Analysis
- max time kernel: 146s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 27-12-2024 00:17

Tasks
- Static task static1
- Behavioral task behavioral1: sample 5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe, resource win7-20240729-en
- Behavioral task behavioral2: sample 5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe, resource win10v2004-20241007-en
- Behavioral task behavioral3: sample lsyvak.exe, resource win7-20240903-en
- Behavioral task behavioral4: sample lsyvak.exe, resource win10v2004-20241007-en
General
- Target: 5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe
- Size: 241KB
- MD5: 671f622caaaad9137a2eb0663ca0ec70
- SHA1: f93256448a08355dccb1f3348e435f997a8a2319
- SHA256: 5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5
- SHA512: 46d9dcd869d919e03c032ea152900f8463298a90cbf598b31c6eb2e6a60c006fd03a2e5114402e69abba84da1dda724226b207a86380746403f315302f394977
- SSDEEP: 6144:rGix6Ah4a/KCdg5GfMF5PPTw1hTbqWDgCKz+/cIGdwxWa:N6S4a/5dxww1hCWDjCyG+n
Malware Config
- Extracted: formbook 4.1 se29
Signatures
- Formbook family
- Formbook payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2464-12-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral1/memory/2464-16-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral1/memory/2948-21-0x00000000000C0000-0x00000000000EF000-memory.dmp | formbook
- Executes dropped EXE (2 IoCs)
  pid | Process
  2904 | lsyvak.exe
  2464 | lsyvak.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2604 | 5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe
  2904 | lsyvak.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2904 set thread context of 2464 | 2904 | lsyvak.exe | 31
  PID 2464 set thread context of 1204 | 2464 | lsyvak.exe | 21
  PID 2948 set thread context of 1204 | 2948 | wlanext.exe | 21
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsyvak.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wlanext.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid | Process | entries
  2464 | lsyvak.exe | 2
  2948 | wlanext.exe | 29
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | Process | entries
  2464 | lsyvak.exe | 3
  2948 | wlanext.exe | 2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2464 | lsyvak.exe
  Token: SeDebugPrivilege | 2948 | wlanext.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target | entries
  PID 2604 wrote to memory of 2904 | 2604 | 5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe | 30 | 4
  PID 2904 wrote to memory of 2464 | 2904 | lsyvak.exe | 31 | 7
  PID 1204 wrote to memory of 2948 | 1204 | Explorer.EXE | 32 | 4
  PID 2948 wrote to memory of 3064 | 2948 | wlanext.exe | 33 | 4
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1204
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe"
      PID: 2604
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\lsyvak.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\lsyvak.exe C:\Users\Admin\AppData\Local\Temp\viwmpw
         PID: 2904
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\lsyvak.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\lsyvak.exe C:\Users\Admin\AppData\Local\Temp\viwmpw
            PID: 2464
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\wlanext.exe
      Command line: "C:\Windows\SysWOW64\wlanext.exe"
      PID: 2948
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\lsyvak.exe"
         PID: 3064
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210KB
  MD5: 256a6b52e7a5738716832f1a293648fc
  SHA1: 59a8727f230e9f68b296651726fe5befd30dbf85
  SHA256: a2b67befb327e3bc10a202d73bbbb4d03187d880e2877b6d4f8869284f6e18e3
  SHA512: 0304b68fe55b5ec9fbb0d60f028e9b6c18f06e4a971437736a88dbb48a530363a85a4d2ad1d35b5e50662feec3861a0485bdb352f5b1d8f375c21c71cb15dc4f
- Filesize: 4KB
  MD5: ca134a4293baf2ed6147bd575ad0639b
  SHA1: a3c93e966d2ab881d5f4e31da82f606b15225bc1
  SHA256: 1b92753015bae55b024807dff0657bcb41c4831ab44d1bd10972310ca181bd14
  SHA512: 958aa23b8ef63131390e9eb5f55244168aa49704f6f9d52554b9d898a80d88cebc2115df85ffea0752cd01232a6976332fc72ae5ffd1a0970d851b692ae5dc26
- Filesize: 5KB
  MD5: 665da445aa2fbecbaa1750cac3a263a4
  SHA1: 48b6e12c571d12c18f44516f74e0548f8289ade2
  SHA256: 1a41e1aec75c713684245dc5235fd61e70d221d01b44a1dd9dc065578bd21670
  SHA512: 722e11f030555c065124034f52d2ce1cf078996b8493d870caa67ff99d9a723fa4a7c9d0bdc6dbd026a38522fb4aefbcf6ec35ffc9bcd013ab357454eefc2169