Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
11-12-2024 02:50
Static task
static1
Behavioral task
behavioral1
Sample
79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe
Resource
win7-20240708-en
General
-
Target
79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe
-
Size
851KB
-
MD5
95a22e4bce7bd0a47c94cb47cb7e2d3a
-
SHA1
6d4efe018df36424c66b4a7337b2045fe2c8c03e
-
SHA256
79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040
-
SHA512
9b6e5b3ccca79f9847a4ebf27eb5eebeec5ba9988704ce863a30733fb5b7fb953d4769cb411f70bde387d89e7f75e7a9a2ca31c576a634c8a9b374ddbb7313bb
-
SSDEEP
12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLJoEanOS/H0Rvg/oh8qv60n:ffmMv6Ckr7Mny5QLJoEYOS/URvg/oY6
Malware Config
Extracted
formbook
4.1
cl21
0001.shop
earch-parttimejobs.today
are888.top
akanhaunthipped.shop
othing-heyu.xyz
cadvirsor.net
nclanalae.shop
lectric-cars-mexico.today
oxj-question.xyz
ersonalloanoffers.today
ersonalloans-fo54-fo37.click
verybody-ewfx.xyz
ercuremontauban.media
azilimdunyam.net
airs-clinicato.today
wiftsscend.click
ertainly-jbws.xyz
8xeng.app
damekadmitageable.cfd
ollapsedec.shop
mpldo.app
g18q29a.top
etaddiction.tech
lbatasalboinamoco.shop
eyyzj-medical.xyz
ote-lmeg.xyz
cellelukacs.shop
evinedesignz11.net
n217.vip
eimy.top
ellisimaa.shop
hjk-west.xyz
nline-dating-be-10.today
wocykmw.top
ytsxv.xyz
iding-lawn-mower.today
olarpergolasolutions.today
ainco.net
r86yd.top
ndrvb-stock.xyz
ing88vn.today
vez3.xyz
fg-am.pro
ultplanlz.click
ecurebet.click
fjng-court.xyz
rsenalatamanaxweed.shop
iaoyingtao16.vip
rime-kvsff.xyz
ufdd-interesting.xyz
qbdl-base.xyz
ushihq.xyz
400108pptddbo685.top
tself-gqemlq.xyz
uyher.shop
ffprintshoplv.shop
ushyniceneobaza.cfd
dmrroa.net
ar-deals-ca-8966160.live
ramx-jorv.top
ifw-less.xyz
hwisdom.net
xrjgq-prepare.xyz
rchertravel.click
ingledatings46.xyz
Signatures
-
Formbook family
-
Formbook payload 3 IoCs
resource yara_rule behavioral1/memory/3068-6-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/3068-9-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1948-14-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2076 set thread context of 3068 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 30 PID 3068 set thread context of 1188 3068 svchost.exe 21 PID 1948 set thread context of 1188 1948 colorcpl.exe 21 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language colorcpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 3068 svchost.exe 3068 svchost.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe 1948 colorcpl.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 3068 svchost.exe 3068 svchost.exe 3068 svchost.exe 1948 colorcpl.exe 1948 colorcpl.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3068 svchost.exe Token: SeDebugPrivilege 1948 colorcpl.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 1188 Explorer.EXE 1188 Explorer.EXE -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2076 wrote to memory of 3068 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 30 PID 2076 wrote to memory of 3068 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 30 PID 2076 wrote to memory of 3068 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 30 PID 2076 wrote to memory of 3068 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 30 PID 2076 wrote to memory of 3068 2076 79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe 30 PID 1188 wrote to memory of 1948 1188 Explorer.EXE 31 PID 1188 wrote to memory of 1948 1188 Explorer.EXE 31 PID 1188 wrote to memory of 1948 1188 Explorer.EXE 31 PID 1188 wrote to memory of 1948 1188 Explorer.EXE 31 PID 1948 wrote to memory of 2508 1948 colorcpl.exe 33 PID 1948 wrote to memory of 2508 1948 colorcpl.exe 33 PID 1948 wrote to memory of 2508 1948 colorcpl.exe 33 PID 1948 wrote to memory of 2508 1948 colorcpl.exe 33
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe"C:\Users\Admin\AppData\Local\Temp\79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
-
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\svchost.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2508
-
-
Network
-
Remote address:8.8.8.8:53Requestwww.nline-dating-be-10.todayIN AResponse
-
Remote address:8.8.8.8:53Requestwww.ushyniceneobaza.cfdIN AResponse
-
Remote address:8.8.8.8:53Requestwww.ufdd-interesting.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestwww.earch-parttimejobs.todayIN AResponse
-
Remote address:8.8.8.8:53Requestwww.ingledatings46.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestwww.evinedesignz11.netIN AResponse
-
74 B 142 B 1 1
DNS Request
www.nline-dating-be-10.today
-
69 B 134 B 1 1
DNS Request
www.ushyniceneobaza.cfd
-
70 B 135 B 1 1
DNS Request
www.ufdd-interesting.xyz
-
74 B 142 B 1 1
DNS Request
www.earch-parttimejobs.today
-
68 B 133 B 1 1
DNS Request
www.ingledatings46.xyz
-
68 B 141 B 1 1
DNS Request
www.evinedesignz11.net