Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
08-05-2024 02:19
Static task
static1
Behavioral task
behavioral1
Sample
Doc53436.exe
Resource
win7-20240221-en
General
-
Target
Doc53436.exe
-
Size
592KB
-
MD5
0a97fae0860363de54832184dfd95952
-
SHA1
b7169157062c6e27c3b093e70e7e88fe72a35d36
-
SHA256
9f7c3f92efbdaec249b532ceb5f3d3e310c7142b7d327fb6f73fc6899781e59d
-
SHA512
2900967160a6b3e7749281700031bd4f3869391ed52a35218a51fd926fce21076376458fd20a193b8672e10b803e4b821b1939708c9670e1588bfe259168ff6f
-
SSDEEP
6144:175yLTtJ12bxs/2Mbavm/cSNTgSRgR0QdSdfslVOU6an295l5fDTWSnLGHIVifW6:1iT8tM0mUeTaGQdnUjU+TfvWSgfW4p
Malware Config
Extracted
formbook
3.9
h9s
domidu.com
twelvei.com
palchecker.com
onariart.com
thescarfhut.com
alimotorsandbikes.com
brianneamira.com
tabwindow.com
babybabymom.com
howtostartanllcbusiness.com
cjaiou.com
californiamentoring.com
21millionbits.com
metgranite.com
ujphy.com
8eves.com
backstorysongs.com
www835234.com
szshijia.com
alquimarket.com
mufalaherbal.com
fouzhuan.com
seriouslygay.net
theadfbaq.info
bjjhbj.com
justsweetstuff.com
work-with-mfo.com
dynamicbrazil.win
adafha.com
lilacboat.com
itskayarie.com
captice.com
atasehirekin.com
industrialsyndemics.com
550313.top
eddyespinal.com
kablosuzsinema.com
woofahs-pet-directory.com
c-what-i-c-info.com
hochzeitszauberberlin.com
lanying.group
jkwe3.com
regional.immobilien
mansim.com
artscurator.net
letstravelmex.com
fasreceptor.com
hezonglvshi.com
utimatespellcaster.com
1a1eightabout.men
bhadrakmarket.com
internetwealthexposed.com
intrumpwetrust.estate
aifra.net
garbageangel.com
l3vdinnqj.online
xinchunmiaomu.com
wsxyjx.com
gildedgreenhouse.com
heartofyc.com
retainoo.com
wonwiki.com
nishiogi-nabeoka-clinic.com
runchallenge365.com
stmonlag.com
Signatures
-
Formbook payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4212-11-0x0000000000400000-0x000000000042A000-memory.dmp formbook behavioral2/memory/4212-13-0x0000000000400000-0x000000000042A000-memory.dmp formbook behavioral2/memory/4212-16-0x0000000000400000-0x000000000042A000-memory.dmp formbook -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZRPD-6S0ZD = "C:\\Program Files (x86)\\Xu6al\\8pn0or6ql.exe" explorer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
Doc53436.exeDoc53436.exeexplorer.exedescription pid process target process PID 3856 set thread context of 4212 3856 Doc53436.exe Doc53436.exe PID 4212 set thread context of 3476 4212 Doc53436.exe Explorer.EXE PID 4212 set thread context of 3476 4212 Doc53436.exe Explorer.EXE PID 3324 set thread context of 3476 3324 explorer.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Program Files (x86)\Xu6al\8pn0or6ql.exe explorer.exe -
Drops file in Windows directory 2 IoCs
Processes:
Doc53436.exeDoc53436.exedescription ioc process File opened for modification C:\Windows\win.ini Doc53436.exe File opened for modification C:\Windows\win.ini Doc53436.exe -
Processes:
explorer.exedescription ioc process Key created \Registry\User\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 explorer.exe -
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
Doc53436.exeexplorer.exepid process 4212 Doc53436.exe 4212 Doc53436.exe 4212 Doc53436.exe 4212 Doc53436.exe 4212 Doc53436.exe 4212 Doc53436.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe 3324 explorer.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
