Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-09-2024 01:26
Static task
static1
Behavioral task
behavioral1
Sample
DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe
Resource
win7-20240903-en
General
-
Target
DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe
-
Size
1.2MB
-
MD5
1876c101ef20d1d02f23014425ac06e1
-
SHA1
28abc61712aa81fe8f0838f1588cbd556d923e89
-
SHA256
1f4b2861d0fcd9241dfd17b5ae99741e712f0297ca5fb4f3858340ce3cbb91d0
-
SHA512
87e7838b5ef65a0c84c40e6d881f44a8af2a43354a1b7a9d301a3180ac2df77cfc4aac04aa4042e187959373b2c95d9ae62570a6c6e29bc982bfd5a5cb67398b
-
SSDEEP
24576:GqDEvCTbMWu7rQYlBQcBiT6rprG8an98M8HQXeYeun1033:GTvC/MTQYxsWR7an98M8wXi6
Malware Config
Extracted
formbook
4.1
ot96
yclingbear.studio
sxuio.xyz
eon-official-bk-o57v.buzz
teel.management
rusjitu.sbs
ighwald-holdings.info
ummitfinancal.vip
layvalleyconstruction.online
pp-games-efficsecuspon.xyz
ouh.shop
mgltd.services
gshsjwhgsg.fun
eidotijolo.online
yifg.sbs
nline-gaming-ox-mx.xyz
ux-money.info
inergiputraborneo.dev
panish-classes-67016.bond
reightrading.info
23bet.xyz
lg158.cfd
ecas-para-usted.xyz
rinklefree.xyz
deptkajsa.cfd
dqrw.info
watio-staging-internal.app
audyluxevintageboutique.shop
ruise-jobs-90138.bond
amuel-paaae.buzz
vf-treatment-near-me-my.today
olarsystemssa.today
aniel-saaae.buzz
25ks-ls72510.cyou
onstruction-services-98555.bond
saauiiqew.bond
antsell.xyz
v43ni4t.xyz
eight-loss-0725.today
ridgenextdigital.online
ver.exchange
mazoncarbon.shop
ugbin.xyz
ousecleaning-vort-p1-bob-3.shop
onnenkollektor-de.today
c369kj.buzz
pfrt-22-mb.click
opcornrobot.online
hecashflowcatalog.net
j-slot88gacor.bond
rhtf.buzz
otitemmarket.net
ercedesemrotomotiv.shop
yantech.online
entalslab.net
gowelcomeflingofswish.homes
martdata.sbs
martbedin02.today
nnovativeind.xyz
99577-sj.top
umanoid.exchange
omputercourses123.live
oncreterepairjob-4fb.click
piiice.net
ersinakilliev.online
etirementconundrum.live
Signatures
-
Formbook payload 4 IoCs
resource yara_rule behavioral1/memory/2336-6-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2336-10-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2336-14-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2484-20-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/1976-5-0x0000000001300000-0x0000000001433000-memory.dmp autoit_exe behavioral1/memory/1976-7-0x0000000001300000-0x0000000001433000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 1976 set thread context of 2336 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe 30 PID 2336 set thread context of 1212 2336 svchost.exe 21 PID 2336 set thread context of 1212 2336 svchost.exe 21 PID 2484 set thread context of 1212 2484 chkdsk.exe 21 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chkdsk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 2336 svchost.exe 2336 svchost.exe 2336 svchost.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe 2484 chkdsk.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe 2336 svchost.exe 2336 svchost.exe 2336 svchost.exe 2336 svchost.exe 2484 chkdsk.exe 2484 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2336 svchost.exe Token: SeDebugPrivilege 2484 chkdsk.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe 1212 Explorer.EXE 1212 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1976 wrote to memory of 2336 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe 30 PID 1976 wrote to memory of 2336 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe 30 PID 1976 wrote to memory of 2336 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe 30 PID 1976 wrote to memory of 2336 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe 30 PID 1976 wrote to memory of 2336 1976 DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe 30 PID 1212 wrote to memory of 2484 1212 Explorer.EXE 31 PID 1212 wrote to memory of 2484 1212 Explorer.EXE 31 PID 1212 wrote to memory of 2484 1212 Explorer.EXE 31 PID 1212 wrote to memory of 2484 1212 Explorer.EXE 31 PID 2484 wrote to memory of 2284 2484 chkdsk.exe 33 PID 2484 wrote to memory of 2284 2484 chkdsk.exe 33 PID 2484 wrote to memory of 2284 2484 chkdsk.exe 33 PID 2484 wrote to memory of 2284 2484 chkdsk.exe 33
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe"C:\Users\Admin\AppData\Local\Temp\DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\svchost.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2284
-
-
Network
-
Remote address:8.8.8.8:53Requestwww.etirementconundrum.liveIN AResponse
-
Remote address:8.8.8.8:53Requestwww.ercedesemrotomotiv.shopIN AResponse
-
Remote address:8.8.8.8:53Requestwww.ercedesemrotomotiv.shopIN AResponse
-
Remote address:8.8.8.8:53Requestwww.mazoncarbon.shopIN AResponse
-
Remote address:8.8.8.8:53Requestwww.99577-sj.topIN AResponse
-
Remote address:8.8.8.8:53Requestwww.99577-sj.topIN AResponse
-
Remote address:8.8.8.8:53Requestwww.99577-sj.topIN A
-
Remote address:8.8.8.8:53Requestwww.inergiputraborneo.devIN AResponse
-
73 B 141 B 1 1
DNS Request
www.etirementconundrum.live
-
146 B 260 B 2 2
DNS Request
www.ercedesemrotomotiv.shop
DNS Request
www.ercedesemrotomotiv.shop
-
66 B 123 B 1 1
DNS Request
www.mazoncarbon.shop
-
186 B 264 B 3 2
DNS Request
www.99577-sj.top
DNS Request
www.99577-sj.top
DNS Request
www.99577-sj.top
-
71 B 169 B 1 1
DNS Request
www.inergiputraborneo.dev