Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 05:07
Static task: static1
Behavioral task: behavioral1
Sample: f49a18388f070afc8f7a17f6053666ba.exe
Resource: win7-20240221-en
General
Target: f49a18388f070afc8f7a17f6053666ba.exe
Size: 718KB
MD5: f49a18388f070afc8f7a17f6053666ba
SHA1: d1062e2c38badf9aac1a2c2d0bf4ea7f3e07341b
SHA256: 3b746894d0a71f6162d96d2af36bea8d794d7e23af44c5536fcf97d416510a6e
SHA512: 6557e22c3e5542262cb8d9ae6c1a79a17f8ce2b9666dfab3ea2df5acd8c23bda607358569b75454cb49a3d36448c08a1a671923f27c13b2473d5925842a7cd34
SSDEEP: 12288:Me0ReLAfP7wD6ZtqzvBzmAqdse00yzr+zdW4WgxUHPp8RGHwAOovhbuigPc20mk1:Me+537wDAtqFmAq500yuZWfK8QrQh
Malware Config
Extracted
formbook
4.1
ht3d
Signatures

Formbook payload (1 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2292-17-0x0000000000400000-0x000000000042F000-memory.dmp | formbook

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 2856 set thread context of 2292 | 2856 | f49a18388f070afc8f7a17f6053666ba.exe | f49a18388f070afc8f7a17f6053666ba.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
2856 | f49a18388f070afc8f7a17f6053666ba.exe
2856 | f49a18388f070afc8f7a17f6053666ba.exe
2292 | f49a18388f070afc8f7a17f6053666ba.exe
2556 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2856 | f49a18388f070afc8f7a17f6053666ba.exe
Token: SeDebugPrivilege | 2556 | powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | process | target process
PID 2856 wrote to memory of 2556 | 2856 | f49a18388f070afc8f7a17f6053666ba.exe | powershell.exe (4 entries)
PID 2856 wrote to memory of 2576 | 2856 | f49a18388f070afc8f7a17f6053666ba.exe | schtasks.exe (4 entries)
PID 2856 wrote to memory of 2292 | 2856 | f49a18388f070afc8f7a17f6053666ba.exe | f49a18388f070afc8f7a17f6053666ba.exe (7 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\f49a18388f070afc8f7a17f6053666ba.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f49a18388f070afc8f7a17f6053666ba.exe"
    PID: 2856
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zNukUlepyAI.exe"
        PID: 2556
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zNukUlepyAI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A78.tmp"
        PID: 2576
        - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\f49a18388f070afc8f7a17f6053666ba.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\f49a18388f070afc8f7a17f6053666ba.exe"
        PID: 2292
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: ca21a5e7b93c2499f1bb2fb40f461e21
SHA1: eebc3468c5e7975c6199fcbddaff8278dcb6aae2
SHA256: 67f24b9160aa46d068d1b1cdd20db158ff064a2736de68863a218c22952d80a5
SHA512: 3be73bd3329f8129e611c7d302f7eeb184787d97e8173787c651ffeee379b6cec4db458b6453d7e871c18369c9767bb6d7bd4f6a61466443a275431d573ccea5