Analysis
max time kernel: 149s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2024 02:59
Static task: static1
Behavioral task: behavioral1
Sample: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe
Resource: win7-20240221-en
General
Target: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe
Size: 816KB
MD5: 240f134e5318c9efc8f4edb219a9b16f
SHA1: 7150a57a5817c1602524fc2b3b8dfc2910b77148
SHA256: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613
SHA512: 704090e6007ae618f397d86ec1c7ffd8b2152cb2dfcbe6813a4d04963f07805ff7fd7f3ae4bdf99477f0791c31ede7609f59265a803893c7c89f07b62841f581
SSDEEP: 12288:JYuePwisfcgWf/j5VtK+CVINMX9yKBg7vj1UJ:2uIydk/jPoi+9yKe/1U
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ij84
Decoy domains: 65 entries
Signatures

Formbook payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/3984-25-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/4324-29-0x0000000000770000-0x000000000079F000-memory.dmp | formbook

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe

Drops startup file (3 IoCs)
Processes: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe, cmd.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83je7dhd73hyh.lnk | 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe | cmd.exe

Executes dropped EXE (1 IoC)
Processes: 83je7dhd73hyh.exe
  pid | process
  3740 | 83je7dhd73hyh.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: 83je7dhd73hyh.exe, AddInProcess32.exe, NETSTAT.EXE
  description | pid | process | target process
  PID 3740 set thread context of 3984 | 3740 | 83je7dhd73hyh.exe | AddInProcess32.exe
  PID 3984 set thread context of 3520 | 3984 | AddInProcess32.exe | Explorer.EXE
  PID 4324 set thread context of 3520 | 4324 | NETSTAT.EXE | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes: NETSTAT.EXE
  pid | process
  4324 | NETSTAT.EXE

Runs ping.exe (1 TTP, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe, teget3eet36.exe, 83je7dhd73hyh.exe, AddInProcess32.exe, NETSTAT.EXE
The report lists one row per observation; the distinct pid/process pairs are:
  pid | process
  832 | 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe
  2512 | teget3eet36.exe
  3740 | 83je7dhd73hyh.exe
  3984 | AddInProcess32.exe
  4324 | NETSTAT.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: AddInProcess32.exe, NETSTAT.EXE
  pid | process
  3984 | AddInProcess32.exe (x3)
  4324 | NETSTAT.EXE (x2)

Suspicious behavior: RenamesItself (1 IoC)
Processes: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe
  pid | process
  832 | 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe, teget3eet36.exe, 83je7dhd73hyh.exe, AddInProcess32.exe, NETSTAT.EXE, Explorer.EXE
  description | pid | process
  Token: SeDebugPrivilege | 832 | 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe
  Token: SeDebugPrivilege | 2512 | teget3eet36.exe
  Token: SeDebugPrivilege | 3740 | 83je7dhd73hyh.exe
  Token: SeDebugPrivilege | 3984 | AddInProcess32.exe
  Token: SeDebugPrivilege | 4324 | NETSTAT.EXE
  Token: SeShutdownPrivilege | 3520 | Explorer.EXE (x4)
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE (x4)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
  pid | process
  3520 | Explorer.EXE (x2)

Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
  pid | process
  3520 | Explorer.EXE

Suspicious use of WriteProcessMemory (27 IoCs)
Processes: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe, teget3eet36.exe, cmd.exe, 83je7dhd73hyh.exe, Explorer.EXE, NETSTAT.EXE
  description | pid | process | target process
  PID 832 wrote to memory of 2512 | 832 | 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe | teget3eet36.exe (x3)
  PID 2512 wrote to memory of 4472 | 2512 | teget3eet36.exe | cmd.exe (x3)
  PID 4472 wrote to memory of 4108 | 4472 | cmd.exe | PING.EXE (x3)
  PID 4472 wrote to memory of 1492 | 4472 | cmd.exe | PING.EXE (x3)
  PID 4472 wrote to memory of 3740 | 4472 | cmd.exe | 83je7dhd73hyh.exe (x3)
  PID 3740 wrote to memory of 3984 | 3740 | 83je7dhd73hyh.exe | AddInProcess32.exe (x6)
  PID 3520 wrote to memory of 4324 | 3520 | Explorer.EXE | NETSTAT.EXE (x3)
  PID 4324 wrote to memory of 884 | 4324 | NETSTAT.EXE | cmd.exe (x3)
Processes (indented by depth in the process tree)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 3520

  C:\Users\Admin\AppData\Local\Temp\9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe"
    - Checks computer location settings
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 832

    C:\Users\Admin\AppData\Local\Temp\teget3eet36.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\teget3eet36.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2512

      C:\Windows\SysWOW64\cmd.exe
        command line: "cmd" /c ping 127.0.0.1 -n 11 > nul && copy "C:\Users\Admin\AppData\Local\Temp\teget3eet36.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe" && ping 127.0.0.1 -n 11 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe"
        - Drops startup file
        - Suspicious use of WriteProcessMemory
        PID: 4472

        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 11
          - Runs ping.exe
          PID: 4108

        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 11
          - Runs ping.exe
          PID: 1492

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 3740

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            PID: 3984

  C:\Windows\SysWOW64\NETSTAT.EXE
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4324

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      PID: 884
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe
Filesize: 816KB
MD5: 240f134e5318c9efc8f4edb219a9b16f
SHA1: 7150a57a5817c1602524fc2b3b8dfc2910b77148
SHA256: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613
SHA512: 704090e6007ae618f397d86ec1c7ffd8b2152cb2dfcbe6813a4d04963f07805ff7fd7f3ae4bdf99477f0791c31ede7609f59265a803893c7c89f07b62841f581