Analysis
max time kernel: 140s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 19:02
Static task: static1
Behavioral task: behavioral1
Sample: PO181219.exe
Resource: win7-20240221-en
General
Target: PO181219.exe
Size: 466KB
MD5: 9f1c4ea29a9490e84c85ee622ebbee83
SHA1: 03eb6bec9ca71f61726134e031ef1c96609c6fbf
SHA256: 4cf3f2e4957d449f51f1a5dd6b20765aa7a1fe89231f1ea3748cd0c0e90d74c4
SHA512: 2eccd244877aae74692294905fa6d11e7b1d67d03c44147f59dddf1b6d6ffe849529bf1e0ccd1b142d5767c281e229053d6d5d513bcc3c0ec9b428a735ed5f97
SSDEEP: 12288:jGNJ561IweViPtQjDMEnSHTigQWX+T/XRfoxwo4P:jGGy+t8kTEOY/4wo4
Malware Config
Extracted
formbook
3.9
h332
Signatures

Formbook payload (1 IoC)
Processes:
  resource: behavioral2/memory/4696-19-0x0000000000810000-0x000000000083A000-memory.dmp
  yara_rule: formbook

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: PO181219.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
  process: PO181219.exe

Executes dropped EXE (2 IoCs)
Processes: thxx.exe, thxx.exe
  pid   process
  4424  thxx.exe
  4696  thxx.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: thxx.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\thxx.exe -boot"
  process: thxx.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: thxx.exe
  description                               pid   process   target process
  PID 4424 set thread context of 4696       4424  thxx.exe  thxx.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target  process       target process
  3044  4696        WerFault.exe  thxx.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: PO181219.exe, thxx.exe
  description              pid   process
  Token: SeDebugPrivilege  2244  PO181219.exe
  Token: SeDebugPrivilege  4424  thxx.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: PO181219.exe, cmd.exe, thxx.exe
  description                        pid   process       target process
  PID 2244 wrote to memory of 4540   2244  PO181219.exe  cmd.exe
  PID 2244 wrote to memory of 4540   2244  PO181219.exe  cmd.exe
  PID 2244 wrote to memory of 4540   2244  PO181219.exe  cmd.exe
  PID 2244 wrote to memory of 1648   2244  PO181219.exe  cmd.exe
  PID 2244 wrote to memory of 1648   2244  PO181219.exe  cmd.exe
  PID 2244 wrote to memory of 1648   2244  PO181219.exe  cmd.exe
  PID 1648 wrote to memory of 4424   1648  cmd.exe       thxx.exe
  PID 1648 wrote to memory of 4424   1648  cmd.exe       thxx.exe
  PID 1648 wrote to memory of 4424   1648  cmd.exe       thxx.exe
  PID 4424 wrote to memory of 4696   4424  thxx.exe      thxx.exe
  PID 4424 wrote to memory of 4696   4424  thxx.exe      thxx.exe
  PID 4424 wrote to memory of 4696   4424  thxx.exe      thxx.exe
  PID 4424 wrote to memory of 4696   4424  thxx.exe      thxx.exe
  PID 4424 wrote to memory of 4696   4424  thxx.exe      thxx.exe
  PID 4424 wrote to memory of 4696   4424  thxx.exe      thxx.exe
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\PO181219.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\PO181219.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2244

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\PO181219.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe"
    PID: 4540

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1648

    (depth 3) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4424

      (depth 4) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe"
        - Executes dropped EXE
        PID: 4696

        (depth 5) C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 184
          - Program crash
          PID: 3044

(depth 1) C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4696 -ip 4696
  PID: 1976
Network
MITRE ATT&CK Enterprise v15