Analysis
  max time kernel: 149s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17-07-2024 06:40
  Static task: static1
  Behavioral task: behavioral1
    Sample: 9RogliUNrK3XMIU.exe
    Resource: win7-20240708-en
General
  Target: 9RogliUNrK3XMIU.exe
  Size: 636KB
  MD5: 66645c931f0efe0978e4e6f3a208355a
  SHA1: a8d4f42410e8c03afbe6edff9fb7515811590f7f
  SHA256: b362ced287b5f00b3b2ab2c3a7bbc85b57e13271d76a6c65423a831fde92876c
  SHA512: 7ee22cbc3f80cf079a47fc6c1aff047e3c48106b8b800163227be0d2bb1530654876503947ab75e44b2bcd0a89e89261c9e85c329e46d8f19ec3375e4e9a852e
  SSDEEP: 12288:O5bmfm3V8eY73Sv9+Vcfx4sWo7FxpLq0ubuIKOTeh2AQdRlF6U:IQ73a9+Vcl7FxpG0dhqemRv6U
Malware Config
  Extracted
    Family: formbook
    Version: 4.1
    Campaign: v15n
    C2 domains (decoy/C2 list extracted from the config):
Signatures
  Formbook payload (3 IoCs)
    resource                                                                       yara_rule
    behavioral2/memory/1508-10-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
    behavioral2/memory/1508-15-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
    behavioral2/memory/5044-20-0x0000000000B00000-0x0000000000B2F000-memory.dmp    formbook
  Suspicious use of SetThreadContext (3 IoCs)
    description                   pid   process               target process
    set thread context of 1508    4808  9RogliUNrK3XMIU.exe   9RogliUNrK3XMIU.exe
    set thread context of 3588    1508  9RogliUNrK3XMIU.exe   Explorer.EXE
    set thread context of 3588    5044  help.exe              Explorer.EXE
  Suspicious behavior: EnumeratesProcesses (60 IoCs)
    pid   process               entries
    4808  9RogliUNrK3XMIU.exe   2
    1508  9RogliUNrK3XMIU.exe   4
    5044  help.exe              54 (remaining entries of the 60, all help.exe)
  Suspicious behavior: MapViewOfSection (5 IoCs)
    pid   process               entries
    1508  9RogliUNrK3XMIU.exe   3
    5044  help.exe              2
  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description                pid   process
    Token: SeDebugPrivilege    4808  9RogliUNrK3XMIU.exe
    Token: SeDebugPrivilege    1508  9RogliUNrK3XMIU.exe
    Token: SeDebugPrivilege    5044  help.exe
  Suspicious use of UnmapMainImage (1 IoC)
    pid   process
    3588  Explorer.EXE
  Suspicious use of WriteProcessMemory (15 IoCs)
    description                pid   process               target process        entries
    wrote to memory of 3232    4808  9RogliUNrK3XMIU.exe   9RogliUNrK3XMIU.exe   3
    wrote to memory of 1508    4808  9RogliUNrK3XMIU.exe   9RogliUNrK3XMIU.exe   6
    wrote to memory of 5044    3588  Explorer.EXE          help.exe              3
    wrote to memory of 4348    5044  help.exe              cmd.exe               3
Processes
  [1] C:\Windows\Explorer.EXE (PID 3588)
      command line: C:\Windows\Explorer.EXE
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\9RogliUNrK3XMIU.exe (PID 4808)
        command line: "C:\Users\Admin\AppData\Local\Temp\9RogliUNrK3XMIU.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Local\Temp\9RogliUNrK3XMIU.exe (PID 3232)
          command line: "C:\Users\Admin\AppData\Local\Temp\9RogliUNrK3XMIU.exe"
      [3] C:\Users\Admin\AppData\Local\Temp\9RogliUNrK3XMIU.exe (PID 1508)
          command line: "C:\Users\Admin\AppData\Local\Temp\9RogliUNrK3XMIU.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\autoconv.exe (PID 1408)
        command line: "C:\Windows\SysWOW64\autoconv.exe"
    [2] C:\Windows\SysWOW64\help.exe (PID 5044)
        command line: "C:\Windows\SysWOW64\help.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\cmd.exe (PID 4348)
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\9RogliUNrK3XMIU.exe"