Analysis
-
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 04-06-2024 10:30
Behavioral task: behavioral1
Sample: New request for quotation9867875fdp.exe
Resource: win7-20240220-en
General
-
Target: New request for quotation9867875fdp.exe
Size: 450KB
MD5: 8bdeb6070b54bcbb362faea15aaf8f7f
SHA1: 7708c09b98622341b13ffcb99fd61778f51c16fc
SHA256: 63b52bedfe18fe9a059dafcf21ed7d2bd58b00e8b4078c98e165c36e3d347b60
SHA512: 1033d22a99be996d10eea1affa1beaf067eb29c7235ae7080e86f8da71b0ee5252b4cdf45e0553897cdeae49154c113cf7ac8ed02bc2a38de8df1b1d042d0c23
SSDEEP: 6144:9aUDG3Kp1O6VEJD6Lpzu5VGZ1xbt3oN/EqiOq762DOHXRSE8:9aUDd26VEt6pu5GbtwEqXq7pDOHw
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: m1d
Decoy domains (Formbook hides its real C2 among decoy domains, many of which are legitimate sites; verify before blocklisting the whole list):
ecodezine.com
petshoot.com
finamoreservices.com
blcbbs.com
isarlog.com
vitall-holding.com
deeperootscbd.com
elizabethavan.com
xn--hizmetasistanm-igc.com
healing-with-touch.com
zebfx.com
optibm.com
mybrandsellsyourland.com
estebanell.com
average-gaming.net
beproudof.site
werrei.com
97mix.com
pastaneli.com
topryan.com
bfjhmahjong.com
zkdtest.com
zdijia.com
aisichem.com
yongchao.group
zifi.ltd
senior-planet.com
thewellbeingchef.com
eadi.solutions
inputy.com
cricketworld4u.party
722-722.com
topstockcasestudies.net
missionchoose.com
conscienciadelser.net
opticalmediaaccessoriesbest.win
folkhatti.com
0pe966.com
paperhelp10.com
thomasdraws.com
seoerwireless.win
canadaoba.com
xr-optima.com
afeducia.info
metrichubtechnologies.com
uglybeersweaters.com
onlinemarketing.group
man340.com
startup-365.com
bogoum.com
gaumt.com
luohehe.com
locationchocolate.com
bnuas.com
jovo.ltd
liwaclub.com
island-log.com
playcardstv.com
blirfint.com
groupnovalis.com
611ds.top
military-spouse-scholarship.com
768springfielde7.com
apolloroofingco.com
lodipytu.com
Signatures
-
Formbook payload (2 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3064-1-0x0000000000A40000-0x0000000000AB6000-memory.dmp    formbook
  behavioral2/memory/3948-13-0x0000000000550000-0x000000000057D000-memory.dmp   formbook
-
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3064-4-0x0000000002E00000-0x0000000002E14000-memory.dmp    agile_net
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3064 (New request for quotation9867875fdp.exe) set thread context of PID 3948 (New request for quotation9867875fdp.exe)
-
Program crash (1 IoC)
Processes:
  WerFault.exe (PID 4936) handled the crash of PID 3948 (New request for quotation9867875fdp.exe)
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  PID 3064 (New request for quotation9867875fdp.exe), 3 events
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 3064 (New request for quotation9867875fdp.exe), Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 3064 (New request for quotation9867875fdp.exe) wrote to memory of PID 3948 (New request for quotation9867875fdp.exe), 6 events
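The SetThreadContext and WriteProcessMemory rows above describe the same pair of processes: the first instance (PID 3064) spawns a second copy of its own image (PID 3948), writes into it six times and then replaces the child's thread context. Either primitive on its own is noisy (debuggers, installers and crash handlers use both), but the combination aimed at a freshly spawned child of the same image is the process-hollowing pattern that Formbook uses to unpack itself. The script below is an added example, not part of the sandbox report; it parses the report's flattened signature rows (constructed inline from the rows above) and emits a finding only when both primitives are seen against the same target. The row layout, the assumption that each process name ends in ".exe", and the finding fields are this example's own choices.

```python
"""Correlate sandbox injection events into a process-hollowing finding."""
import re
from collections import defaultdict

# Constructed sample input: the rows of the SetThreadContext, WriteProcessMemory
# and Program crash signatures, one event per line, in the sandbox's flattened
# "description pid process target process" layout.
SAMPLE_EVENTS = "\n".join(
    ["PID 3064 set thread context of 3948 3064 New request for quotation9867875fdp.exe New request for quotation9867875fdp.exe"]
    + ["PID 3064 wrote to memory of 3948 3064 New request for quotation9867875fdp.exe New request for quotation9867875fdp.exe"] * 6
    + ["4936 3948 WerFault.exe New request for quotation9867875fdp.exe"]
)

# Process names contain spaces, so each image name is delimited by its trailing
# ".exe" (assumption of this example, true for the rows above). The source PID
# appears twice in a row (description and pid column), hence the backreference.
_INJECT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$"
)
_CRASH_RE = re.compile(r"^(?P<wer>\d+) (?P<dst>\d+) WerFault\.exe (?P<dst_img>.+?\.exe)$")


def parse_events(text):
    """Turn signature rows into event dicts; rows in an unknown layout are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _INJECT_RE.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = "context" if d["verb"].startswith("set thread") else "write"
            events.append(d)
            continue
        m = _CRASH_RE.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = "crash"
            events.append(d)
    return events


def find_hollowing(events):
    """Flag (source, target) pairs where memory was written into the target AND the
    target's thread context was replaced. Reports whether both run the same image
    (self-injection) and whether the target later crashed, as context for triage."""
    pairs = defaultdict(lambda: {"writes": 0, "context_set": False})
    for e in events:
        if e["kind"] in ("write", "context"):
            p = pairs[(e["src"], e["dst"])]
            p["src_img"], p["dst_img"] = e["src_img"], e["dst_img"]
            if e["kind"] == "write":
                p["writes"] += 1
            else:
                p["context_set"] = True
    crashed = {e["dst"] for e in events if e["kind"] == "crash"}

    findings = []
    for (src, dst), p in sorted(pairs.items()):
        if p["writes"] and p["context_set"]:
            findings.append({
                "source": src,
                "target": dst,
                "writes": p["writes"],
                "same_image": p["src_img"] == p["dst_img"],
                "target_crashed": dst in crashed,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run against the rows above it yields one finding: 3064 into 3948, six writes, same image, target crashed. A single WriteProcessMemory with no SetThreadContext on the same target produces no finding, which is the point of correlating the two rather than alerting on either primitive alone.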
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875fdp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875fdp.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875fdp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875fdp.exe"
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 184
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3948 -ip 3948
Network
MITRE ATT&CK Matrix
Downloads
-
Memory dump                                                        Filesize
memory/3064-0-0x000000007483E000-0x000000007483F000-memory.dmp     4KB
memory/3064-1-0x0000000000A40000-0x0000000000AB6000-memory.dmp     472KB
memory/3064-2-0x0000000005990000-0x0000000005F34000-memory.dmp     5.6MB
memory/3064-3-0x00000000054C0000-0x0000000005552000-memory.dmp     584KB
memory/3064-4-0x0000000002E00000-0x0000000002E14000-memory.dmp     80KB
memory/3064-5-0x0000000005420000-0x0000000005428000-memory.dmp     32KB
memory/3064-6-0x00000000056C0000-0x00000000056C8000-memory.dmp     32KB
memory/3064-7-0x0000000074830000-0x0000000074FE0000-memory.dmp     7.7MB
memory/3064-8-0x00000000062E0000-0x0000000006324000-memory.dmp     272KB
memory/3064-9-0x0000000006900000-0x0000000006922000-memory.dmp     136KB
memory/3064-10-0x000000007483E000-0x000000007483F000-memory.dmp    4KB
memory/3064-11-0x0000000074830000-0x0000000074FE0000-memory.dmp    7.7MB
memory/3064-16-0x0000000074830000-0x0000000074FE0000-memory.dmp    7.7MB
memory/3948-13-0x0000000000550000-0x000000000057D000-memory.dmp    180KB