Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
17-07-2024 09:25
Static task
static1
Behavioral task
behavioral1
Sample
nell.scr.exe
Resource
win7-20240708-en
General
-
Target
nell.scr.exe
-
Size
617KB
-
MD5
bbb12cd2696ac986ad79c0116da987f4
-
SHA1
802f65e20825ee6b2b5074e6084bc284241278d8
-
SHA256
d8e6a83561b9d8dbe84de21795763589d2626904ac6406ddfe2dc2342c4edb8e
-
SHA512
318e885d898a42b2751d387ba48b6fb359d3665d18637de48f35a53ea525bccbd1d9175a1f0429051d0a714ee887900ad3577db36d31d65f89ba7fb185484911
-
SSDEEP
12288:G4ndmoGCQmm6f9NKxQYtwk+4oK40FxvBF4Ek3zCVbT/Z7p:TnghCFfHK99b/B6zyT
Malware Config
Extracted
formbook
4.1
btrd
everslane.com
prairieviewelectric.online
dszvhgd.com
papamuch.com
8129k.vip
jeffreestar.gold
bestguestrentals.com
nvzhuang1.net
anangtoto.com
yxfgor.top
practicalpoppers.com
thebestanglephotography.online
koormm.top
criika.net
audioflow.online
380747.net
jiuguanwang.net
bloxequities.com
v321c.com
sugar.monster
agriwithai.com
rd8.online
texanboxes.com
h7wlvwr4afx.top
furryfriendsupply.store
xmentorgroup.com
runccl.com
fairplaytavern.com
concretecountertopsolutios.com
wzxq.xyz
outletivo.com
studyasp.net
pure1027.com
xpffvn.cfd
liposuctionclinics2.today
rouchoug.top
rifasgados.com
tesourosobrerodas.site
1stclasstv.net
invest247on.com
watch2movie.xyz
martline.website
naddafornadda.com
drbtcbtc.com
turbrun.com
autounion999370.top
wirewizardselectric.net
0757hunyin.net
researchforhighschool.com
thedivorcesurvivalguide.com
emeraldsurrogatefabric.com
home-repair-contractors-kfm.xyz
onlynaturlpt.shop
agiletzal.site
dylanmoranrules.com
ngbbvuhkm5.asia
proveedorafrac.com
pho3nixkidsghana.com
greatfightcompany.com
hotnerdsg.com
thecolourgrey.com
librarylatte.com
videomademagic.com
coinrun.net
cnoszirzbkaqz.com
Signatures
-
Formbook payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/532-9-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/532-12-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/4680-19-0x0000000000760000-0x000000000078F000-memory.dmp formbook -
Suspicious use of SetThreadContext 3 IoCs
Processes:
nell.scr.exenell.scr.exemsdt.exedescription pid process target process PID 3064 set thread context of 532 3064 nell.scr.exe nell.scr.exe PID 532 set thread context of 3464 532 nell.scr.exe Explorer.EXE PID 4680 set thread context of 3464 4680 msdt.exe Explorer.EXE -
Modifies registry class 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
nell.scr.exemsdt.exepid process 532 nell.scr.exe 532 nell.scr.exe 532 nell.scr.exe 532 nell.scr.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe 4680 msdt.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
nell.scr.exemsdt.exepid process 532 nell.scr.exe 532 nell.scr.exe 532 nell.scr.exe 4680 msdt.exe 4680 msdt.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
nell.scr.exeExplorer.EXEmsdt.exedescription pid process Token: SeDebugPrivilege 532 nell.scr.exe Token: SeShutdownPrivilege 3464 Explorer.EXE Token: SeCreatePagefilePrivilege 3464 Explorer.EXE Token: SeShutdownPrivilege 3464 Explorer.EXE Token: SeCreatePagefilePrivilege 3464 Explorer.EXE Token: SeDebugPrivilege 4680 msdt.exe Token: SeShutdownPrivilege 3464 Explorer.EXE Token: SeCreatePagefilePrivilege 3464 Explorer.EXE Token: SeShutdownPrivilege 3464 Explorer.EXE Token: SeCreatePagefilePrivilege 3464 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3464 Explorer.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
nell.scr.exeExplorer.EXEmsdt.exedescription pid process target process PID 3064 wrote to memory of 532 3064 nell.scr.exe nell.scr.exe PID 3064 wrote to memory of 532 3064 nell.scr.exe nell.scr.exe PID 3064 wrote to memory of 532 3064 nell.scr.exe nell.scr.exe PID 3064 wrote to memory of 532 3064 nell.scr.exe nell.scr.exe PID 3064 wrote to memory of 532 3064 nell.scr.exe nell.scr.exe PID 3064 wrote to memory of 532 3064 nell.scr.exe nell.scr.exe PID 3464 wrote to memory of 4680 3464 Explorer.EXE msdt.exe PID 3464 wrote to memory of 4680 3464 Explorer.EXE msdt.exe PID 3464 wrote to memory of 4680 3464 Explorer.EXE msdt.exe PID 4680 wrote to memory of 3092 4680 msdt.exe cmd.exe PID 4680 wrote to memory of 3092 4680 msdt.exe cmd.exe PID 4680 wrote to memory of 3092 4680 msdt.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Users\Admin\AppData\Local\Temp\nell.scr.exe"C:\Users\Admin\AppData\Local\Temp\nell.scr.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\nell.scr.exe"C:\Users\Admin\AppData\Local\Temp\nell.scr.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:532 -
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\nell.scr.exe"3⤵PID:3092