Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2024 02:49
Static task
static1
Behavioral task
behavioral1
Sample
7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe
Resource
win7-20240708-en
General
-
Target
7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe
-
Size
28KB
-
MD5
5ad176cf9482ccedc206fca269089b25
-
SHA1
0b917af3c99023327127aa034d3904888029e2d3
-
SHA256
7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021
-
SHA512
9e9c68cd8467f5b08f514b2315025f9e863f66a2d5746f54b5d7d5df89e8b6e9c232bca3fbfedfd6450b2d1ccb37bbd630ea95c0c1bdd5150acd73fb0841d580
-
SSDEEP
192:+YHwHj0yVgOOVinHuCN0Tv2m5g7EDum0KypCkCgS43IhS/rUO50biUU9H+v5mIAf:4AyrgCNkun7EZ3uBIhErX6mPeJACsxh
Malware Config
Extracted
formbook
4.1
o62s
lectrobay.shop
enisehirarnavutkoy.xyz
itoolz.net
otorcycle-loans-40378.bond
opjobsinusa.today
uara228j.shop
ukulbagus10.click
enhealth07.shop
cpoker.pro
ome-remodeling-16949.bond
andu.shop
hubbychicocharmqs.shop
onghi292.top
ussines-web-creators.net
alenspencer.online
ryptogigt.top
epiyiisigorta.online
ental-implants-77717.bond
juta.click
enisehirevleriarnavutkoy.xyz
pertforces.store
kdse.boutique
uccessfulproduct.shop
newrist.online
2045.pictures
epid.dev
oxo.net
utivme.info
arehouse-inventory-65114.bond
axiquynhongiare.asia
etooclaim.store
heterraceongregory.store
orldwise-admission.online
outenbox.shop
kipoxz.xyz
iperliteratura.online
hoccyboxy.dev
iicf72105.vip
regnancy-10606.bond
dambelardino.net
oans-credits-55622.bond
zprintbox.store
3sejzs3.sbs
fi-group.world
iveworks.xyz
gtg.store
4mn.info
aliente.kaufen
ottostar.motorcycles
oker99-ms.christmas
p595.top
artmartuqsa.shop
infundcadastro.site
merp.link
irclemedia.shop
ind.expert
mitrywedkam.online
opcharlottesydimby.shop
mmamartin.info
uikstudy.sbs
estpro.group
card.yachts
mazoui.fun
ooktonook.online
hronika.fun
Signatures
-
Formbook family
-
Formbook payload 1 IoCs
resource yara_rule behavioral2/memory/3628-13-0x0000000000400000-0x000000000042F000-memory.dmp formbook -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/memory/2624-7-0x0000000005EB0000-0x0000000005F42000-memory.dmp agile_net -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021 = "C:\\Users\\Admin\\Documents\\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.pif" reg.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2624 set thread context of 3628 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 90 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 3628 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 3628 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2624 wrote to memory of 4776 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 84 PID 2624 wrote to memory of 4776 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 84 PID 2624 wrote to memory of 4776 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 84 PID 4776 wrote to memory of 4084 4776 cmd.exe 86 PID 4776 wrote to memory of 4084 4776 cmd.exe 86 PID 4776 wrote to memory of 4084 4776 cmd.exe 86 PID 2624 wrote to memory of 900 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 87 PID 2624 wrote to memory of 900 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 87 PID 2624 wrote to memory of 900 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 87 PID 2624 wrote to memory of 5020 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 89 PID 2624 wrote to memory of 5020 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 89 PID 2624 wrote to memory of 5020 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 89 PID 2624 wrote to memory of 3628 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 90 PID 2624 wrote to memory of 3628 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 90 PID 2624 wrote to memory of 3628 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 90 PID 2624 wrote to memory of 3628 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 90 PID 2624 wrote to memory of 3628 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 90 PID 2624 wrote to memory of 3628 2624 7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe"C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021" /t REG_SZ /F /D "C:\Users\Admin\Documents\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.pif"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021" /t REG_SZ /F /D "C:\Users\Admin\Documents\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.pif"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4084
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c Copy "C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe" "C:\Users\Admin\Documents\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.pif"2⤵
- System Location Discovery: System Language Discovery
PID:900
-
-
C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe"C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe"2⤵PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe"C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3628
-
Network
-
Remote address:8.8.8.8:53Requestrn3-sa.comIN AResponsern3-sa.comIN A66.29.153.238
-
Remote address:66.29.153.238:443RequestGET /1949 HTTP/1.1
Host: rn3-sa.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
last-modified: Fri, 29 Nov 2024 04:26:46 GMT
accept-ranges: bytes
content-length: 570368
date: Sat, 07 Dec 2024 02:49:52 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request238.153.29.66.in-addr.arpaIN PTRResponse238.153.29.66.in-addr.arpaIN PTRpremium247-3web-hostingcom
-
Remote address:8.8.8.8:53Request25.125.209.23.in-addr.arpaIN PTRResponse25.125.209.23.in-addr.arpaIN PTRa23-209-125-25deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request73.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request53.210.109.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request181.129.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
66.29.153.238:443https://rn3-sa.com/1949tls, http7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe14.1kB 593.9kB 283 429
HTTP Request
GET https://rn3-sa.com/1949HTTP Response
200
-
56 B 72 B 1 1
DNS Request
rn3-sa.com
DNS Response
66.29.153.238
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
72 B 114 B 1 1
DNS Request
238.153.29.66.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
25.125.209.23.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
73.31.126.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
53.210.109.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
181.129.81.91.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa