Analysis
Max time kernel: 146s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 01-07-2024 12:50
Static task: static1
Behavioral task: behavioral1 (sample: PO - 04755 .bat.exe, resource: win7-20240419-en)
General
Target: PO - 04755 .bat.exe
Size: 541KB
MD5: 37f3b2a7f84422ea9fce13bcc170461b
SHA1: b2d8ac2774b12ffc4412435224398f3909bc8ceb
SHA256: 7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71
SHA512: 604aeeaf52c3aaab4e1a46ec2879d7b8e6f68ce0168e2f7ffc4f970b1633a2752959816bde10bbe19946a0ae7a2e9d373979554729fc7ed9366e1c5516b6639a
SSDEEP: 12288:YEuIQ8LBZ0BJxONHZZZxa3qBHkKbdUKSaEpkAE5YWOzxRwzPE58bm:XlXBWDxOpxk3qBHkcWgEppEWzxRw458K
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: 45er
Domains in the extracted config (Formbook embeds a list of decoy hosts next to its real C2, so not every entry below is a live C2; treat them as indicators for this config rather than 65 confirmed servers):
depotpulsa.com
k2bilbao.online
bb4uoficial.com
rwc666.club
us-pservice.cyou
tricegottreats.com
zsystems.pro
qudouyin6.com
sfumaturedamore.net
pcetyy.icu
notbokin.online
beqprod.tech
flipbuilding.com
errormitigationzoo.com
zj5u603.xyz
jezzatravel.com
zmdniavysyi.shop
quinnsteele.com
522334.com
outdoorshopping.net
7140k.vip
appmonster.live
rvrentalsusane.com
berry-hut.com
h-m-32.com
aklnk.xyz
project.fail
thelbacollection.com
ternkm.com
331022.xyz
qhr86.com
casvivip.com
f661dsa-dsf564a.biz
holisticfox.com
taobaoo03.com
kursy-parikmaher.store
reignscents.com
wot4x4.com
axoloterosa.com
instzn.site
nn477.xyz
jwsalestx.com
cualuoinuhoang.com
sagehrsuiteindercloud.solutions
2ecxab.vip
lottery99nft.xyz
budakbetingbet43.click
plaay.live
drmediapulsehub.com
bahismax.com
clareleeuwinclark.com
clarimix.com
ssongg11913.cfd
shapoorji-kingstown.com
detoxifysupplements.info
easy100ksidegig.com
abramovatata.online
barillonfo.net
keendeed.com
yunosave.online
pptv05.xyz
malianbeini.net
polariscicuit.com
sahibindencomparamguvend.link
used-cars-99583.bond
Signatures

Formbook payload (2 IoCs)
YARA rule "formbook" matched in two memory dumps:
  behavioral1/memory/2520-24-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral1/memory/3024-29-0x0000000000080000-0x00000000000AF000-memory.dmp
  PID 2520 is the second instance of the sample and PID 3024 is msdt.exe, so the unpacked payload is present both in the hollowed child and in the final host process.

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths or processes. Both invocations here use Add-MpPreference -ExclusionPath (see the process tree). Caveat: Add-MpPreference belongs to the Defender PowerShell module, which the Windows 7 image used for this run does not have, so the calls are expected to have failed in the sandbox; on Windows 8/10/11 hosts the same command line is a high-fidelity indicator.
  PID 2568 powershell.exe
  PID 2748 powershell.exe

Deletes itself (1 IoC)
  PID 2880 cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  source PID  source process         target PID  target index
  2036        PO - 04755 .bat.exe    2520        34
  2520        PO - 04755 .bat.exe    1200        21
  3024        msdt.exe               1200        21
  The first row (a process resetting the thread context of a child that runs its own image) is the process-hollowing shape; the other two target PID 1200, Explorer.EXE.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2620 schtasks.exe
  The task "Updates\iRfUxRRiZtkySe" is registered from an XML definition staged in %TEMP% (tmp8112.tmp). Its name matches the second Defender exclusion path, C:\Users\Admin\AppData\Roaming\iRfUxRRiZtkySe.exe, which suggests the task launches a copy placed there, although that file is not among the artifacts listed below.

Suspicious behavior: EnumeratesProcesses (36 IoCs)
  PID 2036 PO - 04755 .bat.exe   x7
  PID 2520 PO - 04755 .bat.exe   x2
  PID 2568 powershell.exe        x1
  PID 2748 powershell.exe        x1
  PID 3024 msdt.exe              x25

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 2520 PO - 04755 .bat.exe   x3
  PID 3024 msdt.exe              x2

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token SeDebugPrivilege adjusted by: 2036 PO - 04755 .bat.exe, 2520 PO - 04755 .bat.exe, 2568 powershell.exe, 2748 powershell.exe, 3024 msdt.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  source PID  source process         target PID  target index  calls
  2036        PO - 04755 .bat.exe    2568        28            4
  2036        PO - 04755 .bat.exe    2748        30            4
  2036        PO - 04755 .bat.exe    2620        31            4
  2036        PO - 04755 .bat.exe    2520        34            7
  1200        Explorer.EXE           3024        37            4
  3024        msdt.exe               2880        38            4
  A parent writing into a child it has just created is part of normal process start-up, so the 4-call rows are low signal on their own. The 2036 -> 2520 row stands out: more writes, the same pair in the SetThreadContext table, and the Formbook YARA match in 2520's memory.
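The WriteProcessMemory and SetThreadContext tables above are more useful read together than apart. The following is an added example for this page, not Triage's code or output: it takes the (source, target) pairs transcribed from the two tables plus the parent/child relations from the process tree, labels each pair (hollowed child, injection into an existing process, or a plain create-and-write), and follows the labelled edges from the first sample instance to reconstruct the injection chain. The label names, the Edge type and the chain-walking logic are this example's own assumptions; the two autochk.exe processes appear in the tree but in neither API table, so they do not show up here.

```python
"""Correlate WriteProcessMemory / SetThreadContext rows into injection chains.

Added example for this page, not Triage's code; the edge lists are transcribed
from the two signature tables and the labels are this example's own."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Edge = Tuple[int, int]  # (source pid, target pid)

# Transcribed from "Suspicious use of WriteProcessMemory" (unique pairs).
WRITES: List[Edge] = [(2036, 2568), (2036, 2748), (2036, 2620), (2036, 2520),
                      (1200, 3024), (3024, 2880)]
# Transcribed from "Suspicious use of SetThreadContext".
THREAD_CTX: List[Edge] = [(2036, 2520), (2520, 1200), (3024, 1200)]
# Parent of each child process, from the process tree.
PARENTS: Dict[int, int] = {2036: 1200, 2568: 2036, 2748: 2036, 2620: 2036,
                           2520: 2036, 1052: 1200, 1192: 1200, 3024: 1200, 2880: 3024}
IMAGES: Dict[int, str] = {1200: "Explorer.EXE", 2036: "PO - 04755 .bat.exe",
                          2520: "PO - 04755 .bat.exe", 2568: "powershell.exe",
                          2748: "powershell.exe", 2620: "schtasks.exe",
                          3024: "msdt.exe", 2880: "cmd.exe"}


def classify(writes: List[Edge], thread_ctx: List[Edge],
             parents: Dict[int, int]) -> Dict[Edge, str]:
    """Label every (source, target) pair seen in either API table.

    hollowed_child  : source wrote into a child it created and then reset the
                      child's thread context (the process-hollowing shape).
    inject_existing : thread context set on a process the source did not create.
    spawn_write_only: parent wrote into a child it created; this happens for
                      every CreateProcess and is low signal on its own.
    """
    apis: Dict[Edge, Set[str]] = defaultdict(set)
    for edge in writes:
        apis[edge].add("write")
    for edge in thread_ctx:
        apis[edge].add("ctx")
    labels: Dict[Edge, str] = {}
    for (src, dst), seen in apis.items():
        is_child = parents.get(dst) == src
        if "ctx" in seen and is_child:
            labels[(src, dst)] = "hollowed_child"
        elif "ctx" in seen:
            labels[(src, dst)] = "inject_existing"
        else:
            labels[(src, dst)] = "spawn_write_only"
    return labels


def injection_chain(start: int, labels: Dict[Edge, str]) -> List[Tuple[int, str, int]]:
    """Walk injection edges from `start`: hollow/inject edges always, spawn edges
    only when the child itself goes on to inject. Stops when a process is
    revisited (Explorer is hit twice in this sample)."""
    injectors = {src for (src, _), lab in labels.items() if lab != "spawn_write_only"}
    steps: List[Tuple[int, str, int]] = []
    visited, node = {start}, start
    while True:
        candidates = [(dst, lab) for (src, dst), lab in labels.items()
                      if src == node and (lab != "spawn_write_only" or dst in injectors)]
        if not candidates:
            break
        dst, lab = candidates[0]  # one outgoing injection edge per hop in this trace
        steps.append((node, lab, dst))
        if dst in visited:
            break
        visited.add(dst)
        node = dst
    return steps


def describe(steps: List[Tuple[int, str, int]], images: Dict[int, str] = IMAGES) -> str:
    """Render a chain as 'image[pid] --label--> image[pid] ...'."""
    if not steps:
        return ""
    parts = [f"{images.get(steps[0][0], '?')}[{steps[0][0]}]"]
    for _, lab, dst in steps:
        parts.append(f"--{lab}--> {images.get(dst, '?')}[{dst}]")
    return " ".join(parts)


if __name__ == "__main__":
    labels = classify(WRITES, THREAD_CTX, PARENTS)
    for edge, label in labels.items():
        print(f"{edge[0]:>5} -> {edge[1]:<5} {label}")
    print(describe(injection_chain(2036, labels)))
```

Run stand-alone it prints one labelled line per pair and then the chain 2036 (hollows) 2520 (injects) 1200 (spawns) 3024 (injects) 1200, which is exactly the order the process tree and the "Formbook payload" memory dumps imply.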
Processes

Depth markers follow the report: [1] is the root, [2] a child of the [1] above it, [3] a child of the nearest [2]. The sample is a 32-bit binary, so command lines that name System32 resolve to SysWOW64 through WOW64 file-system redirection; that is why the recorded image path and the quoted command line differ for powershell.exe and schtasks.exe.

[1] C:\Windows\Explorer.EXE (PID 1200)
    Command line: C:\Windows\Explorer.EXE
    Signatures: Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe (PID 2036)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2568)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe"
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2748)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iRfUxRRiZtkySe.exe"
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2620)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iRfUxRRiZtkySe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8112.tmp"
        Signatures: Scheduled Task/Job: Scheduled Task

    [3] C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe (PID 2520)
        Command line: "C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe"
        Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\autochk.exe (PID 1052)
      Command line: "C:\Windows\SysWOW64\autochk.exe"
      Signatures: none

  [2] C:\Windows\SysWOW64\autochk.exe (PID 1192)
      Command line: "C:\Windows\SysWOW64\autochk.exe"
      Signatures: none

  [2] C:\Windows\SysWOW64\msdt.exe (PID 3024)
      Command line: "C:\Windows\SysWOW64\msdt.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe (PID 2880)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe"
        Signatures: Deletes itself

Reading the tree: the first instance of the sample (2036) adds the two Defender exclusions and registers the scheduled task, then starts a second copy of itself (2520) and replaces its thread context. That copy injects into Explorer (1200); Explorer starts msdt.exe (3024), which carries the Formbook payload according to the YARA match on its memory, also sets Explorer's thread context, and finally spawns cmd.exe to delete the original file from %TEMP%. The two autochk.exe processes were started by Explorer in the same window but trip no signatures.
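Detection rules for the behaviours this tree shows, as an added example for this page (it is not Triage's code and does not read Triage's report format). The ProcEvent records are constructed to mirror the PIDs, images and command lines above; the rule names, the regular expressions and the ProcEvent shape are assumptions of this example. The rules are written a little more generally than the tree requires: they also accept unquoted arguments, -ExclusionExtension and -ExclusionProcess, and double extensions other than .bat.exe.

```python
"""Detection rules for the behaviours in the process tree above.

Added example for this page; not Triage's code and not its report format. The
ProcEvent records are constructed to mirror the PIDs, images and command lines
shown in the tree; rule names and regexes are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # executable path as recorded by the sandbox
    cmdline: str  # full command line


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\PO - 04755 .bat.exe"
PS_IMG = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'

# Constructed from the report's process tree (same PIDs and command lines).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1200, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2036, 1200, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2568, 2036, PS_IMG, PS_CMD + ' Add-MpPreference -ExclusionPath "' + SAMPLE + '"'),
    ProcEvent(2748, 2036, PS_IMG, PS_CMD + ' Add-MpPreference -ExclusionPath '
              r'"C:\Users\Admin\AppData\Roaming\iRfUxRRiZtkySe.exe"'),
    ProcEvent(2620, 2036, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iRfUxRRiZtkySe" /XML "'
              + TEMP + r'\tmp8112.tmp"'),
    ProcEvent(2520, 2036, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1052, 1200, r"C:\Windows\SysWOW64\autochk.exe", r'"C:\Windows\SysWOW64\autochk.exe"'),
    ProcEvent(3024, 1200, r"C:\Windows\SysWOW64\msdt.exe", r'"C:\Windows\SysWOW64\msdt.exe"'),
    ProcEvent(2880, 3024, r"C:\Windows\SysWOW64\cmd.exe", '/c del "' + SAMPLE + '"'),
]

# Each value regex accepts a quoted or a bare argument; m.group(m.lastindex)
# returns whichever alternative matched.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\s+-Exclusion(Path|Extension|Process)\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)
DEL_RE = re.compile(r'\bdel\s+(?:"([^"]+)"|(\S+))', re.I)
DOUBLE_EXT_RE = re.compile(r"\.(?:bat|cmd|txt|pdf|doc|docx|xls|xlsx|jpg|png)\s*\.exe$", re.I)


def analyse(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every rule an event trips, in event order."""
    by_pid = {e.pid: e for e in events}
    executed = {e.image.lower() for e in events}  # images that ran in this trace
    hits: List[Tuple[str, int, str]] = []
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        parent = by_pid.get(e.ppid)
        cmd = e.cmdline

        # T1562.001: Defender exclusion added from the command line.
        if name == "powershell.exe":
            for m in EXCLUSION_RE.finditer(cmd):
                hits.append(("defender_exclusion", e.pid, m.group(1) + "=" + m.group(m.lastindex)))

        # T1053.005: task registered from an XML definition staged in %TEMP%.
        if name == "schtasks.exe" and "/create" in cmd.lower():
            m = TASK_XML_RE.search(cmd)
            if m and "\\appdata\\local\\temp\\" in m.group(m.lastindex).lower():
                hits.append(("schtasks_xml_from_temp", e.pid, m.group(m.lastindex)))

        # cmd.exe deleting a file that ran as a process earlier in the trace.
        if name == "cmd.exe":
            m = DEL_RE.search(cmd)
            if m and m.group(m.lastindex).lower() in executed:
                hits.append(("delete_executed_image", e.pid, m.group(m.lastindex)))

        # A process starting a second copy of its own image: stage two of hollowing.
        if parent and parent.image.lower() == e.image.lower():
            hits.append(("self_respawn", e.pid, "parent " + str(parent.pid)))

        # Double extension such as ".bat.exe" on an executed image.
        if DOUBLE_EXT_RE.search(name):
            hits.append(("double_extension", e.pid, name))

        # Explorer starting a 32-bit system binary with no arguments: the kind of
        # host the tree shows being used for injection (msdt.exe, autochk.exe).
        if (parent and parent.image.lower().endswith("\\explorer.exe")
                and "\\syswow64\\" in e.image.lower()
                and cmd.strip().strip('"').lower() == e.image.lower()):
            hits.append(("bare_system_binary_from_explorer", e.pid, name))
    return hits


def hits_by_rule(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Group the PIDs that tripped each rule, preserving event order."""
    out: Dict[str, List[int]] = {}
    for rule, pid, _ in analyse(events):
        out.setdefault(rule, []).append(pid)
    return out


if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid:<5} {detail}")
```

The last two rules are deliberately weaker than the first three: a program starting its own image or Explorer launching an argument-less system binary both occur legitimately, so in a real pipeline they would raise a score rather than fire an alert on their own, while an Add-MpPreference exclusion or a schtasks /XML pointing into %TEMP% is worth alerting on directly.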
Network
MITRE ATT&CK Enterprise v15
Downloads

Unnamed file (no path shown in the report)
  Filesize: 1KB
  MD5: d850c2ee81c4aeedbf67f158a6c932d5
  SHA1: f51fbfe1e68cb540ee96f8ceb83f508b95512473
  SHA256: c5454f9520d84b7bd00232cb831b8baf33c554e93035c242b04119a0fa55bf2a
  SHA512: 0c7f5d640fba4b14463cecca1214cd339d625adbb7884325575f63f283b1bfb1e386e5556cbed3a27b3de1b3f9eb36b61cfb01b88a5eef5b022c34326433d4b5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 2098c08b79fa37a64cce4476f108bc97
  SHA1: 97132684986fe5b9daa2d433589160a498c4f916
  SHA256: 82e1b93f3845980e29acb961a7f3a4bee58f7b2d117e46404143eb645532bae9
  SHA512: bfb1d1141c5081228ec2a3a02d0f17e17005503c57b10ce9978b9a41b4beeff5099cedc073f83357b624c281866f3301e42eb81c01ef671aac86876a528d348f
  This is an Explorer jump-list (CustomDestinations) file, a normal Windows artifact of the sample being opened, not a dropped payload. The schtasks XML (tmp8112.tmp) and the Roaming copy named in the second Defender exclusion are not among the files listed here.