Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 10:26

Static task: static1
Behavioral task: behavioral1
Sample: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
Resource: win7-20240221-en
General
- Target: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
- Size: 1.3MB
- MD5: 3cf399ac1e7a741fa3942a907f29573a
- SHA1: 5e33b0e06d0a0527c18367376c31ad85ed15993c
- SHA256: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63
- SHA512: f5ada832edf1c251f1d314a31251cae5b8c9e9fa3f406ea4ecc377588cffa4be88d470f0a8ffa6c50daf5cc90b742e106f64e52f01b832911d1b5a4b233264d6
- SSDEEP: 24576:MAHnh+eWsN3skA4RV1Hom2KXMmHa6it5oGkezi5:rh+ZkldoPK8Ya6it+3
Malware Config
Extracted: formbook 4.1 se62
Domains:
wkb41961shv.com
bdsxm.com
renovationslandscaping.info
qhsmgysm.com
fetbody.com
injured444.live
teensfeel.us
zi59wp1h.com
dfrtrucking.com
16milevet.com
patternzi.com
homeinsectcontrolpros.com
alcosa-peru.com
rmicompletesolutions.co.za
nnhealthhk.com
fitversus.com
hgxaf155.com
hizlitakibin.com
kjhwbk.top
gokarpemed.com
isthistheyearofsrt.com
keescollection.net
521745.cc
9072316z.vip
fukada.shop
citylinechimneytrevosepa.us
yigongqi.sbs
telehealth.fitness
seo-andorra.com
roofing-companies-in-usa.bond
hmnna.us
motoslolo55.com
bbest6.com
fafalie.buzz
miltonhess.com
gleamhorizon.shop
lupoq.xyz
465172.com
gljjw.com
839laurelwood.com
e-touwbrommer.site
4ast6.us
jalogistic.com
1658012cc.com
geenginering.com
crazyestvault.com
smartpremium.net
kinghood.co
pacificalashes.com
jolssucksmade.shop
powerfitfoods.com
loveisactionfoundation.com
blackred.bet
omf.fo
herendkdocsmicroviewj.com
qw1so.us
udioh.com
ddo-constructions.com
homeschoolgymnastics.com
dental-implants-40961.bond
foret-cineraire.net
minicartoontv.xyz
isowrdi443.xyz
laboujeebar.com
berbarry.com
Signatures

- Formbook payload (3 IoCs)
  resource  yara_rule
  behavioral2/memory/232-11-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/232-14-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/3076-21-0x0000000000980000-0x00000000009AF000-memory.dmp  formbook

- Suspicious use of SetThreadContext (3 IoCs)
  Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, svchost.exe, WWAHost.exe
  description  pid  process  target process
  PID 916 set thread context of 232  916  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  svchost.exe
  PID 232 set thread context of 3512  232  svchost.exe  Explorer.EXE
  PID 3076 set thread context of 3512  3076  WWAHost.exe  Explorer.EXE

- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes: svchost.exe, WWAHost.exe
  pid  process
  232  svchost.exe (4 entries)
  3076  WWAHost.exe (58 entries)

- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, svchost.exe, WWAHost.exe
  pid  process
  916  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe (1 entry)
  232  svchost.exe (3 entries)
  3076  WWAHost.exe (2 entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: svchost.exe, WWAHost.exe
  description  pid  process
  Token: SeDebugPrivilege  232  svchost.exe
  Token: SeDebugPrivilege  3076  WWAHost.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
  pid  process
  916  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe (2 entries)

- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
  pid  process
  916  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe (2 entries)

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, Explorer.EXE, WWAHost.exe
  description  pid  process  target process
  PID 916 wrote to memory of 232  916  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  svchost.exe (4 entries)
  PID 3512 wrote to memory of 3076  3512  Explorer.EXE  WWAHost.exe (3 entries)
  PID 3076 wrote to memory of 1820  3076  WWAHost.exe  cmd.exe (3 entries)
Processes

C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 3512
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe (command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"), PID 916
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"), PID 232
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WWAHost.exe (command line: "C:\Windows\SysWOW64\WWAHost.exe"), PID 3076
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Windows\SysWOW64\svchost.exe"), PID 1820