Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-07-2024 13:33
Static task: static1

Behavioral task: behavioral1
  Sample: Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe
  Resource: win10v2004-20240709-en

Behavioral task: behavioral3
  Sample: Receipt-30927862-Ticket#0973726-Fines-19346383.exe
  Resource: win7-20240705-en
General

Target: Receipt-30927862-Ticket#0973726-Fines-19346383.exe
Size: 1.0MB
MD5: c64808bee3cbc24910d4a426d4123cce
SHA1: eeff1a128b756e5d4eaabbca3db35c765f7f03f8
SHA256: 9039d85eec99722427577d83cfcf5464fa26d64ca5a40682ba3be7942a3e7155
SHA512: 372e126b49c5a7c1081c92b73a010d84a89f6e7f3ac5c9b6dc0668ca6e6f8390c495f0ef28d31f8460145693d3cb342b81be40fa2fa920ef2ed17460944bad99
SSDEEP: 24576:ntb20pkaCqT5TBWgNQ7a/zdBNeZXGraTPv6A:kVg5tQ7a/zdONGrab5
Malware Config

Extracted
  Family: formbook
  Version: 4.1
  Campaign: gb29
Signatures

Formbook payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral4/memory/1956-11-0x0000000000390000-0x00000000003BF000-memory.dmp   formbook
  behavioral4/memory/1956-15-0x0000000000390000-0x00000000003BF000-memory.dmp   formbook
  behavioral4/memory/4012-21-0x0000000001200000-0x000000000122F000-memory.dmp   formbook

Blocklisted process makes network request (1 IoC)
  flow   pid    process
  35     4012   rundll32.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                                 pid    process                                                 target process
  PID 4628 set thread context of 1956         4628   Receipt-30927862-Ticket#0973726-Fines-19346383.exe      svchost.exe
  PID 1956 set thread context of 3440         1956   svchost.exe                                             Explorer.EXE
  PID 4012 set thread context of 3440         4012   rundll32.exe                                            Explorer.EXE

Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid    process        entries
  1956   svchost.exe    4
  4012   rundll32.exe   58

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid    process                                                entries
  4628   Receipt-30927862-Ticket#0973726-Fines-19346383.exe     2
  1956   svchost.exe                                            3
  4012   rundll32.exe                                           2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid    process
  Token: SeDebugPrivilege    1956   svchost.exe
  Token: SeDebugPrivilege    4012   rundll32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid    process                                                entries
  4628   Receipt-30927862-Ticket#0973726-Fines-19346383.exe     2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid    process                                                entries
  4628   Receipt-30927862-Ticket#0973726-Fines-19346383.exe     2

Suspicious use of UnmapMainImage (1 IoC)
  pid    process
  3440   Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
  description                          pid    process                                                 target process   entries
  PID 4628 wrote to memory of 1956     4628   Receipt-30927862-Ticket#0973726-Fines-19346383.exe      svchost.exe      4
  PID 3440 wrote to memory of 4012     3440   Explorer.EXE                                            rundll32.exe     3
  PID 4012 wrote to memory of 2400     4012   rundll32.exe                                            cmd.exe          3
Processes

C:\Windows\Explorer.EXE (PID 3440)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe (PID 4628, child of 3440)
    command line: "C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (PID 1956, child of 4628)
      command line: "C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\rundll32.exe (PID 4012, child of 3440)
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2400, child of 4012)
      command line: /c del "C:\Windows\SysWOW64\svchost.exe"