Analysis
max time kernel: 119s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-07-2024 22:57
Static task: static1
Behavioral task: behavioral1
Sample: 0b970eeae547c387822f30119aabda70N.exe
Resource: win7-20240704-en
General
Target: 0b970eeae547c387822f30119aabda70N.exe
Size: 1.0MB
MD5: 0b970eeae547c387822f30119aabda70
SHA1: 62802a786351d6d50f37f14088fd70eab3c2968e
SHA256: b7e70bb8f2c9e57840739fd9ec404d5bc0d16ff6d141b091f17317f7e308b876
SHA512: 95aadb55329e23403654d7e1db483308e4b42672a46b953d113c2187e09ddfc6031c6a85cdde3c439743ec2fabf739ca68f6aef2a4a09bd872347a563d6aa26c
SSDEEP: 24576:iAHnh+eWsN3skA4RV1Hom2KXMmHafbW2chd4Dp8A285:lh+ZkldoPK8YafKT495F
Malware Config
Extracted
formbook
4.1
ge34
Signatures
- Formbook payload (3 IoCs)
Processes (resource, yara_rule):
behavioral2/memory/2360-11-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/2360-14-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/364-20-0x0000000000520000-0x000000000054F000-memory.dmp  formbook
- Suspicious use of SetThreadContext (3 IoCs)
Processes (description, pid, process, target process):
PID 1368 set thread context of 2360  1368 0b970eeae547c387822f30119aabda70N.exe  svchost.exe
PID 2360 set thread context of 3460  2360 svchost.exe  Explorer.EXE
PID 364 set thread context of 3460  364 raserver.exe  Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes (pid, process):
2360 svchost.exe (4 entries)
364 raserver.exe (all remaining entries, 50 IoCs in total)
- Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid, process):
1368 0b970eeae547c387822f30119aabda70N.exe
2360 svchost.exe (3 entries)
364 raserver.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege  2360 svchost.exe
Token: SeDebugPrivilege  364 raserver.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
1368 0b970eeae547c387822f30119aabda70N.exe (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid, process):
1368 0b970eeae547c387822f30119aabda70N.exe (2 entries)
- Suspicious use of UnmapMainImage (1 IoC)
Processes (pid, process):
3460 Explorer.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description, pid, process, target process):
PID 1368 wrote to memory of 2360  1368 0b970eeae547c387822f30119aabda70N.exe  svchost.exe (4 entries)
PID 3460 wrote to memory of 364  3460 Explorer.EXE  raserver.exe (3 entries)
PID 364 wrote to memory of 5064  364 raserver.exe  cmd.exe (3 entries)
Processes
C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 3460
    C:\Users\Admin\AppData\Local\Temp\0b970eeae547c387822f30119aabda70N.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0b970eeae547c387822f30119aabda70N.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 1368
        C:\Windows\SysWOW64\svchost.exe (depth 3)
          Command line: "C:\Users\Admin\AppData\Local\Temp\0b970eeae547c387822f30119aabda70N.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          PID: 2360
    C:\Windows\SysWOW64\raserver.exe (depth 2)
      Command line: "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 364
        C:\Windows\SysWOW64\cmd.exe (depth 3)
          Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
          PID: 5064