Analysis
max time kernel: 94s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-07-2024 11:54
Static task: static1
Behavioral task: behavioral1
Sample: 9d8bba178d59f8e1a7bbf2d793b30c58.exe
Resource: win7-20240708-en
General
Target: 9d8bba178d59f8e1a7bbf2d793b30c58.exe
Size: 1.6MB
MD5: 9d8bba178d59f8e1a7bbf2d793b30c58
SHA1: fcd9ddb47e8faac52d5f9450cbe8970d259cd63f
SHA256: 2908b204b48c6e54598045bed024df0a256f41d0e53239f5d5606d2be8111c07
SHA512: e4e9223b006a7813ced3cf124ca25db3214929cc03d2b14688ba23f5b34949f4f156d646b5eb2f5d75ac17d526537b699f844bccdd19baa205a36de5b1d449b8
SSDEEP: 12288:TNLnJocGYWkX35QDuPSzBzsFXFIntvrP9zVYL/EyN7T20:JLnrNWkXo1BzsdeFxzS4ydi0
Malware Config
Extracted
formbook
4.1
kmge
Signatures
Processes:
  9d8bba178d59f8e1a7bbf2d793b30c58.exe
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes:
  9d8bba178d59f8e1a7bbf2d793b30c58.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9d8bba178d59f8e1a7bbf2d793b30c58.exe = "0"
Formbook payload 1 IoCs
Processes:
  resource: behavioral2/memory/1248-21-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  9d8bba178d59f8e1a7bbf2d793b30c58.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation
Processes:
  9d8bba178d59f8e1a7bbf2d793b30c58.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9d8bba178d59f8e1a7bbf2d793b30c58.exe = "0"
Processes:
  9d8bba178d59f8e1a7bbf2d793b30c58.exe
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 4992 (9d8bba178d59f8e1a7bbf2d793b30c58.exe) set thread context of PID 1248 (ilasm.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
  WerFault.exe (PID 1800), target process: ilasm.exe (PID 1248)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  powershell.exe (PID 1500), 2 occurrences
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege, PID 4992 (9d8bba178d59f8e1a7bbf2d793b30c58.exe)
  Token: SeDebugPrivilege, PID 1500 (powershell.exe)
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
  PID 4992 (9d8bba178d59f8e1a7bbf2d793b30c58.exe) wrote to memory of:
    PID 1500 (powershell.exe), 2 times
    PID 1072 (cmd.exe), 4 times
    PID 2852 (csc.exe), 3 times
    PID 3548 (calc.exe), 4 times
    PID 1600 (wmplayer.exe), 3 times
    PID 1248 (ilasm.exe), 6 times
    PID 804 (ilasm.exe), 3 times
System policy modification 1 TTPs 1 IoCs
Processes:
  9d8bba178d59f8e1a7bbf2d793b30c58.exe
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
  C:\Users\Admin\AppData\Local\Temp\9d8bba178d59f8e1a7bbf2d793b30c58.exe (PID 4992)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9d8bba178d59f8e1a7bbf2d793b30c58.exe"
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1500)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9d8bba178d59f8e1a7bbf2d793b30c58.exe" -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe (PID 1072)
      Command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 2852)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    C:\Windows\System32\calc.exe (PID 3548)
      Command line: "C:\Windows\System32\calc.exe"
    C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID 1600)
      Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe (PID 1248)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
      C:\Windows\SysWOW64\WerFault.exe (PID 1800)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 24
        - Program crash
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe (PID 804)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  C:\Windows\SysWOW64\WerFault.exe (PID 400)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1248 -ip 1248
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82