Analysis
max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
25-12-2024 20:06
Static task
static1
Behavioral task
behavioral1
Sample
efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
Resource
win7-20240903-en
General
Target
efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
Size
915KB
MD5
792353205b038d4109dc86fbfaf1836e
SHA1
788fd33360c15eaefe8074d0d67ec3198d028e7e
SHA256
efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177
SHA512
5a91c9662e0ea4e9db2ea2046a0b696f0a85c99aa851cda9987ba81c4a0edc92d05862efea481fe50492f44352cb38bb5bd3bb16b2cda20e96a612da68c0c8ec
SSDEEP
12288:jqY3c8/y70cUbrU/4Rj8JIJTcbfdK1rZdnSWBopL/DCn6k6DNwIrqaewt1KgP:Wmx7g/0gJzbfdSDSWBopfC6BD
Malware Config
Extracted
formbook
oc5e
9gZPW9yJUzcMFJ6KSbk=
kWCy2lf52OGbUmtEHR9i3aOIb8c=
mKKp192P5FQ5p4cxJ8vQyqOIb8c=
5On+xX5s0VE5pruTMQ+5
xs0RFcesYRb5MAHGrTUPz6OIb8c=
m36XWeE+J455493HVQTJfCo=
QtLkoNvKqJ9eJrVmXC7PlSg=
0jiSSgO6GNN7N1jk5A==
aX7BtX5eyln88rZeJKWuY1Hy0g==
tQ9ZEtyxE6FfoLGTMQ+5
MZHXcyvfLOXMCeGPSfKrkCI=
qYzioZQLHKOtY7FH2tltaA==
mH5m/biP4UL5c6uTMQ+5
Qla8f3DYrQy2bocc
iRoQtvLlAFxDv3Me8w==
p+4A7eVNLpeQBPGon3NMCOZXFX9O
WfAzGFQF3jkZk7eTMQ+5
Z7oF0kuvBLNkXBvBgwcNEulXFX9O
KBFnE0PvwOuIlBPBm2OqYA==
alm1creOsHsx7g==
PpXknWFK0XNX1PPbTfqz
xydAIx9/SrRUFGcZ
PAxB3xMFnQi2bocc
nwItzXcedDkZVljxz7JkC+hXFX9O
p8AuteVQV9i7UatJ2tltaA==
EhYsEUTrgg==
ssvrbaKDsHsx7g==
+Jf9I7eSJ4lx
f4bCwntiR3ZZAEH85saFScMOXF9vVYn7
5eQD5mb9ZxD1PEz3tGdcxqJO
hCoqA0Ttzh0BtiLQrngN9Za9RIVqWJP/
+sre4YxFD2pd1OmILB7E0jU=
YSxkb/NU9GdHg2M=
pjNvaXHVyTUZlrSTMQ+5
Qq4V1ZVntVccFp6KSbk=
0mm/5/OSJ4lx
0Hl/p1tUfnDI0+WTULs=
YMABDAVpS5J7OLlwTgQ2/nyWpGfI+t/1
dQYZAPhiQWwVhLCTMQ+5
sbYCE4s2Cyo9P83DjhWu
iI3bfa9nfGg58w==
C6oECspzeQi2bocc
PuY7I9Rw3Zt/f7hcJbw=
1cPt7mvOXVkHzHISC/KrkCI=
7nWrM+TAKcS/OU/9uXmQCMVT
khxUToN/ELGeIkP1rVELsld9uR7gJ9M=
Y1LPfwBlubpxoGs=
7tTShTXjNhgRv3Me8w==
n4KWm1XvgamZR5Y43kjPkYAPJjV1rQ==
4LTHvy/s+Tu2bocc
EA1bBwxnv9F0bhrMqWwxJ8HqLs8=
vB5zmJv210AvZ9VyOL9cxqJO
I4CQaFv7kbh/N6NE2tltaA==
ooLFYqSXodiybM93SKe8wKOIb8c=
DBsBE001lg3sb6tH2tltaA==
qj6SopdStS7hDOWJQvKrkCI=
lxkX8++SJ4lx
efjBKnPGsHsx7g==
PZ7u/DMbgAkT0Ca5X+F0Yt/2hM+0pQ==
4Th5dXTJneLAdOKLKjV8MRC1zQ==
JQVVDwNsQYsygK2TMQ+5
/2aKE7l5ESoXFp6KSbk=
cAoOtb4fteS+eNuFcD/qr7L0xQ==
WsMt6H8tdtmrGCncpmtACu9XFX9O
lindwoodsellshomes.com
Signatures
Formbook family
Suspicious use of SetThreadContext (1 IoC)
  description: PID 4212 set thread context of 3948
  pid: 4212
  Process: efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
  procid_target: 99
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs, both identical)
  pid: 3948
  Process: efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
Suspicious use of WriteProcessMemory (6 IoCs, all identical)
  description: PID 4212 wrote to memory of 3948
  pid: 4212
  Process: efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
  procid_target: 99
Processes
  C:\Users\Admin\AppData\Local\Temp\efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
  "C:\Users\Admin\AppData\Local\Temp\efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4212
    C:\Users\Admin\AppData\Local\Temp\efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
    "C:\Users\Admin\AppData\Local\Temp\efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 3948