Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
08-08-2024 06:36
Static task
static1
Behavioral task
behavioral1
Sample
d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe
Resource
win7-20240708-en
General
-
Target
d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe
-
Size
768KB
-
MD5
05ef7ade99c5e2d204f44a83481f98df
-
SHA1
2a055a83e04b1918072c21dbc992caffce466b5e
-
SHA256
d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9
-
SHA512
34a6d2cc7ca2da3b30056ceb0541bd5382aede8627e9a1ecf42e0dcac38b12031bbf8a8ccf7532c7b33798f4270353db90ea78ae89acb959af85423d223c3d22
-
SSDEEP
12288:1IWiyHwQn+eSI+i1PV5gx/aJtWBQo4yK/7HV3aQCFBQR7MMUITRPoqyrAg2XgTPa:mzyHEeSIBb/WJ4dj13aUzUW2hV2wTPdy
Malware Config
Extracted
formbook
4.1
hy08
weazc.top
servoceimmpajhnuz.info
vqemkdhi.xyz
wergol.com
spa-mk.com
rtpsid88.life
tatetits.fun
raidsa.xyz
suojiansuode.net
jointhejunction.com
wudai.net
typeboot.shop
mksport-app.com
miocloud.ovh
taipan77pandan.com
wwwhg58a.com
khuahamiksai31.pro
carpedatumllc.net
safebinders.com
krx21.com
qyld9yp.icu
ischover.com
lineagegenetics.com
breakfreesoar.com
os9user.com
m1rmen.tech
cttlca.click
privacysift.com
gilggak.com
horxncnt.xyz
strategyguys.info
egyptflickcasino.online
5536canoga.com
ilpradio.com
shahgoldentravel.com
autismtour.com
alivioquantico.com
valo.games
manhuafeifei.xyz
bihungoreng22.click
btc158.com
500728.party
hemcksqa.net
agclcdstf460.xyz
flywatchsecurity.com
bedazzledbabe.com
btcrenaissance.net
mavincrm.com
65618.asia
axgventures.com
arelenegrace.com
cryptosmartguide.xyz
bodgion.xyz
21556934.com
cheaplaptops.biz
v2e5g.xyz
yc23w.top
24khome.com
cdncf.xyz
marabudigital.online
3sqre.lol
entgab679y.top
b10a.shop
mekanbahis104.com
avai66.xyz
Signatures
-
Formbook payload 1 IoCs
resource yara_rule behavioral1/memory/2788-18-0x0000000000400000-0x000000000042F000-memory.dmp formbook -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2180 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2316 set thread context of 2788 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 36 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2292 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 2788 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 2180 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe Token: SeDebugPrivilege 2180 powershell.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2180 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 30 PID 2316 wrote to memory of 2180 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 30 PID 2316 wrote to memory of 2180 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 30 PID 2316 wrote to memory of 2180 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 30 PID 2316 wrote to memory of 2292 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 31 PID 2316 wrote to memory of 2292 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 31 PID 2316 wrote to memory of 2292 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 31 PID 2316 wrote to memory of 2292 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 31 PID 2316 wrote to memory of 2820 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 35 PID 2316 wrote to memory of 2820 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 35 PID 2316 wrote to memory of 2820 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 35 PID 2316 wrote to memory of 2820 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 35 PID 2316 wrote to memory of 2788 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 36 PID 2316 wrote to memory of 2788 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 36 PID 2316 wrote to memory of 2788 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 36 PID 2316 wrote to memory of 2788 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 36 PID 2316 wrote to memory of 2788 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 36 PID 2316 wrote to memory of 2788 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 36 PID 2316 wrote to memory of 2788 2316 d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe"C:\Users\Admin\AppData\Local\Temp\d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\glzojWKniaYcql.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\glzojWKniaYcql" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD394.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2292
-
-
C:\Users\Admin\AppData\Local\Temp\d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe"C:\Users\Admin\AppData\Local\Temp\d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe"2⤵PID:2820
-
-
C:\Users\Admin\AppData\Local\Temp\d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe"C:\Users\Admin\AppData\Local\Temp\d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2788
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f3f22530cf89c7b0cd71d453c5a4f790
SHA121ac0b0279b6d49eb910a5098feebae1580f96ab
SHA256db58411fe74366fa4df94442a3908a0aa4d1547cb04454bd878c5505f8ee3bbf
SHA512354d9bd683cd14680c30274f570aa67b8200850a7cacd52e95328719b772e46fcc88033a128f653df03569c40a134681399823048f4f6d39e29d2e8e6b4241cd