324  cmd.exe

Suspicious use of SetThreadContext (5 IoCs)
  PID 2456 set thread context of 2536  Doc53436.exe -> Doc53436.exe
  PID 2536 set thread context of 1564  Doc53436.exe -> Doc53436.exe
  PID 1564 set thread context of 1204  Doc53436.exe -> Explorer.EXE  (x2)
  PID 2836 set thread context of 1204  chkdsk.exe -> Explorer.EXE

Drops file in Program Files directory (1 IoC)
  File opened for modification  C:\Program Files (x86)\Fabw\configkvkx8zr0.exe  chkdsk.exe

Drops file in Windows directory (2 IoCs)
  File opened for modification  C:\Windows\win.ini  Doc53436.exe  (x2)

Enumerates system info in registry (2 TTPs, 1 IoC)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  PID 1564  Doc53436.exe  (x3)
  PID 2836  chkdsk.exe    (x18)

Suspicious behavior: MapViewOfSection (6 IoCs)
  PID 1564  Doc53436.exe  (x4)
  PID 2836  chkdsk.exe    (x2)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1564  Doc53436.exe
  Token: SeDebugPrivilege  PID 2836  chkdsk.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2456  Doc53436.exe
  PID 2536  Doc53436.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2456 wrote to memory of 2536  Doc53436.exe -> Doc53436.exe  (x4)
  PID 2536 wrote to memory of 1564  Doc53436.exe -> Doc53436.exe  (x8)
  PID 1564 wrote to memory of 2836  Doc53436.exe -> chkdsk.exe    (x4)
  PID 2836 wrote to memory of 1324  chkdsk.exe -> cmd.exe         (x4)
Processes

C:\Windows\Explorer.EXE  (cmdline: C:\Windows\Explorer.EXE)  PID 1204
  C:\Users\Admin\AppData\Local\Temp\Doc53436.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\Doc53436.exe")  PID 2456
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Doc53436.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\Doc53436.exe")  PID 2536
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\Doc53436.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\Doc53436.exe")  PID 1564
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chkdsk.exe  (cmdline: "C:\Windows\SysWOW64\chkdsk.exe")  PID 2836
          - Adds policy Run key to start application
          - Suspicious use of SetThreadContext
          - Drops file in Program Files directory
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe  (cmdline: /c del "C:\Users\Admin\AppData\Local\Temp\Doc53436.exe")  PID 1324
            - Deletes itself
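The process tree and the SetThreadContext / WriteProcessMemory rows above describe one chain: the sample hollows two copies of itself, the third copy injects into Explorer.EXE, a SysWOW64 utility (chkdsk.exe) is started and also injects into Explorer, writes the Policies\Explorer\Run key and a Program Files drop, and finally launches cmd.exe to delete the original file. The script below is an added example for this page, not output of the sandbox or any Formbook tooling: it transcribes those report rows as constructed Python data and applies the four checks a detection engineer would write for the pattern. The event layout, rule names and helper functions are this example's own conventions.

```python
"""Rebuild the injection and persistence chain recorded in the sandbox report
and flag the Formbook pattern.  Added example for this page: the process rows,
SetThreadContext pairs and IOC paths are transcribed from the report above; the
event schema, rule names and helper functions are this example's own and are
not part of the sandbox or of any Formbook tooling."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Doc53436.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
CHKDSK = r"C:\Windows\SysWOW64\chkdsk.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Process creations from the "Processes" tree: (parent_pid, pid, image, command line).
PROCESSES = [
    (None, 1204, EXPLORER, EXPLORER),
    (1204, 2456, SAMPLE, '"' + SAMPLE + '"'),
    (2456, 2536, SAMPLE, '"' + SAMPLE + '"'),
    (2536, 1564, SAMPLE, '"' + SAMPLE + '"'),
    (1564, 2836, CHKDSK, '"' + CHKDSK + '"'),
    (2836, 1324, CMD, '/c del "' + SAMPLE + '"'),
]

# "Suspicious use of SetThreadContext" rows as (source_pid, target_pid); the
# duplicated 1564 -> 1204 row is kept exactly as the report lists it.
SET_THREAD_CONTEXT = [(2456, 2536), (2536, 1564), (1564, 1204), (1564, 1204), (2836, 1204)]

# Registry and file IOCs from the Signatures section: (pid, kind, path).
ARTIFACTS = [
    (2836, "regkey", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    (2836, "file", r"C:\Program Files (x86)\Fabw\configkvkx8zr0.exe"),
]


def build_tree(processes):
    """Map pid -> (parent_pid, image, cmdline)."""
    return {pid: (ppid, image, cmdline) for ppid, pid, image, cmdline in processes}


def ancestors(tree, pid):
    """Yield the parent chain of pid, nearest parent first."""
    ppid = tree[pid][0]
    while ppid is not None:
        yield ppid
        ppid = tree[ppid][0]


def is_system_binary(image):
    return image.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))


def analyse(processes=PROCESSES, stc=SET_THREAD_CONTEXT, artifacts=ARTIFACTS):
    tree = build_tree(processes)
    findings = []

    # Rule 1: a process sets the thread context of a child it spawned from its own
    # image (process hollowing into a copy of itself).  Each hop is reported once.
    # Rule 2: anything setting a thread context on Explorer.EXE is injecting into
    # the shell; no legitimate program does that to the user's desktop process.
    for src, dst in dict.fromkeys(stc):
        src_img, dst_img = tree[src][1], tree[dst][1]
        src_name, dst_name = ntpath.basename(src_img), ntpath.basename(dst_img)
        if tree[dst][0] == src and src_img.lower() == dst_img.lower():
            findings.append("hollowing: %d -> %d (%s into its own child)" % (src, dst, src_name))
        elif dst_name.lower() == "explorer.exe":
            findings.append("explorer-inject: %d (%s) -> %d" % (src, src_name, dst))

    # Rule 3: cmd.exe running "del" on the image of one of its own ancestors is the
    # sample erasing itself; record which process launched that cmd.exe.
    for ppid, pid, image, cmdline in processes:
        if ntpath.basename(image).lower() != "cmd.exe":
            continue
        m = re.search(r'/c\s+del\s+"?([^"]+)"?', cmdline, re.IGNORECASE)
        if not m:
            continue
        target = m.group(1)
        if any(tree[a][1].lower() == target.lower() for a in ancestors(tree, pid)):
            launcher = ntpath.basename(tree[ppid][1])
            findings.append("self-delete: %d cmd.exe deletes %s, launched by %s (%d)"
                            % (pid, ntpath.basename(target), launcher, ppid))

    # Rule 4: Policies\Explorer\Run is a policy-only autostart key and Program Files
    # is an installer location; a Windows utility such as chkdsk.exe touching either
    # is the injected host establishing persistence.
    for pid, kind, path in artifacts:
        image = ntpath.basename(tree[pid][1])
        if not is_system_binary(tree[pid][1]):
            continue
        if kind == "regkey" and path.lower().endswith("\\policies\\explorer\\run"):
            findings.append("persistence: %d (%s) created Policies Explorer Run key" % (pid, image))
        elif kind == "file" and path.lower().startswith("c:\\program files") and path.lower().endswith(".exe"):
            findings.append("dropped-exe: %d (%s) wrote %s" % (pid, image, path))
    return findings


def is_formbook_like(findings):
    """The three behaviours together are the loader pattern this report shows."""
    kinds = {f.split(":", 1)[0] for f in findings}
    return {"hollowing", "explorer-inject", "self-delete"} <= kinds


if __name__ == "__main__":
    for line in analyse():
        print(line)
    print("formbook-like:", is_formbook_like(analyse()))
```

Run stand-alone it prints seven findings: two hollowing hops, two Explorer injections (one from Doc53436.exe, one from chkdsk.exe), the cmd.exe self-deletion launched by chkdsk.exe, the policy Run key and the Program Files drop. To reuse it on live telemetry, feed `analyse()` the same tuples built from Sysmon event ID 1 (process create), ID 10 (process access, for the SetThreadContext and WriteProcessMemory pairs), ID 11 (file create) and ID 12/13 (registry), which carry exactly the fields used here.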
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 509B
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA1: deb3d3bdc9055f0b4909b31d3048446848fae0e1
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
SHA512: 8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31