Analysis
max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 17-07-2024 14:21
Static task: static1
Behavioral task: behavioral1
Sample: Custom Clearance 5816641785332.exe
Resource: win7-20240704-en

General
Target: Custom Clearance 5816641785332.exe
Size: 785KB
MD5: 6d8d9238f841e55f9b34ac5f2a438495
SHA1: c7f8651a41b9ff7b0ca8e9e462f23758d76423bc
SHA256: 98744503d8f81bb42030a999aa4e2284717cfca54c4395ddfd72fd7bfea44872
SHA512: 9b1187eabf09aa32a4b2e88abb27390388d5b2a008fbeb3250ad8538f3f37fe7fb673ea1d0dbf437dd5006e38bd3c973ba7440e0ea571e7b2ccf6b520094da79
SSDEEP: 12288:5q9VTNbF6zEkZVi8fPiQgrZEZR79Hcg1pRavD7R5GtYG2ucIqB/:c99QVpPiJ+9Hcg7G7GVcB/
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: na10
C2: the 65 domains below are the full list carried in the config. Formbook pads the real C2 with decoy domains (which can be legitimate sites), so treat the list as hunting candidates rather than as 65 confirmed C2 servers.
tetheus.com
ventlikeyoumeanit.com
tintbliss.com
rinabet357.com
sapphireboutiqueusa.com
abc8bet6.com
xzcn3i7jb13cqei.buzz
pinktravelsnagpur.com
bt365038.com
rtpbossujang303.shop
osthirmaker.com
thelonelyteacup.com
rlc2019.com
couverture-charpente.com
productivagc.com
defendercarcare.com
abcentixdigital.com
petco.ltd
oypivh.top
micro.guru
hokivegasslots.club
5663876.com
symboleffekt.info
tworiverlabsintake.com
pegaso.store
sasoera.com
material.chat
taniamckirdy.com
dansistosproductions.com
moromorojp.com
z27e1thx976ez3u.buzz
skinrenue.com
nbvci.xyz
jakobniinja.xyz
snykee.com
sl24.top
wawturkiye.xyz
virtualeventsbyelaine.com
giorgiaclerico.com
d9psk8.xyz
hard-to-miss.space
awclog.com
topcomparativos.com
somoyboutique.com
findlove.pro
zbo170.app
dexcoenergy.com
nona23.lat
ingelset.com
hexatelier.com
nftees.tech
visionarymaterialsinstitute.com
khanyos.com
bz59.top
migraine-treatment-28778.bond
catboxbot.online
kkugames.com
llmsearchoptimization.com
fipbhvvb.xyz
vmytzptc.xyz
intermediafx.shop
lhrrs.com
grimreapervalley.com
discount-fess.space
liamcollinai.com
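The way a practitioner would actually use the list above is to hunt DNS telemetry for it, remembering that most entries are decoys. The script below is an added example and not part of the Triage report: the domains are a subset copied from the extracted config (paste the full list in practice), the Zeek-style log lines are constructed for the example, and the matching and ranking logic is my own.

```python
"""Hunt DNS logs for the domains in the extracted Formbook config.
Added example: domains copied from the report (subset), log lines constructed."""
from collections import defaultdict

# Subset of the C2 list copied from the report's extracted config.
C2_DOMAINS = [
    "tetheus.com", "ventlikeyoumeanit.com", "tintbliss.com", "rinabet357.com",
    "petco.ltd", "micro.guru", "material.chat", "liamcollinai.com",
]

# Constructed Zeek-style dns.log excerpt: ts, client, query (tab-separated).
DNS_LOG = """\
#fields\tts\tid.orig_h\tquery
1721226100.1\t10.0.0.5\twww.tetheus.com.
1721226101.4\t10.0.0.5\tVENTLIKEYOUMEANIT.COM
1721226102.9\t10.0.0.5\tupdate.microsoft.com
1721226103.2\t10.0.0.5\ttintbliss.com
1721226150.0\t10.0.0.9\tpetco.ltd
1721226151.0\t10.0.0.9\tnotpetco.ltd
1721226160.0\t10.0.0.12\tgithub.com
"""


def normalise(host):
    """Lower-case and strip the trailing dot that DNS logs often keep."""
    return host.strip().rstrip(".").lower()


def match_domain(query, watchlist):
    """Return the watch-list entry a query hits (exact or subdomain), else None.
    'notpetco.ltd' must not hit 'petco.ltd', hence the '.'-prefixed suffix test."""
    q = normalise(query)
    for d in (normalise(w) for w in watchlist):
        if q == d or q.endswith("." + d):
            return d
    return None


def hunt(log_text, watchlist):
    """Map each client to the sorted set of distinct watch-list domains it resolved."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        _, client, query = fields[:3]
        d = match_domain(query, watchlist)
        if d:
            hits[client].add(d)
    return {c: sorted(ds) for c, ds in hits.items()}


def rank(hits):
    """Clients that resolved several distinct list domains come first: Formbook pads
    the real C2 with decoys, so a single lookup of one list domain is weaker evidence
    than a burst of lookups across the list from the same host."""
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for client, domains in rank(hunt(DNS_LOG, C2_DOMAINS)):
        print(f"{client}: {len(domains)} list domain(s): {', '.join(domains)}")
```

Because the config ships one real C2 among decoys, a single hit on one list domain (petco.ltd above) deserves a look but not a page; a host resolving three list domains in a few seconds is the Formbook beacon pattern and should be triaged first.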
Signatures
Formbook payload (4 IoCs)
resource | yara_rule
behavioral1/memory/2924-14-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2924-18-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2924-22-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/352-27-0x0000000000090000-0x00000000000BF000-memory.dmp | formbook

Deletes itself (1 IoC)
pid | process
2060 | cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | process | target process
PID 2388 set thread context of 2924 | 2388 | Custom Clearance 5816641785332.exe | Custom Clearance 5816641785332.exe
PID 2924 set thread context of 1196 | 2924 | Custom Clearance 5816641785332.exe | Explorer.EXE
PID 2924 set thread context of 1196 | 2924 | Custom Clearance 5816641785332.exe | Explorer.EXE
PID 352 set thread context of 1196 | 352 | cmstp.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid | process | occurrences
2388 | Custom Clearance 5816641785332.exe | 2
2924 | Custom Clearance 5816641785332.exe | 3
352 | cmstp.exe | 20

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process | occurrences
2924 | Custom Clearance 5816641785332.exe | 4
352 | cmstp.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2388 | Custom Clearance 5816641785332.exe
Token: SeDebugPrivilege | 2924 | Custom Clearance 5816641785332.exe
Token: SeDebugPrivilege | 352 | cmstp.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | process | target process | occurrences
PID 2388 wrote to memory of 2924 | 2388 | Custom Clearance 5816641785332.exe | Custom Clearance 5816641785332.exe | 7
PID 1196 wrote to memory of 352 | 1196 | Explorer.EXE | cmstp.exe | 7
PID 352 wrote to memory of 2060 | 352 | cmstp.exe | cmd.exe | 4
Processes
([n] is the tree depth recorded by the sandbox; each entry gives the image, the PID, the command line and the signatures that fired on it)

[1] C:\Windows\Explorer.EXE  PID:1196
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Custom Clearance 5816641785332.exe  PID:2388
        command line: "C:\Users\Admin\AppData\Local\Temp\Custom Clearance 5816641785332.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\Custom Clearance 5816641785332.exe  PID:2924
            command line: "C:\Users\Admin\AppData\Local\Temp\Custom Clearance 5816641785332.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\autochk.exe  (22 instances, no signatures)
        command line: "C:\Windows\SysWOW64\autochk.exe"
        PIDs: 2640, 2800, 2792, 2012, 2780, 2788, 2660, 2668, 1192, 2616, 2624, 2632, 2680, 2688, 1728, 2232, 1972, 2676, 2324, 2172, 2332, 680
    [2] C:\Windows\SysWOW64\cmstp.exe  PID:352
        command line: "C:\Windows\SysWOW64\cmstp.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2060
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\Custom Clearance 5816641785332.exe"
            - Deletes itself
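Read together, the signature rows and the process tree describe one chain: the dropper hollows a fresh copy of itself, that copy injects into Explorer, the injected Explorer writes into a signed SysWOW64 binary (cmstp.exe) which injects back into Explorer and then spawns cmd.exe to delete the dropper. The script below is an added example and not part of the Triage report: it rebuilds that chain from the report's own SetThreadContext and WriteProcessMemory rows plus the cmd.exe command line, and flags each step. The event rows and the command line are copied from this report; the parser, the small LOLBIN allow-list and the heuristics are my own.

```python
"""Rebuild the process-injection chain from Triage signature rows and flag the
Formbook-style pattern. Added example: rows and command line copied from the report."""
import re
from collections import defaultdict

# Copied from the report's SetThreadContext / WriteProcessMemory tables, one event per
# line (the report repeats some events; duplicates are collapsed during parsing).
EVENT_ROWS = """
PID 2388 set thread context of 2924 2388 Custom Clearance 5816641785332.exe Custom Clearance 5816641785332.exe
PID 2924 set thread context of 1196 2924 Custom Clearance 5816641785332.exe Explorer.EXE
PID 2924 set thread context of 1196 2924 Custom Clearance 5816641785332.exe Explorer.EXE
PID 352 set thread context of 1196 352 cmstp.exe Explorer.EXE
PID 2388 wrote to memory of 2924 2388 Custom Clearance 5816641785332.exe Custom Clearance 5816641785332.exe
PID 1196 wrote to memory of 352 1196 Explorer.EXE cmstp.exe
PID 352 wrote to memory of 2060 352 cmstp.exe cmd.exe
"""

# Copied from the report's process tree: command line of the cmd.exe child of cmstp.exe.
CMD_LINES = {
    2060: r'/c del "C:\Users\Admin\AppData\Local\Temp\Custom Clearance 5816641785332.exe"',
}

# Signed SysWOW64 binaries seen hosting the second stage in this report. Assumption:
# extend this allow-list with the other hosts you see Formbook choose in your telemetry.
LOLBIN_HOSTS = {"cmstp.exe", "autochk.exe"}

# Triage row layout: "PID <src> <verb> <dst> <src> <src image> <target image>".
# Image names may contain spaces, so the source image is matched non-greedily up to
# its first ".exe" and the rest of the line is the target image.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>.+?\.exe) (?P<dst_img>.+\.exe)$",
    re.IGNORECASE,
)


def parse_events(text):
    """Turn the flattened Triage rows into deduplicated event dicts."""
    events, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        key = (
            "inject" if m["verb"].lower().startswith("set") else "write",
            int(m["src"]), int(m["dst"]),
            m["src_img"].lower(), m["dst_img"].lower(),
        )
        if key not in seen:
            seen.add(key)
            events.append(dict(zip(("verb", "src", "dst", "src_img", "dst_img"), key)))
    return events


def analyse(events, cmd_lines):
    """Return human-readable findings for the injection chain, in chain order."""
    images = {}
    for e in events:
        images[e["src"]] = e["src_img"]
        images[e["dst"]] = e["dst_img"]
    injected_into = defaultdict(set)  # target pid -> pids that set its thread context
    findings = []

    for e in events:
        if e["verb"] != "inject":
            continue
        injected_into[e["dst"]].add(e["src"])
        if e["src_img"] == e["dst_img"]:
            findings.append(f"hollowing: {e['src']} set the thread context of a fresh copy "
                            f"of itself ({e['dst']})")
        elif e["dst_img"] == "explorer.exe":
            findings.append(f"explorer injection: {e['src']} ({e['src_img']}) set thread "
                            f"context in Explorer {e['dst']}")

    # Relay: the already-injected Explorer writes into a signed system binary, which
    # then sets Explorer's thread context in turn.
    for e in events:
        if (e["verb"] == "write" and e["src_img"] == "explorer.exe"
                and e["dst_img"] in LOLBIN_HOSTS and e["dst"] in injected_into[e["src"]]):
            findings.append(f"relay: {e['dst_img']} {e['dst']} was written by injected "
                            f"Explorer {e['src']} and injected back into it")

    # Self-delete: a cmd.exe written to by the relay host deletes a known image.
    for pid, cmdline in cmd_lines.items():
        m = re.search(r'\bdel\s+"?([^"]+)"?', cmdline, re.IGNORECASE)
        if not m:
            continue
        target = m.group(1).rsplit("\\", 1)[-1].lower()
        writers = sorted({e["src"] for e in events if e["verb"] == "write" and e["dst"] == pid})
        if target in images.values() and any(images[w] in LOLBIN_HOSTS for w in writers):
            findings.append(f"self-delete: {target} removed by cmd.exe {pid} spawned from "
                            + ", ".join(f"{images[w]} {w}" for w in writers))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_events(EVENT_ROWS), CMD_LINES):
        print(finding)
```

The same four checks map directly onto endpoint telemetry: a process setting the thread context of a suspended child with its own image, any non-Windows image setting Explorer's thread context, Explorer writing into a SysWOW64 binary it just started, and a cmd.exe `del` aimed at a path that another process in the chain was executed from. The 22 autochk.exe launches in the tree carry no signatures here, which is why the allow-list matters: the host that finally takes the payload is not fixed across runs.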