Analysis
Max time kernel: 149s
Max time network: 137s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 15-12-2024 07:55

Static task: static1
Behavioral task: behavioral1
Sample: roominglist.exe
Resource: win7-20240729-en
General
Target: roominglist.exe
Size: 355KB
MD5: 0a13ecd06bd1e3f0eab2f9978decb649
SHA1: 62a914a933c5f25d23ff72c8d1cc937d0f19c0d9
SHA256: 9f22499224e80938917ef48a3e490372372395cc95a66c9c6df16b64fa384b46
SHA512: 953309685fc31399d1e746033b519b6ef5ab736465043c79e390b0cef65af95c56891eb81496ca1170ba08ae30a883739cf359a2ed35e5979111f2fbf66ec414
SSDEEP: 6144:zlag31vYxBBcW7stlZ5WVplicKX1w5zBy2pp7qBR4bXOaEBej/jxzQWVwueoqziD:zlaglvYxBBZ7iZkVpwX1w59BpKR46aEW
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mn9v
Decoy domains:
whitepqags.com
jyps95.com
lkportoes.com
discotwinks.com
samgyupontheway.info
fourtimeseight.com
fossahosting.net
siakadvm.com
mywebpromotion.com
vysocky.coffee
folkloren.com
underwier.agency
moneymatric.com
romaditalialr.com
unfilteredessence.com
viktorlevi.com
curbo.info
sacrilege.church
charlenemee.com
magatv.net
yoonye.com
adriandd.com
ssampark.com
theholisticskincarecompany.com
lolnails.com
urbancare.site
thespaceraft.com
faslikeyf.com
radiate2020.com
glendevon.services
gsplao.com
power-realestate.com
side.run
ramseysmattresses.com
saltandsandhairco.com
labarradejuan.com
cejngj.com
ctkweb.com
testnewsecshhat.com
soveggiesogood.com
effortlesswarranty.com
ruintrumprally.com
modeconsultingllc.com
heathen6.com
mirail-inc.com
boatrentalcenter.com
shopseandco.com
valengz.com
citestbiz1597753661.com
getthereaviation.com
steelvalleyburners.com
trungtamxuongkhop.asia
tahmu.com
huhulook.com
wusatai.space
berlin-ferien.com
mentor-onlinemu.com
misspamper.life
condition1group.net
tgyybg.com
hypnofitlife.com
allamericanboots.com
rockerzee.com
cremeriakarol.com
lt1699.com
Signatures

Formbook family

Formbook payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3176-3-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/3176-6-0x0000000000400000-0x000000000042E000-memory.dmp | formbook

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 3384 set thread context of 3176 | 3384 | roominglist.exe | 84
PID 3176 set thread context of 3512 | 3176 | roominglist.exe | 56
PID 648 set thread context of 3512 | 648 | wscript.exe | 56

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3096 | 3384 | WerFault.exe | 82

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | roominglist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wscript.exe

Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid | Process
3176 | roominglist.exe (4 entries)
648 | wscript.exe (remaining 58 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process
3384 | roominglist.exe
3176 | roominglist.exe
3176 | roominglist.exe
3176 | roominglist.exe
648 | wscript.exe
648 | wscript.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3176 | roominglist.exe
Token: SeShutdownPrivilege | 3512 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3512 | Explorer.EXE
Token: SeShutdownPrivilege | 3512 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3512 | Explorer.EXE
Token: SeShutdownPrivilege | 3512 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3512 | Explorer.EXE
Token: SeDebugPrivilege | 648 | wscript.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 3384 wrote to memory of 3176 | 3384 | roominglist.exe | 84
PID 3384 wrote to memory of 3176 | 3384 | roominglist.exe | 84
PID 3384 wrote to memory of 3176 | 3384 | roominglist.exe | 84
PID 3384 wrote to memory of 3176 | 3384 | roominglist.exe | 84
PID 3512 wrote to memory of 648 | 3512 | Explorer.EXE | 88
PID 3512 wrote to memory of 648 | 3512 | Explorer.EXE | 88
PID 3512 wrote to memory of 648 | 3512 | Explorer.EXE | 88
PID 648 wrote to memory of 744 | 648 | wscript.exe | 90
PID 648 wrote to memory of 744 | 648 | wscript.exe | 90
PID 648 wrote to memory of 744 | 648 | wscript.exe | 90
Processes

C:\Windows\Explorer.EXE (PID 3512)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\roominglist.exe (PID 3384)
    Command line: "C:\Users\Admin\AppData\Local\Temp\roominglist.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\roominglist.exe (PID 3176)
      Command line: "C:\Users\Admin\AppData\Local\Temp\roominglist.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe (PID 3096)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 348
      - Program crash

  C:\Windows\SysWOW64\wscript.exe (PID 648)
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 744)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\roominglist.exe"
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe (PID 4544)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3384 -ip 3384