Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 25-12-2024 14:06
Static task: static1
Behavioral task: behavioral1
Sample: win67.exe
Resource: win7-20240903-en
General
Target: win67.exe
Size: 633KB
MD5: c004bd5347a132521537d834be0b923f
SHA1: c84b199a3d70ac370000e7fd6d31009fba721493
SHA256: 01e0b09f23635c1fe73b80cec3323677fe5bc6ce9ce58da9a12aa3e14936018a
SHA512: 391c504d9c9509aa0eeb241d22cda071b226e9dba9107c481e345aae8c64dca3a6c6afc5620f7e960442e34ff96b8aa5ffdea65fae218f7f1858fe7f406e8f54
SSDEEP: 12288:+g8tD+p1h79i/DdVedE5fJD7uwk6vP+ZWXwcAanrMXlXmZNXNSOO5:+gwVDdcE5fJV+ZuwFanYXlh/
Malware Config
Extracted
formbook
4.1
p6ai
ocfoundation.info
fullhouse01.com
a-great-lexus-rx.fyi
googlepayperclick.com
coachmyragolden.com
luxclothing.club
medicationbuddy.com
miraclepawsfoundation.com
datingforcez.online
wasteharvester.com
solslides.com
hotel-ritterhof.com
tianjinsf.com
receiveyourcashnow.com
the-vma.com
godrejroyalewoodsbangalore.com
erickrokanphotography.com
vasinvestments.com
janlago.com
2nocent.com
grasipy.com
generic5menviav.com
siokan.com
trump-single.com
betweentheadvents.com
huellitasdecleo.com
callaido.com
jfl-info.net
associationuniversity.com
fashionclogstops.com
tlscert.watch
maxenvio4.online
rugpat.com
aerialconsult.com
rwtcjd.com
thevirtualeventz.com
kuyili.net
tiendapatina.com
samcartt.com
tacotourtexas.com
kindermap.com
kofc2458.com
learnavstandards.com
independentthirdparty.com
vanessabruno.club
urbanaffirmation-active.com
uniquelykay.com
micondolencias.com
thehaircandi.com
dfshelf.com
beautifullivesmatter.info
tea.coffee
pickleballpainmanagement.com
kci-sh.com
vzhizuo.com
edubox24.store
emridoc.com
fashpark.com
irishebikes.com
natalyashelk.online
kpassan.com
eranratzon.com
femueweczedre.com
bastianbrown.com
bookkeeping32.com
Signatures

Formbook family

Formbook payload (1 IoC)
resource: behavioral1/memory/1700-2-0x00000000000E0000-0x000000000010E000-memory.dmp
yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
description: PID 2960 set thread context of 1700
pid: 2960
Process: win67.exe
procid_target: 31

Program crash (1 IoC)
pid: 2136
pid_target: 1700
Process: WerFault.exe
procid_target: 31

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: win67.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: win67.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
pid: 2960, Process: win67.exe
pid: 2960, Process: win67.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description: PID 2960 wrote to memory of 1700, pid: 2960, Process: win67.exe, procid_target: 31 (5 occurrences)
description: PID 1700 wrote to memory of 2136, pid: 1700, Process: win67.exe, procid_target: 32 (4 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\win67.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\win67.exe"
PID: 2960
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\win67.exe (child of PID 2960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\win67.exe"
  PID: 1700
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (child of PID 1700)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 36
    PID: 2136
    - Program crash