Analysis
max time kernel: 145s
max time network: 132s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-05-2024 01:11
Static task: static1
Behavioral task: behavioral1
Sample: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
Resource: win7-20240221-en
General
Target: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
Size: 1.3MB
MD5: 3cf399ac1e7a741fa3942a907f29573a
SHA1: 5e33b0e06d0a0527c18367376c31ad85ed15993c
SHA256: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63
SHA512: f5ada832edf1c251f1d314a31251cae5b8c9e9fa3f406ea4ecc377588cffa4be88d470f0a8ffa6c50daf5cc90b742e106f64e52f01b832911d1b5a4b233264d6
SSDEEP: 24576:MAHnh+eWsN3skA4RV1Hom2KXMmHa6it5oGkezi5:rh+ZkldoPK8Ya6it+3
Malware Config
Extracted
formbook
4.1
se62
Signatures

Formbook payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2520-11-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2520-14-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2228-19-0x00000000000C0000-0x00000000000EF000-memory.dmp   formbook

Suspicious use of SetThreadContext (3 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, svchost.exe, chkdsk.exe
  description                          pid   process                                                                 target process
  PID 2188 set thread context of 2520  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  svchost.exe
  PID 2520 set thread context of 1192  2520  svchost.exe                                                             Explorer.EXE
  PID 2228 set thread context of 1192  2228  chkdsk.exe                                                              Explorer.EXE

Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes: chkdsk.exe
  description        ioc                                                       process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes: svchost.exe, chkdsk.exe
  pid   process
  2520  svchost.exe
  2520  svchost.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe
  2228  chkdsk.exe

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, svchost.exe, chkdsk.exe
  pid   process
  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
  2520  svchost.exe
  2520  svchost.exe
  2520  svchost.exe
  2228  chkdsk.exe
  2228  chkdsk.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: svchost.exe, chkdsk.exe
  description              pid   process
  Token: SeDebugPrivilege  2520  svchost.exe
  Token: SeDebugPrivilege  2228  chkdsk.exe

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, Explorer.EXE
  pid   process
  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, Explorer.EXE
  pid   process
  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
  1192  Explorer.EXE
  1192  Explorer.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, Explorer.EXE, chkdsk.exe
  description                       pid   process                                                                 target process
  PID 2188 wrote to memory of 2520  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  svchost.exe
  PID 2188 wrote to memory of 2520  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  svchost.exe
  PID 2188 wrote to memory of 2520  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  svchost.exe
  PID 2188 wrote to memory of 2520  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  svchost.exe
  PID 2188 wrote to memory of 2520  2188  29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  svchost.exe
  PID 1192 wrote to memory of 2228  1192  Explorer.EXE                                                            chkdsk.exe
  PID 1192 wrote to memory of 2228  1192  Explorer.EXE                                                            chkdsk.exe
  PID 1192 wrote to memory of 2228  1192  Explorer.EXE                                                            chkdsk.exe
  PID 1192 wrote to memory of 2228  1192  Explorer.EXE                                                            chkdsk.exe
  PID 2228 wrote to memory of 2580  2228  chkdsk.exe                                                              cmd.exe
  PID 2228 wrote to memory of 2580  2228  chkdsk.exe                                                              cmd.exe
  PID 2228 wrote to memory of 2580  2228  chkdsk.exe                                                              cmd.exe
  PID 2228 wrote to memory of 2580  2228  chkdsk.exe                                                              cmd.exe
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1192

  C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2188

    C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 2520

  C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2228

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
      PID: 2580