Analysis
-
max time kernel
147s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
17-07-2024 09:25
Static task
static1
Behavioral task
behavioral1
Sample
nell.scr.exe
Resource
win7-20240708-en
General
-
Target
nell.scr.exe
-
Size
617KB
-
MD5
bbb12cd2696ac986ad79c0116da987f4
-
SHA1
802f65e20825ee6b2b5074e6084bc284241278d8
-
SHA256
d8e6a83561b9d8dbe84de21795763589d2626904ac6406ddfe2dc2342c4edb8e
-
SHA512
318e885d898a42b2751d387ba48b6fb359d3665d18637de48f35a53ea525bccbd1d9175a1f0429051d0a714ee887900ad3577db36d31d65f89ba7fb185484911
-
SSDEEP
12288:G4ndmoGCQmm6f9NKxQYtwk+4oK40FxvBF4Ek3zCVbT/Z7p:TnghCFfHK99b/B6zyT
Malware Config
Extracted
formbook
4.1
btrd
everslane.com
prairieviewelectric.online
dszvhgd.com
papamuch.com
8129k.vip
jeffreestar.gold
bestguestrentals.com
nvzhuang1.net
anangtoto.com
yxfgor.top
practicalpoppers.com
thebestanglephotography.online
koormm.top
criika.net
audioflow.online
380747.net
jiuguanwang.net
bloxequities.com
v321c.com
sugar.monster
agriwithai.com
rd8.online
texanboxes.com
h7wlvwr4afx.top
furryfriendsupply.store
xmentorgroup.com
runccl.com
fairplaytavern.com
concretecountertopsolutios.com
wzxq.xyz
outletivo.com
studyasp.net
pure1027.com
xpffvn.cfd
liposuctionclinics2.today
rouchoug.top
rifasgados.com
tesourosobrerodas.site
1stclasstv.net
invest247on.com
watch2movie.xyz
martline.website
naddafornadda.com
drbtcbtc.com
turbrun.com
autounion999370.top
wirewizardselectric.net
0757hunyin.net
researchforhighschool.com
thedivorcesurvivalguide.com
emeraldsurrogatefabric.com
home-repair-contractors-kfm.xyz
onlynaturlpt.shop
agiletzal.site
dylanmoranrules.com
ngbbvuhkm5.asia
proveedorafrac.com
pho3nixkidsghana.com
greatfightcompany.com
hotnerdsg.com
thecolourgrey.com
librarylatte.com
videomademagic.com
coinrun.net
cnoszirzbkaqz.com
Signatures
-
Formbook payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1612-9-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1612-13-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2488-20-0x0000000000070000-0x000000000009F000-memory.dmp formbook -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2860 cmd.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
nell.scr.exenell.scr.exewscript.exedescription pid process target process PID 2556 set thread context of 1612 2556 nell.scr.exe nell.scr.exe PID 1612 set thread context of 1172 1612 nell.scr.exe Explorer.EXE PID 2488 set thread context of 1172 2488 wscript.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
nell.scr.exewscript.exepid process 1612 nell.scr.exe 1612 nell.scr.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe 2488 wscript.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
nell.scr.exewscript.exepid process 1612 nell.scr.exe 1612 nell.scr.exe 1612 nell.scr.exe 2488 wscript.exe 2488 wscript.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
nell.scr.exewscript.exedescription pid process Token: SeDebugPrivilege 1612 nell.scr.exe Token: SeDebugPrivilege 2488 wscript.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
nell.scr.exeExplorer.EXEwscript.exedescription pid process target process PID 2556 wrote to memory of 1612 2556 nell.scr.exe nell.scr.exe PID 2556 wrote to memory of 1612 2556 nell.scr.exe nell.scr.exe PID 2556 wrote to memory of 1612 2556 nell.scr.exe nell.scr.exe PID 2556 wrote to memory of 1612 2556 nell.scr.exe nell.scr.exe PID 2556 wrote to memory of 1612 2556 nell.scr.exe nell.scr.exe PID 2556 wrote to memory of 1612 2556 nell.scr.exe nell.scr.exe PID 2556 wrote to memory of 1612 2556 nell.scr.exe nell.scr.exe PID 1172 wrote to memory of 2488 1172 Explorer.EXE wscript.exe PID 1172 wrote to memory of 2488 1172 Explorer.EXE wscript.exe PID 1172 wrote to memory of 2488 1172 Explorer.EXE wscript.exe PID 1172 wrote to memory of 2488 1172 Explorer.EXE wscript.exe PID 2488 wrote to memory of 2860 2488 wscript.exe cmd.exe PID 2488 wrote to memory of 2860 2488 wscript.exe cmd.exe PID 2488 wrote to memory of 2860 2488 wscript.exe cmd.exe PID 2488 wrote to memory of 2860 2488 wscript.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Users\Admin\AppData\Local\Temp\nell.scr.exe"C:\Users\Admin\AppData\Local\Temp\nell.scr.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\nell.scr.exe"C:\Users\Admin\AppData\Local\Temp\nell.scr.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1612 -
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\nell.scr.exe"3⤵
- Deletes itself
PID:2860