Analysis
max time kernel: 25s
max time network: 18s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14-07-2024 21:23
Static task: static1
Behavioral task: behavioral1
Sample: 2200b8da7972eb3348a0088d1b8147c0N.exe
Resource: win7-20240704-en
General
Target: 2200b8da7972eb3348a0088d1b8147c0N.exe
Size: 772KB
MD5: 2200b8da7972eb3348a0088d1b8147c0
SHA1: 0ba3ddefd855519594cc6865ea4ebd9ce5bdb235
SHA256: 3335161ade4a4cc3865415f0e0b15e9fcedfd2ea6341b6d2d3848bd1e3b5d607
SHA512: 554d59e17aca85ff1be7d4892d59c7b867f9c2c6be2fbf32501034bffc437f6c75570ad31aa4c0054833a405f03e0d749602072fcf0d6af7fd3235381cc732c4
SSDEEP: 24576:t0mljjkY881WPQSiyQt1GUS25p97k6ni:iM3kN895t1Gy5pxk6
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign ID: qt22
Domains (Formbook embeds decoy domains alongside its live C2 and rotates through them, so a single entry from this list seen in traffic is weak evidence on its own; several of them from one host is the stronger signal):
tryventura.co
cashstash.online
keiramcwilliams.site
ytdnb558.com
huq.homes
ib999.cc
ivy001.com
militaryjobs.site
mfhospitality.net
landtour-outdoor.com
cosmicdustclub.com
ssskjv.com
bigremporium.com
network221.com
thegfshops.com
iase.in
alliednp.com
tprovenance.io
massimaidratazione.com
dominodarts.com
pnueprocomp.com
mailmondasconsulting.com
10383ww.com
dew-swimwear.com
yuhb.xyz
311979.com
jiuber.com
aserviceapp.com
fgeozxdr.shop
balisicatnakami.com
kp4fj.cc
606667.xyz
giudaskincare.com
zhiwei-tc.com
rimowa-official.shop
roseforport.com
zenith8commerce.com
zzhtec.com
zhongrentong.fun
sydneyof.com
usps1-updatemyparcel.cc
amritresorts.com
beckerprotocol.com
mstudio44.online
goodmarkets.store
needasystem.com
vitronet.design
jwwallets.com
urban-bag.us
basebasing.com
f4mc10gw.shop
nrdrz.com
tipsylemonade.com
odvip639.com
globesec.io
gevojyt.cfd
moodindigo.rocks
nrteam.store
iierviw510.top
bsuc.in
sicilygate.com
dairybar2024.com
yagonbo.lol
odty312.net
pingshishijie.com
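Turning the extracted config into a hunting check, as an added example that is not part of the sandbox report: the Python below parses a config block laid out as above (family, version, campaign ID, then one domain per line; an excerpt of the report's domain list is embedded as constructed input) and matches DNS query log lines against it, treating subdomains of a configured domain as hits while rejecting look-alike names such as `nottryventura.co`. The log lines, client addresses and timestamps are constructed for the example. Hits are grouped per client because of the decoy caveat: a host that resolved several of these domains in a short window is a much stronger signal than one lookup.

```python
"""Hunt DNS logs for the domains in an extracted Formbook config.

Added example; not part of the sandbox report. CONFIG_TEXT and DNS_LOG
are constructed inputs built from values shown in the report.
"""
import re

# Config excerpt as laid out in the report: family, version, campaign ID,
# then one domain per line (the real report lists many more domains).
CONFIG_TEXT = """\
formbook
4.1
qt22
tryventura.co
cashstash.online
keiramcwilliams.site
ytdnb558.com
huq.homes
ib999.cc
usps1-updatemyparcel.cc
pingshishijie.com
"""

# Conservative hostname syntax check so a garbled config line is rejected
# instead of silently becoming a pattern that never matches.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$", re.I)


def parse_config(text):
    """Return {family, version, campaign, domains} from a config block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, campaign, *domains = lines
    bad = [d for d in domains if not DOMAIN_RE.match(d)]
    if bad:
        raise ValueError(f"not a domain: {bad}")
    return {"family": family, "version": version, "campaign": campaign,
            "domains": frozenset(d.lower() for d in domains)}


def matches(qname, domains):
    """Return the configured domain that qname equals or is a subdomain of.

    Walks from the full name towards the registrable part, so
    'api.cashstash.online' matches 'cashstash.online' but a bare TLD and a
    look-alike such as 'nottryventura.co' never match.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Constructed DNS query log: "timestamp client qname", one query per line.
DNS_LOG = """\
2024-07-14T21:24:01Z 10.0.0.15 www.tryventura.co
2024-07-14T21:24:01Z 10.0.0.15 ctldl.windowsupdate.com
2024-07-14T21:24:03Z 10.0.0.15 ib999.cc
2024-07-14T21:24:05Z 10.0.0.15 nottryventura.co
2024-07-14T21:24:07Z 10.0.0.22 cashstash.online
2024-07-14T21:24:09Z 10.0.0.15 api.cashstash.online
"""


def hunt(log_text, config):
    """Return (timestamp, client, qname, matched_domain) for every hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        hit = matches(qname, config["domains"])
        if hit:
            hits.append((ts, client, qname, hit))
    return hits


def summarize(hits):
    """Distinct matched domains per client; several per client is the
    signal worth escalating, given that the list contains decoys."""
    per_client = {}
    for _, client, _, domain in hits:
        per_client.setdefault(client, set()).add(domain)
    return {c: sorted(ds) for c, ds in per_client.items()}


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for h in hunt(DNS_LOG, cfg):
        print(*h)
    print(summarize(hunt(DNS_LOG, cfg)))
```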
Signatures

Formbook payload (1 IoC)
resource: behavioral1; yara_rule: formbook; memory dump: behavioral1/memory/2668-13-0x0000000000400000-0x000000000042F000-memory.dmp (PID 2668, region 0x00400000-0x0042F000)

Suspicious use of SetThreadContext (1 IoC)
PID 2292 (2200b8da7972eb3348a0088d1b8147c0N.exe) set thread context of PID 2668 (2200b8da7972eb3348a0088d1b8147c0N.exe)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
PID 2292 (2200b8da7972eb3348a0088d1b8147c0N.exe): 8 occurrences
PID 2668 (2200b8da7972eb3348a0088d1b8147c0N.exe): 1 occurrence

Suspicious use of AdjustPrivilegeToken (1 IoC)
PID 2292 (2200b8da7972eb3348a0088d1b8147c0N.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (7 IoCs)
PID 2292 (2200b8da7972eb3348a0088d1b8147c0N.exe) wrote to memory of PID 2668 (2200b8da7972eb3348a0088d1b8147c0N.exe), 7 times

Taken together these signatures describe one chain: the first instance (2292) enables SeDebugPrivilege, writes seven times into a second copy of the same executable (2668), then calls SetThreadContext on it, and the Formbook YARA rule matches only in the child's memory at 0x00400000 (the default image base of a 32-bit PE). That is consistent with the 772KB file on disk being a loader that unpacks the Formbook payload into a suspended copy of itself rather than containing it in plain form.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2200b8da7972eb3348a0088d1b8147c0N.exe (PID 2292)
    command line: "C:\Users\Admin\AppData\Local\Temp\2200b8da7972eb3348a0088d1b8147c0N.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\2200b8da7972eb3348a0088d1b8147c0N.exe (PID 2668, child of 2292)
        command line: "C:\Users\Admin\AppData\Local\Temp\2200b8da7972eb3348a0088d1b8147c0N.exe"
        - Suspicious behavior: EnumeratesProcesses
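As an added example that is not part of the report, the Python below reconstructs the injection chain the signatures describe from a constructed event list mirroring the report: PID 2292 enables SeDebugPrivilege, starts a second copy of the same executable as PID 2668, writes into it seven times and then calls SetThreadContext on it. The detector reports only a write that is followed by a later SetThreadContext into the same target (a context change before any write, or either call alone, is not reported), and records whether source and target share an image and whether the writer held SeDebugPrivilege. A second helper pulls the PID and address range out of the Triage-style dump name so the size of the matched payload region can be compared with the file on disk. The sequence numbers and the CreateProcess event are assumptions made for the example; the report does not list process creation as an API event.

```python
"""Detect the write-then-SetThreadContext injection chain from sandbox events.

Added example; not part of the sandbox report. EVENTS and PROCESSES are
constructed to mirror what the report records for PIDs 2292 and 2668.
"""
from collections import defaultdict

EXE = r"C:\Users\Admin\AppData\Local\Temp\2200b8da7972eb3348a0088d1b8147c0N.exe"

# (sequence, pid, api, target_pid, extra). Sequence numbers and the
# CreateProcess event are assumptions; the rest mirrors the report.
EVENTS = [
    (1, 2292, "AdjustPrivilegeToken", None, "SeDebugPrivilege"),
    (2, 2292, "CreateProcess", 2668, EXE),
] + [(3 + i, 2292, "WriteProcessMemory", 2668, None) for i in range(7)] + [
    (10, 2292, "SetThreadContext", 2668, None),
    (11, 2668, "EnumeratesProcesses", None, None),
]

PROCESSES = {2292: EXE, 2668: EXE}   # pid -> image path


def find_injection_chains(events, processes, min_writes=1):
    """One record per (source, target) pair where source wrote into target
    and later set a thread context there: the core of hollowing and
    self-injection. Writes or context changes into one's own process and
    context changes that precede every write are ignored."""
    writes = defaultdict(list)      # (src, dst) -> seq numbers of writes
    contexts = defaultdict(list)    # (src, dst) -> seq numbers of SetThreadContext
    privileges = defaultdict(set)   # pid -> privileges enabled
    for seq, pid, api, target, extra in events:
        if api == "WriteProcessMemory" and target not in (None, pid):
            writes[(pid, target)].append(seq)
        elif api == "SetThreadContext" and target not in (None, pid):
            contexts[(pid, target)].append(seq)
        elif api == "AdjustPrivilegeToken" and extra:
            privileges[pid].add(extra)

    chains = []
    for (src, dst), write_seqs in writes.items():
        later = [c for c in contexts.get((src, dst), []) if c > min(write_seqs)]
        if len(write_seqs) >= min_writes and later:
            src_image = processes.get(src)
            chains.append({
                "source": src,
                "target": dst,
                "writes": len(write_seqs),
                "same_image": src_image is not None and src_image == processes.get(dst),
                "debug_privilege": "SeDebugPrivilege" in privileges[src],
            })
    return chains


def dump_region(name):
    """(pid, start, size) from a Triage-style dump name such as
    'behavioral1/memory/2668-13-0x0000000000400000-0x000000000042F000-memory.dmp'."""
    parts = name.rsplit("/", 1)[-1].split("-")
    pid, start, end = int(parts[0]), int(parts[2], 16), int(parts[3], 16)
    return pid, start, end - start


if __name__ == "__main__":
    for chain in find_injection_chains(EVENTS, PROCESSES):
        print(chain)
    pid, start, size = dump_region(
        "behavioral1/memory/2668-13-0x0000000000400000-0x000000000042F000-memory.dmp")
    # 0x2F000 bytes of matched payload region versus 772KB on disk.
    print(f"PID {pid}: payload region at {start:#x}, {size} bytes")
```

The region helper is the quick sanity check worth keeping: the YARA hit covers 0x2F000 bytes (about 188 KiB) starting at the default 32-bit image base, far smaller than the 772KB dropper, which supports reading the file on disk as a packed loader.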