Analysis
- Max time kernel: 149s
- Max time network: 148s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 28-10-2024 13:55
- Static task: static1
- Behavioral task: behavioral1 (sample: Document.exe, resource: win7-20240903-en)
General
- Target: Document.exe
- Size: 1.0MB
- MD5: 8128f92e759ef0399a73d001b78bf37e
- SHA1: 64d435e7ca1c98ea6e1b5818d6cc8d0dad22db7d
- SHA256: 2d1d21fefaccdde89b759234f18ed79ea0a8a631c15be4f93fe3106f7fe6abe6
- SHA512: 5de12e936fc0be70ed771cb911e3cacec64a1ddd6e84124bd59b9a56117fd5eae655c79442cc33f971fe686ec8826484c196f04c5c6b85fb6864ac7b24faee30
- SSDEEP: 24576:ffmMv6Ckr7Mny5QL2OTYtNaqimUy7RRtst35de:f3v+7/5QL2mTARReR5de
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign identifier: n04s
- Decoy/C2 domain list: 65 entries in the original report (omitted here)
Signatures
- Formbook family
- Formbook payload (3 IoCs)
  YARA rule "formbook" matched in the following memory dumps:
  - behavioral1/memory/2844-3-0x0000000000400000-0x000000000042F000-memory.dmp
  - behavioral1/memory/2844-6-0x0000000000400000-0x000000000042F000-memory.dmp
  - behavioral1/memory/2712-12-0x0000000000080000-0x00000000000AF000-memory.dmp
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 2688 (Document.exe) set thread context of PID 2844 (procid_target 31)
  - PID 2844 (svchost.exe) set thread context of PID 1212 (procid_target 21)
  - PID 2712 (cmd.exe) set thread context of PID 1212 (procid_target 21)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Document.exe)
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  - PID 2844 (svchost.exe): 2 events
  - PID 2712 (cmd.exe): 29 events
- Suspicious behavior: MapViewOfSection (6 IoCs)
  - PID 2688 (Document.exe): 1 event
  - PID 2844 (svchost.exe): 3 events
  - PID 2712 (cmd.exe): 2 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 2844 (svchost.exe)
  - Token: SeDebugPrivilege, PID 2712 (cmd.exe)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  - PID 2688 (Document.exe): 2 events
  - PID 1212 (Explorer.EXE): 2 events
- Suspicious use of SendNotifyMessage (2 IoCs)
  - PID 2688 (Document.exe): 2 events
- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 2688 (Document.exe) wrote to memory of PID 2844 (procid_target 31): 5 events
  - PID 1212 (Explorer.EXE) wrote to memory of PID 2712 (procid_target 32): 4 events
  - PID 2712 (cmd.exe) wrote to memory of PID 2856 (procid_target 33): 4 events
Processes
- C:\Windows\Explorer.EXE (PID 1212)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Document.exe (PID 2688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Document.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 2844)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Document.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 2712)
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2856)
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
      - System Location Discovery: System Language Discovery
Network
DNS requests (all sent to 8.8.8.8:53, record type A; the report lists no answer records for any of them):
  Query                  Bytes sent   Bytes received   Packets sent   Packets received
  www.trrttfjftw.top     64 B         134 B            1              1
  www.fyigh-on.xyz       62 B         127 B            1              1
  www.tart-ewlon.xyz     64 B         129 B            1              1
  www.15501.pro          59 B         141 B            1              1
  www.oldplay.click      63 B         128 B            1              1
  www.espond-yvctq.xyz   66 B         131 B            1              1