Analysis
max time kernel: 147s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-12-2024 00:34
Static task
static1
Behavioral task
behavioral1
Sample
3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe
Resource
win7-20240903-en
General
Target: 3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe
Size: 919KB
MD5: fef7047ab5a223c930108b5b61e332bd
SHA1: 25f25911db849bc152a097ecc3a5e46e5a4aa3d1
SHA256: 3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261
SHA512: 73ef3ff8bc916155b467de260dcd0f4484f1771dcfc2035bf5f80f855ce073b6e5b57c28810d7da0535c700579ce6bcc8cf3a22d983d7e22e7667dbd33b78f3b
SSDEEP: 12288:fPDc9F3nC0Py3gAhmioPFg/Krib63eLojTLKvdgtaFs9Ab9h+tT1Oy3fRWCLWkbY:fQiQ1roS3XYdsYs9A63R7L4
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: odse
Decoy domains (Formbook stores its live C2 host inside a list of decoy domains and beacons to several of them at random, so the full list should be treated as IoCs rather than trying to single out the real C2 from the config alone):
braedlifestyle.com
morganjohnsondesign.online
surup-v48.club
diypoolpaint.sydney
v-b7026-ghhh.space
vetyvar.com
lollydaisy.com
campsitesurvival.com
autocalibre.com
fusiontech3d.com
xn--udkog0cvez259c82sa.xyz
eccentricartist.com
jc-zg.com
wacwin.com
livehealthychoice.com
visijuara.com
phigsa.com
sabayawork.com
afcerd.com
joeyshousesessions.com
fancycn.com
fem-iam.com
sinopocasles.com
skypalaceportal.com
wqajecjeias.com
selfscienceslabs.com
workingtitle.agency
asianartsawards.com
healtyhouse.com
iloveme.life
espacioleiva.com
dac71047.com
soldbygenajohnson.com
motherhenscoop.com
polkadotcoins.com
muslimmediation.com
grub-groove.com
albertaeatsfood.com
mixedplaylists.com
miamimotorcycleshop.com
unegublog.com
generalssoccer.com
manhattanlandscapedesign.com
cuongnguyen3r2j.com
stonelodgeseniorliving.com
swissinternationaltrustb.com
novemento.club
bladesmts.com
espiaruncelular.net
talasoglufinans.com
sargeworld.com
newlifenowblog.com
sugaringpalms.com
xaoikevesesede.com
mintyline.com
paleonade.com
saharsaghi.com
kentchimney.com
whipitgudd.com
gmopst.com
likekopi.com
spoonproductions-catering.com
annotake.com
stm32heaven.com
guncelekspres.com
Signatures
Formbook family
Formbook payload 3 IoCs
resource yara_rule
behavioral2/memory/3392-17-0x0000000000400000-0x000000000042E000-memory.dmp formbook
behavioral2/memory/3392-22-0x0000000000400000-0x000000000042E000-memory.dmp formbook
behavioral2/memory/3392-26-0x0000000000400000-0x000000000042E000-memory.dmp formbook
(PID 3392 is the RegSvcs.exe process the sample writes into and re-targets with SetThreadContext below; the 0x400000-0x42E000 region is the unpacked Formbook image, which is the dump to pull for config extraction.)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target
PID 1544 set thread context of 3392 1544 3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe 93
PID 3392 set thread context of 3428 3392 RegSvcs.exe 56
PID 3392 set thread context of 3428 3392 RegSvcs.exe 56
PID 2084 set thread context of 3428 2084 NETSTAT.EXE 56
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NETSTAT.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Gathers network information 2 TTPs 1 IoCs
Uses a command-line utility to view network configuration.
pid Process
2084 NETSTAT.EXE
(NETSTAT.EXE is launched by the already-injected Explorer.EXE, then itself sets the thread context of Explorer.EXE and spawns the cmd.exe cleanup below, so it is hosting injected code rather than performing a legitimate netstat query.)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
3376 schtasks.exe
Suspicious behavior: EnumeratesProcesses 47 IoCs
pid Process (count)
1544 3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe (1)
3392 RegSvcs.exe (6)
2084 NETSTAT.EXE (40)
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process (count)
3392 RegSvcs.exe (4)
2084 NETSTAT.EXE (2)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeDebugPrivilege 1544 3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe
Token: SeDebugPrivilege 3392 RegSvcs.exe
Token: SeDebugPrivilege 2084 NETSTAT.EXE
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target (count)
PID 1544 wrote to memory of 3376 1544 3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe 91 (3)
PID 1544 wrote to memory of 3392 1544 3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe 93 (6)
PID 3428 wrote to memory of 2084 3428 Explorer.EXE 94 (3)
PID 2084 wrote to memory of 5008 2084 NETSTAT.EXE 95 (3)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3428
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe"
    PID: 1544
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExIBogwV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73A4.tmp"
      PID: 3376
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 3392
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    PID: 2084
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 5008
      - System Location Discovery: System Language Discovery
Note: the sample is a 32-bit process, so its call to C:\Windows\System32\schtasks.exe is redirected by WOW64 to C:\Windows\SysWOW64\schtasks.exe, which is why the image path and the command line differ. The scheduled task is created from an XML definition in the user's Temp directory (tmp73A4.tmp) under the task folder \Updates\, which is a useful hunt key on other hosts.
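The SetThreadContext, WriteProcessMemory and process-tree records above describe one chain: the sample hollows a freshly spawned RegSvcs.exe, the hollowed process migrates into Explorer.EXE, Explorer launches NETSTAT.EXE which injects Explorer again and runs the cmd.exe cleanup, and schtasks.exe provides persistence. The following script is an added example, not part of the sandbox report or of any Triage tooling: it takes the report's own records (pasted in as constructed input) plus the parent relationships read off the tree's indentation, and applies four detection rules that are the editor's own, so that the chain can be confirmed mechanically rather than by eye.

```python
import re
from collections import defaultdict

SAMPLE = "3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Records copied from the report's SetThreadContext / WriteProcessMemory
# signatures (constructed input: pasted strings instead of a report parser).
SET_THREAD_CONTEXT = f"""
PID 1544 set thread context of 3392 1544 {SAMPLE} 93
PID 3392 set thread context of 3428 3392 RegSvcs.exe 56
PID 3392 set thread context of 3428 3392 RegSvcs.exe 56
PID 2084 set thread context of 3428 2084 NETSTAT.EXE 56
"""
WRITE_PROCESS_MEMORY = f"""
PID 1544 wrote to memory of 3376 1544 {SAMPLE} 91
PID 1544 wrote to memory of 3392 1544 {SAMPLE} 93
PID 3428 wrote to memory of 2084 3428 Explorer.EXE 94
PID 2084 wrote to memory of 5008 2084 NETSTAT.EXE 95
"""

# Process tree from the report: pid -> (parent pid, image, command line).
# Parent pids are an assumption taken from the tree's indentation levels.
PROCESS_TREE = {
    3428: (None, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    1544: (3428, SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    3376: (1544, "schtasks.exe",
           r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExIBogwV" '
           f'/XML "{TEMP}\\tmp73A4.tmp"'),
    3392: (1544, "RegSvcs.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    2084: (3428, "NETSTAT.EXE", r'"C:\Windows\SysWOW64\NETSTAT.EXE"'),
    5008: (2084, "cmd.exe",
           r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
}

RECORD = re.compile(r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+) ")


def edges(records):
    """'PID A <verb> B ...' lines -> set of (A, B) pid pairs."""
    return {(int(a), int(b)) for a, b in RECORD.findall(records)}


def analyse(tree=PROCESS_TREE, stc=SET_THREAD_CONTEXT, wpm=WRITE_PROCESS_MEMORY):
    """Return {finding_type: [description, ...]} for the four behaviours."""
    ctx, wrote = edges(stc), edges(wpm)
    findings = defaultdict(list)

    def image(pid):
        return tree[pid][1]

    # Rule 1: writing into a child and then replacing its thread context is
    # process hollowing. A parent-to-child WriteProcessMemory on its own
    # (schtasks.exe here) is not, so the rule requires both edges.
    for src, dst in sorted(ctx & wrote):
        if tree[dst][0] == src:
            findings["hollowing"].append(f"{image(src)}({src}) -> {image(dst)}({dst})")

    # Rule 2: a thread-context write into a process the writer did not spawn
    # is migration. Formbook moves into Explorer.EXE and later injects it
    # again from the SysWOW64 helper that Explorer launches.
    for src, dst in sorted(ctx):
        if tree[dst][0] != src and image(dst).lower() == "explorer.exe":
            findings["explorer_injection"].append(f"{image(src)}({src}) -> {image(dst)}({dst})")

    # Rules 3 and 4, from command lines: schtasks /Create fed an XML task
    # definition out of %TEMP% (persistence) and cmd /c del (self-cleanup).
    for pid, (_, img, cmd) in sorted(tree.items()):
        if img.lower() == "schtasks.exe" and "/create" in cmd.lower():
            xml = re.search(r'/XML\s+"([^"]+)"', cmd, re.I)
            tn = re.search(r'/TN\s+"([^"]+)"', cmd, re.I)
            if xml and "\\appdata\\local\\temp\\" in xml.group(1).lower():
                findings["schtasks_persistence"].append(
                    f"{img}({pid}) task {tn.group(1) if tn else '?'} from {xml.group(1)}")
        if img.lower() == "cmd.exe":
            target = re.search(r'\bdel\s+"([^"]+)"', cmd, re.I)
            if target:
                findings["cleanup"].append(f"{img}({pid}) deletes {target.group(1)}")
    return dict(findings)


if __name__ == "__main__":
    for kind, hits in analyse().items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

Rule 1 is the one that separates the two WriteProcessMemory targets of PID 1544: schtasks.exe receives memory writes but never a SetThreadContext, so only RegSvcs.exe is reported as hollowed. The same two edge sets, taken from Sysmon Event ID 8/10 or an EDR's injection telemetry instead of the pasted records, give an equivalent host-side detection.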
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: bd2755dd3be6ce1e1a922573b6d853e0
SHA1: bf3a02d307b614d16696f3a2ae4ca1e806ca50df
SHA256: ef1aa800a3231b3490f5b340a208cfd9b5323b75a29ed8fdb105db3c78bb144c
SHA512: 7a2096aea1af7a746324c63d9f3dd9af1babae1248834dfc2febac148127c252a184be69b8205f3f70e95152be2787d1d10f44cb699098c678335f242c88903a