Analysis

max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 01:11

Static task: static1
Behavioral task: behavioral1
Sample: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
Resource: win7-20240221-en
General

Target: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
Size: 1.3MB
MD5: 3cf399ac1e7a741fa3942a907f29573a
SHA1: 5e33b0e06d0a0527c18367376c31ad85ed15993c
SHA256: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63
SHA512: f5ada832edf1c251f1d314a31251cae5b8c9e9fa3f406ea4ecc377588cffa4be88d470f0a8ffa6c50daf5cc90b742e106f64e52f01b832911d1b5a4b233264d6
SSDEEP: 24576:MAHnh+eWsN3skA4RV1Hom2KXMmHa6it5oGkezi5:rh+ZkldoPK8Ya6it+3
Malware Config

Extracted: formbook 4.1 se62
wkb41961shv.com
bdsxm.com
renovationslandscaping.info
qhsmgysm.com
fetbody.com
injured444.live
teensfeel.us
zi59wp1h.com
dfrtrucking.com
16milevet.com
patternzi.com
homeinsectcontrolpros.com
alcosa-peru.com
rmicompletesolutions.co.za
nnhealthhk.com
fitversus.com
hgxaf155.com
hizlitakibin.com
kjhwbk.top
gokarpemed.com
isthistheyearofsrt.com
keescollection.net
521745.cc
9072316z.vip
fukada.shop
citylinechimneytrevosepa.us
yigongqi.sbs
telehealth.fitness
seo-andorra.com
roofing-companies-in-usa.bond
hmnna.us
motoslolo55.com
bbest6.com
fafalie.buzz
miltonhess.com
gleamhorizon.shop
lupoq.xyz
465172.com
gljjw.com
839laurelwood.com
e-touwbrommer.site
4ast6.us
jalogistic.com
1658012cc.com
geenginering.com
crazyestvault.com
smartpremium.net
kinghood.co
pacificalashes.com
jolssucksmade.shop
powerfitfoods.com
loveisactionfoundation.com
blackred.bet
omf.fo
herendkdocsmicroviewj.com
qw1so.us
udioh.com
ddo-constructions.com
homeschoolgymnastics.com
dental-implants-40961.bond
foret-cineraire.net
minicartoontv.xyz
isowrdi443.xyz
laboujeebar.com
berbarry.com
Signatures

Formbook payload (3 IoCs)
  behavioral2/memory/1548-11-0x0000000000400000-0x000000000042F000-memory.dmp  (yara_rule: formbook)
  behavioral2/memory/1548-14-0x0000000000400000-0x000000000042F000-memory.dmp  (yara_rule: formbook)
  behavioral2/memory/4688-20-0x00000000012D0000-0x00000000012FF000-memory.dmp  (yara_rule: formbook)

Suspicious use of SetThreadContext (3 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, svchost.exe, explorer.exe
  PID 3536 set thread context of 1548  (pid 3536, process 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, target process svchost.exe)
  PID 1548 set thread context of 3408  (pid 1548, process svchost.exe, target process Explorer.EXE)
  PID 4688 set thread context of 3408  (pid 4688, process explorer.exe, target process Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes: svchost.exe, explorer.exe
  1548 svchost.exe  (4 entries)
  4688 explorer.exe  (remaining 58 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, svchost.exe, explorer.exe
  3536 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  (1 entry)
  1548 svchost.exe  (3 entries)
  4688 explorer.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: svchost.exe, explorer.exe
  Token: SeDebugPrivilege  (pid 1548, process svchost.exe)
  Token: SeDebugPrivilege  (pid 4688, process explorer.exe)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
  3536 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
  3536 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  (2 entries)

Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
  3408 Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, Explorer.EXE, explorer.exe
  PID 3536 wrote to memory of 1548  (pid 3536, process 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe, target process svchost.exe)  (4 entries)
  PID 3408 wrote to memory of 4688  (pid 3408, process Explorer.EXE, target process explorer.exe)  (3 entries)
  PID 4688 wrote to memory of 1220  (pid 4688, process explorer.exe, target process cmd.exe)  (3 entries)
Processes

C:\Windows\Explorer.EXE  (PID 3408)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe  (PID 3536)
    Command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe  (PID 1548)
      Command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\explorer.exe  (PID 4688)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1220)
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"