Analysis

max time kernel: 116s
max time network: 116s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 12-07-2024 22:57

Static task: static1
Behavioral task: behavioral1
  Sample: 0b970eeae547c387822f30119aabda70N.exe
  Resource: win7-20240704-en

General

Target: 0b970eeae547c387822f30119aabda70N.exe
Size: 1.0MB
MD5: 0b970eeae547c387822f30119aabda70
SHA1: 62802a786351d6d50f37f14088fd70eab3c2968e
SHA256: b7e70bb8f2c9e57840739fd9ec404d5bc0d16ff6d141b091f17317f7e308b876
SHA512: 95aadb55329e23403654d7e1db483308e4b42672a46b953d113c2187e09ddfc6031c6a85cdde3c439743ec2fabf739ca68f6aef2a4a09bd872347a563d6aa26c
SSDEEP: 24576:iAHnh+eWsN3skA4RV1Hom2KXMmHafbW2chd4Dp8A285:lh+ZkldoPK8YafKT495F
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: ge34
C2/decoy domains:
aporyb.com
mwquas.xyz
apps-83842.bond
enebrium-peptide.com
sevenslot777-al.xyz
rdt999.com
fgaxercq.xyz
hooksandline.com
nadiiadrinkscoffee.com
bt365131.com
vinfast-hanam.com
smooease.com
stcpharmasolution.lat
rent-to-own-us-006.space
baka88rtp.xyz
iloveher.net
72428.club
smkjfw.com
tactprograms.com
nhasachdoanhnhan.click
www75650.vip
watchrams.com
phrarxni.xyz
cqgswzhs.com
aremanl.top
gefflux.com
lazygeek.cafe
asikarga.com
ax7y9q8s.top
holisticnutritionkh.com
homesbyblanton.com
hausicav.christmas
home-renovation-29218.bond
qtools.xyz
myportsudan.com
pastikanselalu10.click
ladespensagropecuaria.com
00050292.xyz
jouzyce.com
arounda.pro
17tk558p.com
wcnstsuh.xyz
granadaiighting.com
9950bg.com
visionarymaterialsinstitute.com
quavaar.com
olu85.com
softixbackend.com
nextnature.shop
tekstenbeeld.com
goodsimple.net
kjsdhklssk78.xyz
dogelexuss.quest
serenity-enterprise.com
universoshops.app
formacionesmaestras.com
00050304.xyz
lapakkuda.xyz
suporteaocliente.com
243b940.shop
mabaryukk.quest
coventgardensurveyors.com
744345.photos
86xzsypo.sbs
akimov.space
Signatures

Formbook payload (3 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/2948-11-0x0000000000400000-0x000000000042F000-memory.dmp     formbook
  behavioral1/memory/2948-14-0x0000000000400000-0x000000000042F000-memory.dmp     formbook
  behavioral1/memory/2764-20-0x00000000000C0000-0x00000000000EF000-memory.dmp     formbook

Suspicious use of SetThreadContext (3 IoCs)
  description                            pid   process                                  target process
  PID 1972 set thread context of 2948    1972  0b970eeae547c387822f30119aabda70N.exe    svchost.exe
  PID 2948 set thread context of 1352    2948  svchost.exe                              Explorer.EXE
  PID 2764 set thread context of 1352    2764  mstsc.exe                                Explorer.EXE

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid   process
  2948  svchost.exe  (x2)
  2764  mstsc.exe    (x22)

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process
  1972  0b970eeae547c387822f30119aabda70N.exe
  2948  svchost.exe  (x3)
  2764  mstsc.exe    (x2)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   2948  svchost.exe
  Token: SeDebugPrivilege   2764  mstsc.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   process
  1972  0b970eeae547c387822f30119aabda70N.exe  (x2)
  1352  Explorer.EXE                           (x2)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process
  1972  0b970eeae547c387822f30119aabda70N.exe  (x2)

Suspicious use of WriteProcessMemory (13 IoCs)
  description                        pid   process                                  target process
  PID 1972 wrote to memory of 2948   1972  0b970eeae547c387822f30119aabda70N.exe    svchost.exe   (x5)
  PID 1352 wrote to memory of 2764   1352  Explorer.EXE                             mstsc.exe     (x4)
  PID 2764 wrote to memory of 2876   2764  mstsc.exe                                cmd.exe       (x4)
Processes

C:\Windows\Explorer.EXE  (PID 1352, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0b970eeae547c387822f30119aabda70N.exe  (PID 1972, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\0b970eeae547c387822f30119aabda70N.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe  (PID 2948, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\0b970eeae547c387822f30119aabda70N.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe  (PID 2764, depth 2)
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2876, depth 3)
      command line: /c del "C:\Windows\SysWOW64\svchost.exe"