Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-07-2024 06:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: vNrcPvMYLZmn2cc.exe
- Resource: win7-20240708-en
General
- Target: vNrcPvMYLZmn2cc.exe
- Size: 681KB
- MD5: 8e9b751ecbb040e9893199329566c826
- SHA1: dee40b465783386a418bd5c4dc529b07659e1827
- SHA256: 0b2881dffc8cd0c36764d955f9478964c95822672da0f5ba29a5af5c16059b16
- SHA512: 71c59a006f0701427507261b6403c9a406f0193377bf8b6f473051e6461110438528656f3e6d6ffcc45da1eeb45629c20eff1d7938bfc01d915b8e9c09a00a3e
- SSDEEP: 12288:BnMN4Np0xC0eQiLEX6e51HHZt12FhT0g5kklyEhxcN5GJohLTo:BMN4NpECrREX6e51ZGhT6kgEjcNwJo1
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: mc10
Signatures
-
Formbook payload 3 IoCs
resource | yara_rule
behavioral2/memory/2064-11-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2064-16-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2868-21-0x00000000011C0000-0x00000000011EF000-memory.dmp | formbook
-
Suspicious use of SetThreadContext 3 IoCs
Processes: vNrcPvMYLZmn2cc.exe, vNrcPvMYLZmn2cc.exe, wscript.exe
description | pid | process | target process
PID 1832 set thread context of 2064 | 1832 | vNrcPvMYLZmn2cc.exe | vNrcPvMYLZmn2cc.exe
PID 2064 set thread context of 3456 | 2064 | vNrcPvMYLZmn2cc.exe | Explorer.EXE
PID 2868 set thread context of 3456 | 2868 | wscript.exe | Explorer.EXE
-
Modifies registry class 1 IoCs
Processes: Explorer.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes: vNrcPvMYLZmn2cc.exe, wscript.exe
pid | process | entries
2064 | vNrcPvMYLZmn2cc.exe | 4
2868 | wscript.exe | the remaining entries of the 56
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: vNrcPvMYLZmn2cc.exe, wscript.exe
pid | process | entries
2064 | vNrcPvMYLZmn2cc.exe | 3
2868 | wscript.exe | 2
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: vNrcPvMYLZmn2cc.exe, wscript.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 2064 | vNrcPvMYLZmn2cc.exe
Token: SeDebugPrivilege | 2868 | wscript.exe
Token: SeShutdownPrivilege | 3456 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3456 | Explorer.EXE
Token: SeShutdownPrivilege | 3456 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3456 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid | process | entries
3456 | Explorer.EXE | 2
-
Suspicious use of UnmapMainImage 1 IoCs
Processes: Explorer.EXE
pid | process
3456 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: vNrcPvMYLZmn2cc.exe, Explorer.EXE, wscript.exe
description | pid | process | target process | entries
PID 1832 wrote to memory of 2064 | 1832 | vNrcPvMYLZmn2cc.exe | vNrcPvMYLZmn2cc.exe | 6
PID 3456 wrote to memory of 2868 | 3456 | Explorer.EXE | wscript.exe | 3
PID 2868 wrote to memory of 1768 | 2868 | wscript.exe | cmd.exe | 3
Processes
(indentation shows the parent/child relationship; the number after each path is its depth in the tree)

C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  PID: 3456
  signatures:
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\vNrcPvMYLZmn2cc.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\vNrcPvMYLZmn2cc.exe"
    PID: 1832
    signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\vNrcPvMYLZmn2cc.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\vNrcPvMYLZmn2cc.exe"
      PID: 2064
      signatures:
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autofmt.exe (depth 2)
    command line: "C:\Windows\SysWOW64\autofmt.exe"
    PID: 3196

  C:\Windows\SysWOW64\wscript.exe (depth 2)
    command line: "C:\Windows\SysWOW64\wscript.exe"
    PID: 2868
    signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\vNrcPvMYLZmn2cc.exe"
      PID: 1768