Analysis
- Max time kernel: 149s
- Max time network: 150s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240709-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 12-07-2024 18:06
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe
  - Resource: win7-20240705-en
General
- Target: 8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe
- Size: 620KB
- MD5: 6f6db1e7da6dcc039ad7a1bb95d153eb
- SHA1: 4e69bc26c9e11faececb76dfb4876165842a7383
- SHA256: 8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae
- SHA512: 0088f6a5cae353de2d418d942b0f16d82883bdd55af64af433f4d10a1b29b044c8892c246fa3cc4b70b364b213be4ec05b4874bcccd316d9d475b52981ff98b6
- SSDEEP: 12288:eb+YVK+orv7oWukJFoimuR6W5lzi7Cq82cXEC1ki2rpEWdzFTTLyh:V1+jMBmu3zCxcj1kdEcF
Malware Config
- Extracted: formbook 4.1 (sp26)
Signatures
- Formbook payload (1 IoC)
  Resource: behavioral2/memory/1528-9-0x0000000000400000-0x000000000042F000-memory.dmp; YARA rule: formbook
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation (process: 8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 4504 (8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe) set thread context of PID 1528 (8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1528 (8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe), 2 occurrences; PID 32 (powershell.exe), 2 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; PID 32 (powershell.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4504 (8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe) wrote to memory of PID 32 (powershell.exe), 3 occurrences
  PID 4504 (8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe) wrote to memory of PID 1528 (8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe), 6 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe (PID 4504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 32)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe (PID 1528)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82