Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 13-07-2024 07:37
Static task: static1
Behavioral task: behavioral1
Sample: 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe
Resource: win7-20240704-en
General
Target: 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe
Size: 700KB
MD5: 6887db1f6c75ae73f95dc1e8b7ba45f0
SHA1: a6eae243627dd243dfc1ba7d8ecb0db32d2b04e0
SHA256: e1153fa8e128ce45bc1fd82c073aa9724653ae65a621f7accf41a7b4ea542906
SHA512: 8ce6ac3dd86793027a12f48f451d141d809b0c757177e60aedfef2d8e57ae12f039035f43e45696e059edffe4edf7f10e42a53f1b796f7740f23483399984fad
SSDEEP: 12288:GVkFuwcbZzHNoW1XMn+oCUufZv7ftOwz3geqeDWSmb6+Sg:hZAZzHNoW1O+oWZv7frzwvTb6+Sg
Malware Config
Extracted: formbook
Version: 4.1
Campaign: h209
Signatures
Formbook payload (1 IoC)
  resource: behavioral1/memory/2640-20-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Suspicious use of SetThreadContext (1 IoC)
  description: PID 2680 set thread context of 2640
  pid: 2680, process: 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe, target process: 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2640, process: 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe
  pid: 2328, process: powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 2328, process: powershell.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2680 (6887db1f6c75ae73f95dc1e8b7ba45f0N.exe) wrote to memory of 2328 (powershell.exe), 4 times
  PID 2680 (6887db1f6c75ae73f95dc1e8b7ba45f0N.exe) wrote to memory of 2844 (schtasks.exe), 4 times
  PID 2680 (6887db1f6c75ae73f95dc1e8b7ba45f0N.exe) wrote to memory of 2640 (6887db1f6c75ae73f95dc1e8b7ba45f0N.exe), 7 times
Processes
C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe (PID 2680)
  command line: "C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2328, child of 2680)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PYyvJhGBctVHN.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe (PID 2844, child of 2680)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PYyvJhGBctVHN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA747.tmp"
    - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe (PID 2640, child of 2680)
    command line: "C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 70690f0092b4eebf94d5f13f9b4c6593
SHA1: 238129250a4d840a576a526a669bfe4e28bc4d03
SHA256: 224acdcafcd9c729fe993885834a9038bceed57d6d63ecfef363eb2606fa5f9d
SHA512: 7a339aa273f18f92c4ad3493c85f3cfdd7ba0e40892d4c0ca7a327e1f77667d44bf8a7de98f2d7ac3fa5284e1e2087d3ff1597dc7f4a8333b9fffec0d5e4d290