Analysis
-
max time kernel
146s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
13-12-2024 20:56
Static task
static1
Behavioral task
behavioral1
Sample
quotation sheet 1 sheet 2.exe
Resource
win7-20240903-en
General
-
Target
quotation sheet 1 sheet 2.exe
-
Size
1.0MB
-
MD5
58923ab5edc1d65d3f0fb3c71ee2af64
-
SHA1
5de29822b230043708b6725b3fe0e9f2eb1ad21a
-
SHA256
1ddd6b7f64ff57668ca9087e77362e4d11fda7c3c07aebe6c1f48b560aea038e
-
SHA512
d8c28559e79783cccbb9b2fac8c3a2b29471b87035c326be203ab486c62df8a6b7a59c4ecffe87cea6e201fc825274faa6b3befe7a3a735f154d567abbb09b32
-
SSDEEP
24576:mu6J33O0c+JY5UZ+XC0kGso6FatnXQN8TyT1soHDWY:ou0c++OCvkGs9FatgaTusoiY
Malware Config
Extracted
formbook
4.1
at22
etween-us.online
sphaleia.net
ental-implants-78350.bond
q4a.lat
commerce-97292.bond
linds-curtains-38811.bond
gyptevoyages.net
landofigueroa-abogados.net
cuitis.xyz
hantom.city
yzk.online
afikabmedan.store
ome-remodeling-67289.bond
ebpage-klzdxrhnazi.shop
eject.lol
rismart.xyz
nfluencer-marketing-72407.bond
ksolotl.xyz
ebsbayrntilrmizin93.xyz
pps-75399.bond
larecompany.sbs
b-apps.net
onitoring-devices-50256.bond
asusuos.shop
87zy448d.shop
irportandart.net
15y.lat
fujo3jsj8.cyou
uyhaa.website
uihangditrungquoc.online
sphalt-jobs-32044.bond
hlexpress-add.cyou
essecurity.xyz
assysirens.store
hhomestore.online
arehouse-inventory-86457.bond
ezup.store
ymgjyj.info
cez.lat
ubconcern.shop
ct1portfolio.xyz
fficecleaning216.shop
arbontrust.xyz
simg.xyz
oya.fun
irwickstore.store
s-yatch-rentals-9n.today
1854.loan
ontent-marketing-31220.bond
atreal.kitchen
lucorecover.net
nline-mba-85097.bond
heusefulshopun.shop
etvigosurge.shop
otwire.store
ysportsbook.xyz
teelsections.net
zgrfi.info
xosoft.xyz
epression-test-67062.bond
soiuy.xyz
fx8l3vz2c.icu
exer.xyz
95zt370d.shop
olajosbetku.store
Signatures
-
Formbook family
-
Formbook payload 3 IoCs
resource | yara_rule
behavioral2/memory/4540-7-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/4540-10-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/4540-14-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1120 set thread context of 4540 | 1120 | quotation sheet 1 sheet 2.exe | 82
PID 4540 set thread context of 3524 | 4540 | svchost.exe | 56
PID 4540 set thread context of 3524 | 4540 | svchost.exe | 56
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | quotation sheet 1 sheet 2.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4540 | svchost.exe
4540 | svchost.exe
4540 | svchost.exe
4540 | svchost.exe
4540 | svchost.exe
4540 | svchost.exe
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process
1120 | quotation sheet 1 sheet 2.exe
4540 | svchost.exe
4540 | svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4540 | svchost.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
1120 | quotation sheet 1 sheet 2.exe
1120 | quotation sheet 1 sheet 2.exe
1120 | quotation sheet 1 sheet 2.exe
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
1120 | quotation sheet 1 sheet 2.exe
1120 | quotation sheet 1 sheet 2.exe
1120 | quotation sheet 1 sheet 2.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1120 wrote to memory of 4540 | 1120 | quotation sheet 1 sheet 2.exe | 82
PID 1120 wrote to memory of 4540 | 1120 | quotation sheet 1 sheet 2.exe | 82
PID 1120 wrote to memory of 4540 | 1120 | quotation sheet 1 sheet 2.exe | 82
PID 1120 wrote to memory of 4540 | 1120 | quotation sheet 1 sheet 2.exe | 82
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3524
    C:\Users\Admin\AppData\Local\Temp\quotation sheet 1 sheet 2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\quotation sheet 1 sheet 2.exe"
      PID: 1120
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\quotation sheet 1 sheet 2.exe"
          PID: 4540
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\autochk.exe
      Command line: "C:\Windows\SysWOW64\autochk.exe"
      PID: 1996