Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 05:07

Static task: static1

Behavioral task: behavioral1
Sample: cef1565654989742eaffa2cbc59947eb.exe
Resource: win7-20240220-en

General
Target: cef1565654989742eaffa2cbc59947eb.exe
Size: 658KB
MD5: cef1565654989742eaffa2cbc59947eb
SHA1: afef46a08dc6a2e1b3c8a9c6b58627677403f7b5
SHA256: f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9
SHA512: 53b9b0cf0d8d1c815c269e1f152ee26cda3fe18e277341f753c2d98a134e32a1c4bc6691d99cee68942e497014785087a20b2563005fd7ce4aaac9511ccfcf97
SSDEEP: 12288:v0nTYdzssaVbe+32tFnbEaluZO4LjAIzlalEhq6o7i4ID3/SH:7zsscbeWaj4LjBhs6oV5H
Malware Config
Extracted
formbook
4.1
ht3d
Signatures

Formbook payload (1 IoC)
  resource: behavioral1/memory/2572-11-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
  description                         pid   process                               target process
  PID 3044 set thread context of 2572 3044  cef1565654989742eaffa2cbc59947eb.exe  cef1565654989742eaffa2cbc59947eb.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  2572  cef1565654989742eaffa2cbc59947eb.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   process                               target process
  PID 3044 wrote to memory of 2572  3044  cef1565654989742eaffa2cbc59947eb.exe  cef1565654989742eaffa2cbc59947eb.exe
  PID 3044 wrote to memory of 2572  3044  cef1565654989742eaffa2cbc59947eb.exe  cef1565654989742eaffa2cbc59947eb.exe
  PID 3044 wrote to memory of 2572  3044  cef1565654989742eaffa2cbc59947eb.exe  cef1565654989742eaffa2cbc59947eb.exe
  PID 3044 wrote to memory of 2572  3044  cef1565654989742eaffa2cbc59947eb.exe  cef1565654989742eaffa2cbc59947eb.exe
  PID 3044 wrote to memory of 2572  3044  cef1565654989742eaffa2cbc59947eb.exe  cef1565654989742eaffa2cbc59947eb.exe
  PID 3044 wrote to memory of 2572  3044  cef1565654989742eaffa2cbc59947eb.exe  cef1565654989742eaffa2cbc59947eb.exe
  PID 3044 wrote to memory of 2572  3044  cef1565654989742eaffa2cbc59947eb.exe  cef1565654989742eaffa2cbc59947eb.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\cef1565654989742eaffa2cbc59947eb.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\cef1565654989742eaffa2cbc59947eb.exe"
   PID: 3044
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\cef1565654989742eaffa2cbc59947eb.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\cef1565654989742eaffa2cbc59947eb.exe"
      PID: 2572
      - Suspicious behavior: EnumeratesProcesses