Analysis

max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 18:42

Static task: static1
Behavioral task: behavioral1
  Sample: Copia de transferencia bancaria.exe
  Resource: win7-20240729-en
General

Target: Copia de transferencia bancaria.exe
Size: 971KB
MD5: 8ee464229bdaac78e1354a7ff334af85
SHA1: a566511090198f92b82e07c1675b256f6c91e923
SHA256: 8095979c4153bbcced38a6ee12589fbb67f356535a91cf22e26413ee3f1c4e34
SHA512: 836274df2b83188718400c22b71becbf445d2f128cdfbc342cb62cb3655cc70441a638705911c449f500748e7be13082a11ac4d261a03e9c805cdf10e3e1ab87
SSDEEP: 12288:Ntcg0r9tDZddpnLnv2hVSKRytHxnrceHMcrIaPy1FTAUI4kSxv1/:Nt893hSh0K0pxVIaPy1FW41
Malware Config

Extracted: formbook
Version: 4.1
Campaign: de19
Signatures

Formbook family

Formbook payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2612-21-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2656-25-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid    Process
  2776   powershell.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid    Process                               procid_target
  PID 1916 set thread context of 2612   1916   Copia de transferencia bancaria.exe   35
  PID 2612 set thread context of 1208   2612   RegSvcs.exe                           21
  PID 2656 set thread context of 1208   2656   NETSTAT.EXE                           21

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Copia de transferencia bancaria.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    NETSTAT.EXE
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe

Gathers network information (2 TTPs, 1 IoCs)
Uses a command-line utility to view the network configuration.
  pid    Process
  2656   NETSTAT.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2636   schtasks.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs; repeated hits collapsed, count per process shown)
  pid    Process          hits
  2612   RegSvcs.exe      2
  2776   powershell.exe   1
  2656   NETSTAT.EXE      21

Suspicious behavior: MapViewOfSection (5 IoCs; repeated hits collapsed, count per process shown)
  pid    Process          hits
  2612   RegSvcs.exe      3
  2656   NETSTAT.EXE      2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   2612   RegSvcs.exe
  Token: SeDebugPrivilege   2776   powershell.exe
  Token: SeDebugPrivilege   2656   NETSTAT.EXE

Suspicious use of WriteProcessMemory (26 IoCs; repeated hits collapsed, count per row shown)
  description                        pid    Process                               procid_target   hits
  PID 1916 wrote to memory of 2776   1916   Copia de transferencia bancaria.exe   31              4
  PID 1916 wrote to memory of 2636   1916   Copia de transferencia bancaria.exe   33              4
  PID 1916 wrote to memory of 2612   1916   Copia de transferencia bancaria.exe   35              10
  PID 1208 wrote to memory of 2656   1208   Explorer.EXE                          36              4
  PID 2656 wrote to memory of 1724   2656   NETSTAT.EXE                           37              4
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1208
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Copia de transferencia bancaria.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Copia de transferencia bancaria.exe"
    PID: 1916
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\inKcSqSKZsI.exe"
      PID: 2776
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\inKcSqSKZsI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5763.tmp"
      PID: 2636
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2612
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    PID: 2656
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1724
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 10dba6203c11a7296467a156891e17ea
SHA1: e03e340da1663fba516c93a3bf776bf199623f56
SHA256: 6892043d868a3f1b47b757eb8f41d1c2302e2e64305659d7096855008edaed55
SHA512: 33e0353ced85b8bb0263164f05a5e5a3bbca67828b51daa73e3d76bb6c142d639034b991df949c0e111e7986e3b8eaf214064e5f2e3bf5d7a02920d2f8d641e9