Analysis
Max time kernel: 92s
Max time network: 94s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-07-2024 07:37
Static task: static1
Behavioral task: behavioral1
  Sample: 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe
  Resource: win7-20240704-en
General
Target: 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe
Size: 700KB
MD5: 6887db1f6c75ae73f95dc1e8b7ba45f0
SHA1: a6eae243627dd243dfc1ba7d8ecb0db32d2b04e0
SHA256: e1153fa8e128ce45bc1fd82c073aa9724653ae65a621f7accf41a7b4ea542906
SHA512: 8ce6ac3dd86793027a12f48f451d141d809b0c757177e60aedfef2d8e57ae12f039035f43e45696e059edffe4edf7f10e42a53f1b796f7740f23483399984fad
SSDEEP: 12288:GVkFuwcbZzHNoW1XMn+oCUufZv7ftOwz3geqeDWSmb6+Sg:hZAZzHNoW1O+oWZv7frzwvTb6+Sg
Malware Config

Extracted family: formbook
Version: 4.1
Campaign ID: h209
Domain list (64 entries). Formbook configs pad the live C2 with decoy domains, so treat these as hunting indicators rather than 64 confirmed C2s; expect most of them to be legitimate sites:
sbtstuff.site
omlyes.com
movershifting.com
gearballer.com
oketoto.pro
myringleader.com
lrcjc750s.xyz
ata2024.xyz
password-manager-89409.bond
aiassistanthub.net
changvolt.cfd
netino.site
wear-wale.com
omnipresenceagency.com
huangguan.ooo
propersonnelmedia.com
9332952.com
k3s.support
ciytrw.xyz
cb095.pro
royalreshortbooking.xyz
studio29photography.com
62472.xyz
offerseshop.com
xn--mjru74buk5boca.store
jzzkjvaz.com
qzbt7s.com
atsinvest.com
goldengoosemultiplier.com
investing-courses-66663.bond
blueflamenews.com
xn--72cb0bab2pc6b3j3b.com
damtv24.xyz
ya1w.top
margueritemeilleure.com
zinittech.com
testingdomain.xyz
zakenlatyn.xyz
jungdofire.com
jackpfenninger.com
comfyquiltsbysusan.com
weststarconstructions.com
accrevcenglobal.com
ok9km1.fun
cxbqchm.life
review-with-hossain.com
webmedianews.com
visioncaretutor.com
r9x4g.xyz
nicorinehart.com
airhead.icu
genesisproj.online
hebatduta77.com
xiaopangonsol.com
cilynder.com
nestnerd.xyz
95476.photos
wearepartisan.rocks
snowshop4.com
podoc.fun
psicologaceciliabarros.com
klassens.info
therocketlobsters.com
world-palace.com
antibirdnetservices.com
Signatures

Formbook payload (1 IoC)
  YARA rule formbook matched the memory dump behavioral2/memory/5108-21-0x0000000000400000-0x000000000042F000-memory.dmp, i.e. the 0x00400000-0x0042F000 image region of PID 5108, the process that receives the SetThreadContext call below.

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  PowerShell is run to modify Windows Defender settings by adding exclusions (for paths, file extensions or processes). In this run the command adds a path exclusion for C:\Users\Admin\AppData\Roaming\PYyvJhGBctVHN.exe (PID 2184, see Processes); the same name reappears in the scheduled task below.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely for geofencing.
  Process: 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (1 IoC)
  PID 2232 (6887db1f6c75ae73f95dc1e8b7ba45f0N.exe) set the thread context of PID 5108 (a second instance of the same executable). Together with the WriteProcessMemory entries below, this is the sample writing its payload into a child copy of itself and redirecting that child's execution into it; the formbook YARA hit sits in exactly that child's memory.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage or optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  schtasks is commonly used by malware for persistence or post-infection execution. Here it registers the task Updates\PYyvJhGBctVHN from an XML definition written to %TEMP% (PID 2696, see Processes).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 2232 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe (2 hits)
  PID 2184 powershell.exe (2 hits)
  PID 5108 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 2232 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe
  Token SeDebugPrivilege: PID 2184 powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  All writes originate from PID 2232 (6887db1f6c75ae73f95dc1e8b7ba45f0N.exe):
    3 writes to PID 2184 powershell.exe
    3 writes to PID 2696 schtasks.exe
    3 writes to PID 2608 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe
    6 writes to PID 5108 6887db1f6c75ae73f95dc1e8b7ba45f0N.exe
  Every child that 2232 creates receives three writes, including powershell.exe and schtasks.exe, so three is the baseline for process creation in this run. PID 5108 stands out with six writes plus the SetThreadContext call; PID 2608 is written to but never has its thread context set.
Processes

C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe  (PID 2232, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2184, level 2, parent 2232)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PYyvJhGBctVHN.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 2696, level 2, parent 2232)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PYyvJhGBctVHN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp"
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe  (PID 2608, level 2, parent 2232)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe"

  C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe  (PID 5108, level 2, parent 2232)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe"
    - Suspicious behavior: EnumeratesProcesses

Note: the children's image paths are under C:\Windows\SysWOW64 while their command lines name C:\Windows\System32. The sample is 32-bit (resource tag arch:x86), so WoW64 file system redirection maps its System32 references to SysWOW64; detection rules keyed on the image path should match both.
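The three behaviours the report ties to PID 2232 (a Defender exclusion via Add-MpPreference, a scheduled task created with schtasks /Create from an XML in %TEMP%, and a binary in a user-writable directory spawning copies of itself as the setup for the WriteProcessMemory + SetThreadContext injection) are exactly what a detection engineer would write process-creation rules for. The following is an added example, not part of the sandbox report or of the sample: it runs those rules over constructed Sysmon Event ID 1-style records modelled on the process tree above, plus two constructed benign controls. The record field names, the rule names, the MITRE references in the docstrings and the set of "user-writable" directories are my assumptions.

```python
"""Triage rules for the behaviours this report attributes to PID 2232, run over
constructed Sysmon Event ID 1-style process-creation records (not real telemetry)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # on-disk path of the created process (after WoW64 redirection)
    command_line: str   # command line as passed; may name System32 for a 32-bit caller
    parent_image: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6887db1f6c75ae73f95dc1e8b7ba45f0N.exe"
PS_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events modelled on the report's process tree (PIDs and command
# lines taken from the report), plus two constructed benign controls: an admin
# reading Defender preferences and a vendor task created from Program Files.
EVENTS: List[ProcEvent] = [
    ProcEvent(2232, 1000, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2184, 2232, PS_WOW64,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PYyvJhGBctVHN.exe"',
              SAMPLE),
    ProcEvent(2696, 2232, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PYyvJhGBctVHN" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp"',
              SAMPLE),
    ProcEvent(2608, 2232, SAMPLE, f'"{SAMPLE}"', SAMPLE),
    ProcEvent(5108, 2232, SAMPLE, f'"{SAMPLE}"', SAMPLE),
    ProcEvent(4000, 1000, PS_WOW64, r'"powershell.exe" Get-MpPreference', r"C:\Windows\explorer.exe"),
    ProcEvent(4100, 1000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\task.xml"',
              r"C:\Windows\explorer.exe"),
]

# Directories an unprivileged user can write to; this set is an assumption, extend as needed.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\(?:Local\\Temp|Roaming)|Downloads|Desktop)\\", re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\b", re.I)
XML_ARG_RE = re.compile(r'/XML\s+(?:"([^"]*)"|(\S+))', re.I)


def _image_is(ev: ProcEvent, name: str) -> bool:
    """Match on the trailing file name so System32 and SysWOW64 copies both hit."""
    return ev.image.lower().endswith("\\" + name)


def defender_exclusion(ev: ProcEvent) -> bool:
    """PowerShell adding a Defender path/extension/process exclusion (T1562.001)."""
    return _image_is(ev, "powershell.exe") and bool(EXCLUSION_RE.search(ev.command_line))


def schtasks_from_user_dir(ev: ProcEvent) -> bool:
    """schtasks /Create whose /XML definition is read from a user-writable directory (T1053.005)."""
    if not (_image_is(ev, "schtasks.exe") and re.search(r"/Create\b", ev.command_line, re.I)):
        return False
    m = XML_ARG_RE.search(ev.command_line)
    if not m:
        return False
    xml_path = m.group(1) or m.group(2)   # quoted or bare path argument
    return bool(USER_WRITABLE.search(xml_path))


def self_spawn_from_user_dir(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """A binary in a user-writable directory launching a copy of itself: the spawn
    half of the WriteProcessMemory + SetThreadContext self-injection in the report.
    Returns (parent_pid, child_pid) pairs."""
    return [(ev.ppid, ev.pid) for ev in events
            if ev.image.lower() == ev.parent_image.lower() and USER_WRITABLE.search(ev.image)]


def triage(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Run every rule and return (rule_name, flagged_pid) pairs."""
    findings = [("defender_exclusion", ev.pid) for ev in events if defender_exclusion(ev)]
    findings += [("schtasks_user_dir_xml", ev.pid) for ev in events if schtasks_from_user_dir(ev)]
    findings += [("self_spawn_user_dir", pid) for _, pid in self_spawn_from_user_dir(events)]
    return findings


def correlate_by_parent(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """Group hits by the flagged process's parent; one parent tripping several
    distinct rules (2232 here) is a far stronger signal than any single hit."""
    by_pid = {ev.pid: ev for ev in events}
    grouped: Dict[int, Set[str]] = {}
    for rule, pid in triage(events):
        grouped.setdefault(by_pid[pid].ppid, set()).add(rule)
    return grouped


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:<24} PID {pid}")
    for ppid, rules in correlate_by_parent(EVENTS).items():
        print(f"parent PID {ppid} tripped {len(rules)} rules: {sorted(rules)}")
```

Each rule alone has false positives (admins add exclusions, installers register tasks), which is why the last function correlates by parent: in this run all four flagged children hang off PID 2232, and one process in %TEMP% that adds an exclusion, registers a task and spawns copies of itself is worth an alert on its own. The benign controls (Get-MpPreference, a task XML under Program Files) pass through untouched.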
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 2
  Filesize: 1KB
  MD5: 67113f5224cdb3588a605cc26c33509e
  SHA1: d886ac77d0afadf8c553a6b414b32c1732d4d544
  SHA256: bc8e75fe93f08099e3bb8a6d152f5aa180fd32e03b35944b8f699cb0adae65ee
  SHA512: fe1a6fdd197fe95694f51330b3eb498cc02dea8d85f355db5e8fcb8e44580369d858036d59fe39dc0f32eecdfec3adad8e50e8c325539d087d957b40be1c7bbf