Analysis
Max time kernel: 149s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11-07-2024 18:30
Static task: static1
Behavioral task: behavioral1
  Sample: Akb38lKYd6rDV8l.exe
  Resource: win7-20240705-en
(The signature tables below reference behavioral2, the win10v2004 run described in the header; only the behavioral1 task entry survives on this page.)
General
Target: Akb38lKYd6rDV8l.exe
Size: 760KB
MD5: c9101fc66be35a3746ffea8e448c5119
SHA1: 453297f427c9c7a9b0e3a79fe4885d5d7c12af98
SHA256: 9022ec12d1c63779111d34993afd7aa58f7a7ed7087271c52f2300dee80c7f89
SHA512: 76efa88ad4a8d82b0b10abdc4dbb91db659e7ed4e9a9e4df6be8942f4235ad11ca27492907892da4cc82321be54056401b7caa1725a953784cab5bd1744bbdad
SSDEEP: 12288:ICc0CBN2iN/ougr+OAnK3Uv4ybDHpT4fN6AhDALgVWTsY/sQj14GB:ICc0CBN1F7tOcK3Uv4yB4dhcMgAAJ
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: dy13
Domains (65 entries): Formbook pads its real C2 with decoy domains (64 decoys is the usual count, which fits the 65 hosts listed here), and the extractor does not mark which entry is live. Use the list for blocking and hunting, not for attributing a single C2.
manga-house.com
kjsdhklssk51.xyz
b0ba138.xyz
bt365033.com
ccbsinc.net
mrwine.xyz
nrxkrd527o.xyz
hoshi.social
1912ai.com
serco2020.com
byfchfyr.xyz
imuschestvostorgov.online
austinheafey.com
mrdfa.club
883106.photos
profitablefxmarkets.com
taini00.net
brye.top
ginsm.com
sportglid.com
hdretailllc.com
umeshraja.com
bum-arch.com
carefulapp.com
kjqlq.top
3dsciagames.com
520yhy.com
magahatinu.com
freedompopo.com
directgaragedoor.com
tyupok.xyz
thecrystore.com
camperelektrikde.shop
soloparentconnect.com
sonderfullcoaching.com
jesuscrewofficial.com
oioc.xyz
assineunitv.com
whysco.com
484844.vip
gdctus840t.top
acc-pay.top
bdsmnutzbar.info
sdplat.media
cioncarp4213.com
facecasino2.top
bankablebark.com
gulerweb.online
radheyranidailyproduct.com
fin4d-sl.com
northshorehousekeeping.com
femmeteefatale.com
d0ge6or54x07cfn.xyz
craftwhirl.com
kgfna.biz
real-estate-96841.bond
cfuhtkwo.xyz
nestormediaproduction.com
txglobedev.com
kermoal.dev
yr8gl32.vip
bathroomremodelnearyou.today
nearmeacupuncture.com
chicstop.store
cpuk-finance.com
Signatures

Formbook payload (3 IoCs)
resource | yara_rule
behavioral2/memory/408-11-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/408-16-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/984-21-0x0000000000CD0000-0x0000000000CFF000-memory.dmp | formbook
All three YARA hits are on memory dumps of PID 408 (the second copy of the sample) and PID 984 (NETSTAT.EXE); the unpacked payload is only visible in the injected processes, not in the 760KB file on disk.
Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 4684 set thread context of 408 | 4684 | Akb38lKYd6rDV8l.exe | Akb38lKYd6rDV8l.exe
PID 408 set thread context of 3532 | 408 | Akb38lKYd6rDV8l.exe | Explorer.EXE
PID 984 set thread context of 3532 | 984 | NETSTAT.EXE | Explorer.EXE
Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid | process
984 | NETSTAT.EXE
Note that NETSTAT.EXE is not a diagnostic the sample runs; it is the process that receives the injected payload (see the Formbook YARA hit on its memory and the WriteProcessMemory rows below), so this signature is a side effect of the process name rather than evidence of deliberate network discovery.
Modifies registry class (1 IoC)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid | process | hits
4684 | Akb38lKYd6rDV8l.exe | 2
408 | Akb38lKYd6rDV8l.exe | 4
984 | NETSTAT.EXE | 54 (remaining entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | hits
408 | Akb38lKYd6rDV8l.exe | 3
984 | NETSTAT.EXE | 2
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4684 | Akb38lKYd6rDV8l.exe
Token: SeDebugPrivilege | 408 | Akb38lKYd6rDV8l.exe
Token: SeDebugPrivilege | 984 | NETSTAT.EXE
Token: SeShutdownPrivilege | 3532 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3532 | Explorer.EXE
Token: SeShutdownPrivilege | 3532 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3532 | Explorer.EXE
SeDebugPrivilege is enabled by every process that goes on to write into another one (4684, 408, 984); a netstat.exe instance requesting it is a strong indicator on its own. The SeShutdownPrivilege and SeCreatePagefilePrivilege adjustments by Explorer.EXE are routine shell behaviour.
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
3532 | Explorer.EXE
3532 | Explorer.EXE
Suspicious use of UnmapMainImage (1 IoC)
pid | process
3532 | Explorer.EXE
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | process | target process | hits
PID 4684 wrote to memory of 3872 | 4684 | Akb38lKYd6rDV8l.exe | Akb38lKYd6rDV8l.exe | 3
PID 4684 wrote to memory of 408 | 4684 | Akb38lKYd6rDV8l.exe | Akb38lKYd6rDV8l.exe | 6
PID 3532 wrote to memory of 984 | 3532 | Explorer.EXE | NETSTAT.EXE | 3
PID 984 wrote to memory of 3320 | 984 | NETSTAT.EXE | cmd.exe | 3
The first child, PID 3872, received writes but no thread-context change and shows no further activity; the hollowing completed in the second child, PID 408, which received both the writes and the SetThreadContext call.
Processes

C:\Windows\Explorer.EXE  (PID 3532)
  command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Akb38lKYd6rDV8l.exe  (PID 4684)
    command line: "C:\Users\Admin\AppData\Local\Temp\Akb38lKYd6rDV8l.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Akb38lKYd6rDV8l.exe  (PID 3872)
      command line: "C:\Users\Admin\AppData\Local\Temp\Akb38lKYd6rDV8l.exe"
      (no signatures)

    C:\Users\Admin\AppData\Local\Temp\Akb38lKYd6rDV8l.exe  (PID 408)
      command line: "C:\Users\Admin\AppData\Local\Temp\Akb38lKYd6rDV8l.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE  (PID 984)
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3320)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Akb38lKYd6rDV8l.exe"
      (no signatures)

Read together with the signature tables, the tree records the usual Formbook execution chain: the dropped file (PID 4684) launches a second copy of itself and hollows it (WriteProcessMemory plus SetThreadContext into PID 408); the hollowed copy injects into Explorer.EXE (PID 3532); Explorer then starts the 32-bit NETSTAT.EXE from SysWOW64 and writes the payload into it (PID 984, which carries the Formbook YARA hit); finally NETSTAT.EXE spawns cmd.exe /c del to remove the original file from %TEMP%, so the on-disk sample is gone once the payload is resident in a Windows-signed process.
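The chain above is easy to spot by eye in a six-process tree, but the same three relations (a process setting the thread context of its own same-image child, anything writing into Explorer.EXE, and a SysWOW64 utility started by Explorer that deletes the sample via cmd.exe) are what a detection would have to encode at scale. The script below is an added example, not part of the sandbox report or its tooling: the two lists are hand-transcribed from the Processes, SetThreadContext and WriteProcessMemory tables (duplicate WriteProcessMemory rows collapsed), and all function names are the example's own.

```python
import re

# Constructed from this report: the dropped file path and the process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Akb38lKYd6rDV8l.exe"

# (pid, parent pid, image path, command line); Explorer.EXE is the tree root.
PROCESSES = [
    (3532, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (4684, 3532, SAMPLE, f'"{SAMPLE}"'),
    (3872, 4684, SAMPLE, f'"{SAMPLE}"'),
    (408, 4684, SAMPLE, f'"{SAMPLE}"'),
    (984, 3532, r"C:\Windows\SysWOW64\NETSTAT.EXE", r'"C:\Windows\SysWOW64\NETSTAT.EXE"'),
    (3320, 984, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
]

# (api, source pid, target pid) cross-process events from the signature tables.
EVENTS = [
    ("SetThreadContext", 4684, 408),
    ("SetThreadContext", 408, 3532),
    ("SetThreadContext", 984, 3532),
    ("WriteProcessMemory", 4684, 3872),
    ("WriteProcessMemory", 4684, 408),
    ("WriteProcessMemory", 3532, 984),
    ("WriteProcessMemory", 984, 3320),
]


def index(processes):
    """pid -> (ppid, image path, command line)."""
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in processes}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_self_hollowing(processes, events):
    """SetThreadContext into the caller's own child running the same image:
    spawn self suspended, overwrite it, redirect the entry point, resume."""
    procs = index(processes)
    hits = []
    for api, src, dst in events:
        if api != "SetThreadContext" or src not in procs or dst not in procs:
            continue
        ppid, image, _ = procs[dst]
        if ppid == src and image.lower() == procs[src][1].lower():
            hits.append((src, dst))
    return hits


def find_explorer_injection(processes, events):
    """Sources of any write or thread-context change whose target is Explorer.EXE."""
    procs = index(processes)
    return sorted({src for _, src, dst in events
                   if dst in procs and image_name(procs[dst][1]) == "explorer.exe"})


def find_self_delete(processes):
    """cmd.exe /c del of a path that is itself an image in the tree (dropper cleanup)."""
    procs = index(processes)
    images = {image.lower() for _, image, _ in procs.values()}
    pattern = re.compile(r'del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
    hits = []
    for pid, (ppid, image, cmd) in procs.items():
        match = pattern.search(cmd) if image_name(image) == "cmd.exe" else None
        if match and match.group(1).lower() in images:
            hits.append((pid, ppid, match.group(1)))
    return hits


def find_lolbin_relay(processes):
    """A SysWOW64 utility started directly by Explorer.EXE that then launches
    cmd.exe. Heuristic: netstat.exe has no legitimate reason to start a shell."""
    procs = index(processes)
    hits = []
    for pid, (ppid, image, _) in procs.items():
        if ppid not in procs or image_name(procs[ppid][1]) != "explorer.exe":
            continue
        if "\\syswow64\\" not in image.lower():
            continue
        shells = [c for c, (p, img, _) in procs.items()
                  if p == pid and image_name(img) == "cmd.exe"]
        if shells:
            hits.append((pid, image_name(image), shells))
    return hits


def analyze(processes=PROCESSES, events=EVENTS):
    """Run all four checks and return the findings keyed by check name."""
    return {
        "self_hollowing": find_self_hollowing(processes, events),
        "explorer_injection_sources": find_explorer_injection(processes, events),
        "self_delete": find_self_delete(processes),
        "lolbin_relay": find_lolbin_relay(processes),
    }


if __name__ == "__main__":
    for name, hits in analyze().items():
        print(f"{name}: {hits}")
```

On this report the checks return the hollowing pair (4684, 408), Explorer injection from 408 and 984, the cmd.exe deletion of the sample path from PID 3320, and NETSTAT.EXE as the relay; removing the cmd.exe row makes the last two checks stay silent, which is the behaviour a benign netstat run should produce. Feeding the same tuples from Sysmon events 1, 8 and 10 (process creation, CreateRemoteThread, ProcessAccess) is the obvious next step, but that mapping is outside what the report shows.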