Analysis

max time kernel: 146s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-07-2024 16:35
Static task: static1
Behavioral task: behavioral1
Sample: ESW2091H52Y6.vbe
Resource: win7-20240705-en
General

Target: ESW2091H52Y6.vbe
Size: 4.7MB
MD5: 6d933e921beffff0992ccdb64bbfa968
SHA1: 24149345e79200dc21fb6d853e62d7e9ceaf605c
SHA256: 1d204cb5dccb45236e756ff1d5e1605ab30b67948a40af27c195b6d4f2e5a2ae
SHA512: 9b8ea5fe63f9e3ae856bdf437bb18f94d923d2674f6d085d65a8d3cf95b58ff10fee530e7ed290fd87995e3c4ea7562334e7c9f2d48736410bd20f168272d4b4
SSDEEP: 12288:sk+zeB3lLnyTHm63p8P+RQf77puZL0Sfr3ucJ6q53mxmaQEd1wZ4mjBRclC:skbhAFDu7pjSfaI52xmX4mjBRB
Malware Config

Extracted configuration
Family: formbook
Version: 4.1
Campaign: de94
C2 domains:
way2future.net
worldnewsdailys.online
rendamaisbr.com
s485.icu
vcxwpo.xyz
imagivilleartists.com
herbatyorganics.com
xn--80ado1abokv5d.xn--p1acf
invigoratewell.com
especialistaleitura.online
pkrstg.com
performacaretechnical.com
dreamgame55.net
hkitgugx.xyz
istanlikbilgiler.click
slotter99j.vip
exploringtheoutdoors.net
triberoots.com
energiaslotsbet.com
dkforcm.com
rtp1kijangwin.top
monkeytranslate.com
21stcut.shop
hgty866.xyz
shaktitest.site
monrocasino-508.com
level4d1.bet
nbcze.com
rtproketslotcsn.art
xjps.ltd
yoanamod.com
gv031.net
mceliteroofing.com
1wtrh.com
online-dating-24966.bond
dentalbrasstacks.com
kf7wzmuzv0w.xyz
gyosei-arimura.com
shopyzones.shop
bradleyboy.xyz
bradleyboy.xyz
nownzen.store
buysellrepresent.com
tateshades.xyz
club1stclass.com
2309238042.com
ashleymorgan.live
xn--pdr89n.vip
princecl.xyz
mindfulmanifest.net
c4ads.net
exlith.com
jiogskeojg.xyz
lxrtl.com
cshark-sguser.com
h021b.rest
alfiethorhalls.com
librosinfantiles.top
alazamexports.com
mehalhouse.com
slvtapeworld.com
mybest.engineer
legalix.xyz
kuuichi.xyz
happygreenfarm.com
Signatures

Formbook payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4536-16-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/4536-19-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/4536-24-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/4928-32-0x0000000000600000-0x000000000062F000-memory.dmp | formbook

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (1 IoC)
  pid | process
  4612 | HHhHh.exe

Suspicious use of SetThreadContext (4 IoCs)
  description | pid | process | target process
  PID 4612 set thread context of 4536 | 4612 | HHhHh.exe | csc.exe
  PID 4536 set thread context of 3528 | 4536 | csc.exe | Explorer.EXE
  PID 4536 set thread context of 3528 | 4536 | csc.exe | Explorer.EXE
  PID 4928 set thread context of 3528 | 4928 | msiexec.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE

Runs regedit.exe (1 IoC)
  pid | process
  864 | regedit.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid | process
  4536 | csc.exe (6 entries)
  4928 | msiexec.exe (54 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | process
  4536 | csc.exe (4 entries)
  4928 | msiexec.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4536 | csc.exe
  Token: SeShutdownPrivilege | 3528 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3528 | Explorer.EXE
  Token: SeDebugPrivilege | 4928 | msiexec.exe
  Token: SeShutdownPrivilege | 3528 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3528 | Explorer.EXE
  (the SeShutdownPrivilege / SeCreatePagefilePrivilege pair for Explorer.EXE PID 3528 occurs 11 times in total, giving 24 IoCs)

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  3528 | Explorer.EXE (2 entries)

Suspicious use of UnmapMainImage (1 IoC)
  pid | process
  3528 | Explorer.EXE

Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | process | target process | entries
  PID 3720 wrote to memory of 4612 | 3720 | WScript.exe | HHhHh.exe | 2
  PID 4612 wrote to memory of 3948 | 4612 | HHhHh.exe | ngen.exe | 3
  PID 4612 wrote to memory of 2284 | 4612 | HHhHh.exe | aspnet_wp.exe | 3
  PID 4612 wrote to memory of 864 | 4612 | HHhHh.exe | regedit.exe | 4
  PID 4612 wrote to memory of 2156 | 4612 | HHhHh.exe | svchost.exe | 4
  PID 4612 wrote to memory of 968 | 4612 | HHhHh.exe | calc.exe | 4
  PID 4612 wrote to memory of 4536 | 4612 | HHhHh.exe | csc.exe | 6
  PID 3528 wrote to memory of 4928 | 3528 | Explorer.EXE | msiexec.exe | 3
  PID 4928 wrote to memory of 1464 | 4928 | msiexec.exe | cmd.exe | 3
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3528
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ESW2091H52Y6.vbe"
    PID: 3720
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\HHhHh.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\HHhHh.exe"
      PID: 4612
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
        PID: 3948

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        PID: 2284

      C:\Windows\regedit.exe
        command line: "C:\Windows\regedit.exe"
        PID: 864
        - Runs regedit.exe

      C:\Windows\System32\svchost.exe
        command line: "C:\Windows\System32\svchost.exe"
        PID: 2156

      C:\Windows\System32\calc.exe
        command line: "C:\Windows\System32\calc.exe"
        PID: 968

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        PID: 4536
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    PID: 4928
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      PID: 1464
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.3MB
MD5: 2e2001da412256e70357a85c584a5b61
SHA1: 6d35c2d73b30d6fe0c428687210d591856243006
SHA256: bad6f8d92ae8b460fa4cba747f45ca96d2292579375a5973a709b03a2e192aa3
SHA512: 1eef20ee569e98bd5d4f797489745713ab4b8b7c8a97f4367dd13d892afce0e1a5f72c51c6fa82f1fa3a30a1e95b1be03162a9f1ea3ba025356a18619e450d41