Analysis
- max time kernel: 145s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 10:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
- Resource: win7-20240215-en
General
- Target: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
- Size: 1.3MB
- MD5: 3cf399ac1e7a741fa3942a907f29573a
- SHA1: 5e33b0e06d0a0527c18367376c31ad85ed15993c
- SHA256: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63
- SHA512: f5ada832edf1c251f1d314a31251cae5b8c9e9fa3f406ea4ecc377588cffa4be88d470f0a8ffa6c50daf5cc90b742e106f64e52f01b832911d1b5a4b233264d6
- SSDEEP: 24576:MAHnh+eWsN3skA4RV1Hom2KXMmHa6it5oGkezi5:rh+ZkldoPK8Ya6it+3
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: se62
Signatures

Formbook payload (3 IoCs)
Resource / YARA rule:
- behavioral2/memory/4456-11-0x00000000006F0000-0x000000000071F000-memory.dmp: formbook
- behavioral2/memory/4456-15-0x00000000006F0000-0x000000000071F000-memory.dmp: formbook
- behavioral2/memory/4456-21-0x00000000012E0000-0x000000000130F000-memory.dmp: formbook

Suspicious use of SetThreadContext (3 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, svchost.exe, wlanext.exe
- PID 3884 (29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe) set thread context of PID 4456 (svchost.exe)
- PID 4456 (svchost.exe) set thread context of PID 3436 (Explorer.EXE)
- PID 4856 (wlanext.exe) set thread context of PID 3436 (Explorer.EXE)

Program crash (1 IoC)
Processes: WerFault.exe
- PID 4524 (WerFault.exe), target PID 3884 (29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe)

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes: svchost.exe, wlanext.exe
- PID 4456 (svchost.exe): 4 entries
- PID 4856 (wlanext.exe): 56 entries

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, svchost.exe, wlanext.exe
- PID 3884 (29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe): 2 entries
- PID 4456 (svchost.exe): 3 entries
- PID 4856 (wlanext.exe): 2 entries

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: svchost.exe, Explorer.EXE, wlanext.exe
- Token: SeDebugPrivilege, PID 4456 (svchost.exe)
- Token: SeShutdownPrivilege, PID 3436 (Explorer.EXE)
- Token: SeCreatePagefilePrivilege, PID 3436 (Explorer.EXE)
- Token: SeShutdownPrivilege, PID 3436 (Explorer.EXE)
- Token: SeCreatePagefilePrivilege, PID 3436 (Explorer.EXE)
- Token: SeDebugPrivilege, PID 4856 (wlanext.exe)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
- PID 3884 (29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe): 2 entries

Suspicious use of SendNotifyMessage (2 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
- PID 3884 (29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe): 2 entries

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, Explorer.EXE, wlanext.exe
- PID 3884 (29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe) wrote to memory of PID 4456 (svchost.exe): 4 entries
- PID 3436 (Explorer.EXE) wrote to memory of PID 4856 (wlanext.exe): 3 entries
- PID 4856 (wlanext.exe) wrote to memory of PID 2428 (cmd.exe): 3 entries
Processes
- C:\Windows\Explorer.EXE (PID 3436), command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe (PID 3884), command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 4456), command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 4524), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 704
      - Program crash
  - C:\Windows\SysWOW64\wlanext.exe (PID 4856), command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2428), command line: /c del "C:\Windows\SysWOW64\svchost.exe"
- C:\Windows\SysWOW64\WerFault.exe (PID 312), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3884 -ip 3884