Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 10:30
Behavioral task: behavioral1
Sample: New request for quotation9867875fdp.exe
Resource: win7-20240220-en
General
Target: New request for quotation9867875fdp.exe
Size: 450KB
MD5: 8bdeb6070b54bcbb362faea15aaf8f7f
SHA1: 7708c09b98622341b13ffcb99fd61778f51c16fc
SHA256: 63b52bedfe18fe9a059dafcf21ed7d2bd58b00e8b4078c98e165c36e3d347b60
SHA512: 1033d22a99be996d10eea1affa1beaf067eb29c7235ae7080e86f8da71b0ee5252b4cdf45e0553897cdeae49154c113cf7ac8ed02bc2a38de8df1b1d042d0c23
SSDEEP: 6144:9aUDG3Kp1O6VEJD6Lpzu5VGZ1xbt3oN/EqiOq762DOHXRSE8:9aUDd26VEt6pu5GbtwEqXq7pDOHw
Malware Config
Extracted
formbook
4.1
m1d
Signatures

Formbook payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2040-1-0x0000000000A80000-0x0000000000AF6000-memory.dmp | formbook
behavioral1/memory/2644-14-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
behavioral1/memory/2644-19-0x0000000000400000-0x000000000042D000-memory.dmp | formbook

Deletes itself (1 IoC)
pid | process
2684 | cmd.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/2040-2-0x00000000002F0000-0x0000000000304000-memory.dmp | agile_net

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 2040 set thread context of 2644 | 2040 | New request for quotation9867875fdp.exe | New request for quotation9867875fdp.exe
PID 2644 set thread context of 1152 | 2644 | New request for quotation9867875fdp.exe | Explorer.EXE
PID 2408 set thread context of 1152 | 2408 | rundll32.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid | process
2040 | New request for quotation9867875fdp.exe
2040 | New request for quotation9867875fdp.exe
2040 | New request for quotation9867875fdp.exe
2644 | New request for quotation9867875fdp.exe
2644 | New request for quotation9867875fdp.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe
2408 | rundll32.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process
2644 | New request for quotation9867875fdp.exe
2644 | New request for quotation9867875fdp.exe
2644 | New request for quotation9867875fdp.exe
2408 | rundll32.exe
2408 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2040 | New request for quotation9867875fdp.exe
Token: SeDebugPrivilege | 2644 | New request for quotation9867875fdp.exe
Token: SeDebugPrivilege | 2408 | rundll32.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | process | target process
PID 2040 wrote to memory of 2644 | 2040 | New request for quotation9867875fdp.exe | New request for quotation9867875fdp.exe
PID 2040 wrote to memory of 2644 | 2040 | New request for quotation9867875fdp.exe | New request for quotation9867875fdp.exe
PID 2040 wrote to memory of 2644 | 2040 | New request for quotation9867875fdp.exe | New request for quotation9867875fdp.exe
PID 2040 wrote to memory of 2644 | 2040 | New request for quotation9867875fdp.exe | New request for quotation9867875fdp.exe
PID 2040 wrote to memory of 2644 | 2040 | New request for quotation9867875fdp.exe | New request for quotation9867875fdp.exe
PID 2040 wrote to memory of 2644 | 2040 | New request for quotation9867875fdp.exe | New request for quotation9867875fdp.exe
PID 2040 wrote to memory of 2644 | 2040 | New request for quotation9867875fdp.exe | New request for quotation9867875fdp.exe
PID 1152 wrote to memory of 2408 | 1152 | Explorer.EXE | rundll32.exe
PID 1152 wrote to memory of 2408 | 1152 | Explorer.EXE | rundll32.exe
PID 1152 wrote to memory of 2408 | 1152 | Explorer.EXE | rundll32.exe
PID 1152 wrote to memory of 2408 | 1152 | Explorer.EXE | rundll32.exe
PID 1152 wrote to memory of 2408 | 1152 | Explorer.EXE | rundll32.exe
PID 1152 wrote to memory of 2408 | 1152 | Explorer.EXE | rundll32.exe
PID 1152 wrote to memory of 2408 | 1152 | Explorer.EXE | rundll32.exe
PID 2408 wrote to memory of 2684 | 2408 | rundll32.exe | cmd.exe
PID 2408 wrote to memory of 2684 | 2408 | rundll32.exe | cmd.exe
PID 2408 wrote to memory of 2684 | 2408 | rundll32.exe | cmd.exe
PID 2408 wrote to memory of 2684 | 2408 | rundll32.exe | cmd.exe
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875fdp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875fdp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875fdp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875fdp.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875fdp.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
memory/1152-20-0x0000000003BD0000-0x0000000003CD0000-memory.dmp (Filesize 1024KB)
memory/1152-28-0x0000000006510000-0x00000000066B4000-memory.dmp (Filesize 1.6MB)
memory/1152-21-0x0000000006510000-0x00000000066B4000-memory.dmp (Filesize 1.6MB)
memory/2040-13-0x0000000074920000-0x000000007500E000-memory.dmp (Filesize 6.9MB)
memory/2040-15-0x0000000074920000-0x000000007500E000-memory.dmp (Filesize 6.9MB)
memory/2040-5-0x0000000074920000-0x000000007500E000-memory.dmp (Filesize 6.9MB)
memory/2040-1-0x0000000000A80000-0x0000000000AF6000-memory.dmp (Filesize 472KB)
memory/2040-2-0x00000000002F0000-0x0000000000304000-memory.dmp (Filesize 80KB)
memory/2040-10-0x000000007492E000-0x000000007492F000-memory.dmp (Filesize 4KB)
memory/2040-3-0x0000000000310000-0x0000000000318000-memory.dmp (Filesize 32KB)
memory/2040-0-0x000000007492E000-0x000000007492F000-memory.dmp (Filesize 4KB)
memory/2040-4-0x0000000000340000-0x0000000000348000-memory.dmp (Filesize 32KB)
memory/2408-23-0x0000000000630000-0x000000000063E000-memory.dmp (Filesize 56KB)
memory/2408-22-0x0000000000630000-0x000000000063E000-memory.dmp (Filesize 56KB)
memory/2408-25-0x0000000000630000-0x000000000063E000-memory.dmp (Filesize 56KB)
memory/2644-14-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
memory/2644-17-0x0000000000B00000-0x0000000000E03000-memory.dmp (Filesize 3.0MB)
memory/2644-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
memory/2644-19-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
memory/2644-18-0x0000000000210000-0x0000000000224000-memory.dmp (Filesize 80KB)
memory/2644-9-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
memory/2644-6-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)