Analysis

max time kernel: 147s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 10-05-2024 05:56
Static task: static1
Behavioral task: behavioral1
  Sample: Doc20189700.exe
  Resource: win7-20231129-en
General

Target: Doc20189700.exe
Size: 545KB
MD5: 7bce7d55931c5f34701501a38aa95cd3
SHA1: 7af77f1afe68b94a6617ac9a1ed5d21b66ca4008
SHA256: 742be802e5d909d41c46fd374e6682f0467003e03f5387f37fe18d407322e5a5
SHA512: 7bb4e470452a1f0dcd2bcc247c179d3c41b3fdac2aa694f6c79f7af71605226648ad3b57129f3930f85c7b10fc4329a622cbb7ffc27fe9fbb1b7aa4258a742c7
SSDEEP: 12288:WwSpsazDx3ScS946sj0kBFZWHcupoC+22bFK9Z47:1yDzcn4jrZTrJbG4
Malware Config

Extracted: formbook 3.9
h323
Domains:
sanfransiscolotto.com
mcginnisformayor.com
puer-energy.net
hieusport.com
alevelcourse.net
excelcium-promotion.info
waehlergemeinschaft-bergen.com
capstone-asphalt.com
ppacspromsecureproved3.info
bm9993.com
zhuozixf119.com
sgy64dq.ink
qukuaifun.com
boletosdeavion.store
ministeriofaceaface.com
xn--fiq06lpuc3zab58o04p.com
sunglassessales.win
jano.tech
tillillishop.com
tyty544.com
mass.ink
evenext.com
rodantesmtbclub.com
diaral.com
rhytdmmusical.com
beautysaaz.party
proven--sa.com
youthfulfit.info
sondakikahaberci.net
mahneshan.com
ycxsms.com
appguanfang.com
carolsfitnesscenter.com
fibro.world
xn--cjrz24bhumrgi.com
yourclarityyouth.com
libertarian.loan
sandraitapia.com
xiwin.win
xn--uckc2azjh4j644xg68a.net
pewnahistoria.online
bearsop.com
freshwatercoaching.net
hentaicomicsforadults.info
kruvltd.com
2209liveoak.com
suohsex.com
littlebiologist.com
web-link.online
petronellanatalie.com
indyallcash.com
millennialmentorship.com
brehinier.com
22catcher.com
jinnuqu.com
pirate.exchange
scapegoatboutique.com
ugrowsocial.com
bumperrepairvan.com
piapower.world
junmaihonjikomi.com
hongnhustore.online
wirewp.com
7pinggui.com
phonelc.com
Signatures

Formbook payload (1 IoC)
  resource                                                                    yara_rule
  behavioral1/memory/2736-12-0x0000000000400000-0x000000000042A000-memory.dmp  formbook
Executes dropped EXE (2 IoCs)
  pid   process
  2660  kist.exe
  2736  kist.exe
Loads dropped DLL (1 IoC)
  pid   process
  2672  cmd.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                                                                         process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\kist.exe -boot"  kist.exe
Suspicious use of SetThreadContext (3 IoCs)
  description                               pid   process   target process
  PID 2660 set thread context of 2736       2660  kist.exe  kist.exe
  PID 2736 set thread context of 1340       2736  kist.exe  Explorer.EXE
  PID 2516 set thread context of 1340       2516  cmd.exe   Explorer.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid   process
  2736  kist.exe  (2 entries)
  2516  cmd.exe   (20 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process
  2736  kist.exe  (3 entries)
  2516  cmd.exe   (2 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2240  Doc20189700.exe
  Token: SeDebugPrivilege  2660  kist.exe
  Token: SeDebugPrivilege  2736  kist.exe
  Token: SeDebugPrivilege  2516  cmd.exe
Suspicious use of WriteProcessMemory (27 IoCs)
  description                         pid   process          target process
  PID 2240 wrote to memory of 3008    2240  Doc20189700.exe  cmd.exe   (4 entries)
  PID 2240 wrote to memory of 2672    2240  Doc20189700.exe  cmd.exe   (4 entries)
  PID 2672 wrote to memory of 2660    2672  cmd.exe          kist.exe  (4 entries)
  PID 2660 wrote to memory of 2736    2660  kist.exe         kist.exe  (7 entries)
  PID 1340 wrote to memory of 2516    1340  Explorer.EXE     cmd.exe   (4 entries)
  PID 2516 wrote to memory of 1788    2516  cmd.exe          cmd.exe   (4 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1340
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Doc20189700.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Doc20189700.exe"
    PID: 2240
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Doc20189700.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe"
      PID: 3008

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe"
      PID: 2672
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe"
        PID: 2660
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe"
          PID: 2736
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\SysWOW64\cmd.exe"
    PID: 2516
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe"
      PID: 1788
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 545KB
MD5: 7bce7d55931c5f34701501a38aa95cd3
SHA1: 7af77f1afe68b94a6617ac9a1ed5d21b66ca4008
SHA256: 742be802e5d909d41c46fd374e6682f0467003e03f5387f37fe18d407322e5a5
SHA512: 7bb4e470452a1f0dcd2bcc247c179d3c41b3fdac2aa694f6c79f7af71605226648ad3b57129f3930f85c7b10fc4329a622cbb7ffc27fe9fbb1b7aa4258a742c7