Doc53436.exeexplorer.exepid process 4212 Doc53436.exe 4212 Doc53436.exe 4212 Doc53436.exe 4212 Doc53436.exe 3324 explorer.exe 3324 explorer.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Doc53436.exeexplorer.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 4212 Doc53436.exe Token: SeDebugPrivilege 3324 explorer.exe Token: SeShutdownPrivilege 3476 Explorer.EXE Token: SeCreatePagefilePrivilege 3476 Explorer.EXE Token: SeShutdownPrivilege 3476 Explorer.EXE Token: SeCreatePagefilePrivilege 3476 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Doc53436.exeDoc53436.exepid process 3784 Doc53436.exe 3856 Doc53436.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3476 Explorer.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
Doc53436.exeDoc53436.exeDoc53436.exeexplorer.exedescription pid process target process PID 3784 wrote to memory of 3856 3784 Doc53436.exe Doc53436.exe PID 3784 wrote to memory of 3856 3784 Doc53436.exe Doc53436.exe PID 3784 wrote to memory of 3856 3784 Doc53436.exe Doc53436.exe PID 3856 wrote to memory of 4212 3856 Doc53436.exe Doc53436.exe PID 3856 wrote to memory of 4212 3856 Doc53436.exe Doc53436.exe PID 3856 wrote to memory of 4212 3856 Doc53436.exe Doc53436.exe PID 3856 wrote to memory of 4212 3856 Doc53436.exe Doc53436.exe PID 3856 wrote to memory of 4212 3856 Doc53436.exe Doc53436.exe PID 3856 wrote to memory of 4212 3856 Doc53436.exe Doc53436.exe PID 3856 wrote to memory of 4212 3856 Doc53436.exe Doc53436.exe PID 4212 wrote to memory of 3324 4212 Doc53436.exe explorer.exe PID 4212 wrote to memory of 3324 4212 Doc53436.exe explorer.exe PID 4212 wrote to memory of 3324 4212 Doc53436.exe explorer.exe PID 3324 wrote to memory of 2708 3324 explorer.exe cmd.exe PID 3324 wrote to memory of 2708 3324 explorer.exe cmd.exe PID 3324 wrote to memory of 2708 3324 explorer.exe cmd.exe PID 3324 wrote to memory of 1084 3324 explorer.exe cmd.exe PID 3324 wrote to memory of 1084 3324 explorer.exe cmd.exe PID 3324 wrote to memory of 1084 3324 explorer.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\Doc53436.exe"C:\Users\Admin\AppData\Local\Temp\Doc53436.exe"2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Users\Admin\AppData\Local\Temp\Doc53436.exe"C:\Users\Admin\AppData\Local\Temp\Doc53436.exe"3⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Users\Admin\AppData\Local\Temp\Doc53436.exe"C:\Users\Admin\AppData\Local\Temp\Doc53436.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"5⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Doc53436.exe"6⤵PID:2708
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V6⤵PID:1084
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
77KB
MD5dc21f5eb39b15d350362712222df9b01
SHA121435796ca7efa60c57b87619a63d2ecee8deb9c
SHA2561647943a457b1c50ffd2ff12a1f1fecaa3f88ffea6181e9cbd4a6c62ca64de36
SHA51207ebd3eaaf0f41d3dbc1191fc1ff1424961327760721a440ad59a4fbc663f3566000490752b135531e59727d2f65a3fbfe48ea28b8055d020cfab9b8aaf87b91
-
Filesize
38B
MD54aadf49fed30e4c9b3fe4a3dd6445ebe
SHA11e332822167c6f351b99615eada2c30a538ff037
SHA25675034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945
-
Filesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
Filesize
872B
MD5bbc41c78bae6c71e63cb544a6a284d94
SHA133f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA5120aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
-
Filesize
123B
MD56bf517432f65eb7f0d18d574bf14124c
SHA15b9f37c1dd1318ebbec3bd2f07c109eb9d22c727
SHA2566e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46
SHA5127b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06