Analysis
- max time kernel: 145s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2024 16:35
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ESW2091H52Y6.vbe
  - Resource: win7-20240705-en
General
- Target: ESW2091H52Y6.vbe
- Size: 4.7MB
- MD5: 6d933e921beffff0992ccdb64bbfa968
- SHA1: 24149345e79200dc21fb6d853e62d7e9ceaf605c
- SHA256: 1d204cb5dccb45236e756ff1d5e1605ab30b67948a40af27c195b6d4f2e5a2ae
- SHA512: 9b8ea5fe63f9e3ae856bdf437bb18f94d923d2674f6d085d65a8d3cf95b58ff10fee530e7ed290fd87995e3c4ea7562334e7c9f2d48736410bd20f168272d4b4
- SSDEEP: 12288:sk+zeB3lLnyTHm63p8P+RQf77puZL0Sfr3ucJ6q53mxmaQEd1wZ4mjBRclC:skbhAFDu7pjSfaI52xmX4mjBRB
Malware Config
- Extracted: formbook, version 4.1, de94
Signatures

Formbook payload (4 IoCs)
resource | yara_rule
behavioral1/memory/2992-25-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2992-32-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2992-38-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2908-45-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
Adds policy Run key to start application (2 TTPs, 1 IoC)
Processes: help.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1385883288-3042840365-2734249351-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | help.exe

Executes dropped EXE (1 IoC)
Processes: HHhHh.exe
pid | process
1268 | HHhHh.exe

Loads dropped DLL (7 IoCs)
Processes: WScript.exe, WerFault.exe
pid | process
2380 | WScript.exe
1236 | (process name not recorded)
2828 | WerFault.exe (5 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: help.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\4H5XFRP0W6 = "C:\\Program Files (x86)\\Windows Mail\\wab.exe" | help.exe

Suspicious use of SetThreadContext (5 IoCs)
Processes: HHhHh.exe, wab.exe, help.exe
description | pid | process | target process
PID 1268 set thread context of 2992 | 1268 | HHhHh.exe | wab.exe
PID 2992 set thread context of 1196 | 2992 | wab.exe | Explorer.EXE
PID 2992 set thread context of 1196 | 2992 | wab.exe | Explorer.EXE
PID 2908 set thread context of 1196 | 2908 | help.exe | Explorer.EXE
PID 2908 set thread context of 2916 | 2908 | help.exe | notepad.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes: help.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1385883288-3042840365-2734249351-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | help.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: wab.exe, help.exe
pid | process
2992 | wab.exe (3 entries)
2908 | help.exe (25 entries)

Suspicious behavior: MapViewOfSection (10 IoCs)
Processes: wab.exe, help.exe
pid | process
2992 | wab.exe (4 entries)
2908 | help.exe (6 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: wab.exe, Explorer.EXE, help.exe
description | pid | process
Token: SeDebugPrivilege | 2992 | wab.exe
Token: SeShutdownPrivilege | 1196 | Explorer.EXE
Token: SeDebugPrivilege | 2908 | help.exe
Token: SeShutdownPrivilege | 1196 | Explorer.EXE
Token: SeShutdownPrivilege | 1196 | Explorer.EXE

Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
pid | process
1196 | Explorer.EXE

Suspicious use of WriteProcessMemory (40 IoCs)
Processes: WScript.exe, HHhHh.exe, Explorer.EXE, help.exe
description | pid | process | target process
PID 2380 wrote to memory of 1268 | 2380 | WScript.exe | HHhHh.exe (3 entries)
PID 1268 wrote to memory of 2756 | 1268 | HHhHh.exe | csc.exe (4 entries)
PID 1268 wrote to memory of 2776 | 1268 | HHhHh.exe | ngen.exe (4 entries)
PID 1268 wrote to memory of 2888 | 1268 | HHhHh.exe | calc.exe (5 entries)
PID 1268 wrote to memory of 2916 | 1268 | HHhHh.exe | notepad.exe (5 entries)
PID 1268 wrote to memory of 2992 | 1268 | HHhHh.exe | wab.exe (7 entries)
PID 1268 wrote to memory of 2828 | 1268 | HHhHh.exe | WerFault.exe (3 entries)
PID 1196 wrote to memory of 2908 | 1196 | Explorer.EXE | help.exe (4 entries)
PID 2908 wrote to memory of 1664 | 2908 | help.exe | Firefox.exe (5 entries)
Processes
- C:\Windows\Explorer.EXE (PID 1196)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ESW2091H52Y6.vbe" (PID 2380)
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\HHhHh.exe" (PID 1268)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" (PID 2756)
      - "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" (PID 2776)
      - "C:\Windows\System32\calc.exe" (PID 2888)
      - "C:\Windows\System32\notepad.exe" (PID 2916)
      - "C:\Program Files (x86)\Windows Mail\wab.exe" (PID 2992)
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\WerFault.exe -u -p 1268 -s 656 (PID 2828)
        - Loads dropped DLL
  - "C:\Windows\SysWOW64\help.exe" (PID 2908)
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - "C:\Program Files\Mozilla Firefox\Firefox.exe" (PID 1664)
Downloads