Analysis

max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-07-2024 20:35

Static task: static1
Behavioral task: behavioral1
Sample: 06b48ac9172279cf7eb70a6d9ff15c30N.exe
Resource: win7-20240704-en

General

Target: 06b48ac9172279cf7eb70a6d9ff15c30N.exe
Size: 603KB
MD5: 06b48ac9172279cf7eb70a6d9ff15c30
SHA1: badf55aaa4193ad376fdcbdf17a2ada34d5b1768
SHA256: 3c530a35c470947ac248c63cc58f6eef1adef690d9aacdab86033e0781b4508d
SHA512: ef51f9c2038b3b4a12075f718a919bfdf6867c9d1007fca60484047b64ce26f016a7f2e8aa00c42bb0cd0419e4ae03acf52f852ef8c5a00ed5ec1455cc9ca938
SSDEEP: 12288:W+DzsiMGcdB7QlWde8EkzSgPrKoV5nD3uu6Jxme5QH5N5ZMijh96yA:W+DDxcP7QlTRoKsFT0Jxm4ST5ZHX0
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: mc10
Signatures

Formbook payload (1 IoC)
Processes:
  resource: behavioral2/memory/2020-10-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 1008 set thread context of 2020
  pid: 1008
  process: 06b48ac9172279cf7eb70a6d9ff15c30N.exe
  target process: 06b48ac9172279cf7eb70a6d9ff15c30N.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 2020  process: 06b48ac9172279cf7eb70a6d9ff15c30N.exe
  pid: 2020  process: 06b48ac9172279cf7eb70a6d9ff15c30N.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process                                 target process
  PID 1008 wrote to memory of 2020   1008  06b48ac9172279cf7eb70a6d9ff15c30N.exe  06b48ac9172279cf7eb70a6d9ff15c30N.exe
  PID 1008 wrote to memory of 2020   1008  06b48ac9172279cf7eb70a6d9ff15c30N.exe  06b48ac9172279cf7eb70a6d9ff15c30N.exe
  PID 1008 wrote to memory of 2020   1008  06b48ac9172279cf7eb70a6d9ff15c30N.exe  06b48ac9172279cf7eb70a6d9ff15c30N.exe
  PID 1008 wrote to memory of 2020   1008  06b48ac9172279cf7eb70a6d9ff15c30N.exe  06b48ac9172279cf7eb70a6d9ff15c30N.exe
  PID 1008 wrote to memory of 2020   1008  06b48ac9172279cf7eb70a6d9ff15c30N.exe  06b48ac9172279cf7eb70a6d9ff15c30N.exe
  PID 1008 wrote to memory of 2020   1008  06b48ac9172279cf7eb70a6d9ff15c30N.exe  06b48ac9172279cf7eb70a6d9ff15c30N.exe
Processes

C:\Users\Admin\AppData\Local\Temp\06b48ac9172279cf7eb70a6d9ff15c30N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\06b48ac9172279cf7eb70a6d9ff15c30N.exe"
  PID: 1008
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\06b48ac9172279cf7eb70a6d9ff15c30N.exe (child of PID 1008)
      command line: "C:\Users\Admin\AppData\Local\Temp\06b48ac9172279cf7eb70a6d9ff15c30N.exe"
      PID: 2020
      - Suspicious behavior: EnumeratesProcesses