Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-12-2024 20:43

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: textview66547.exe, Resource: win7-20240708-en)
General
- Target: textview66547.exe
- Size: 1.3MB
- MD5: 734282c3d93555760ee7347318299aa1
- SHA1: d17be364c71e18e647ad260f4d4f747996b7a753
- SHA256: 38b573288a18231b62b0fe72ca5ea36f6d20303ce7658d82487523488399955b
- SHA512: e02b026077d13c57f4dfc6c74a06cd5f0d59213c37113e57b44915c97d20f767350feda8780d9138cde953430b88f9c20ec601cdeb3c4984483c9c4f446f9249
- SSDEEP: 24576:iAOcZXp0bR4ZPmjscttv8MnhoUkjPV99npuezy71oporahyR6:ofR4MQcttv8MhoUkj9fZe6GRU
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: t01w
- Domains (65 entries): Formbook configs mix the live C2 domain with decoy domains that the bot also contacts, so treat the whole list as a blocklist and do not assume any single entry is the real server.
yeluzishiyanshi.com
thehardtech.xyz
arrowheadk8.site
zaulkunutila.xyz
lookastro.net
congregorecruitment.co.uk
darcyboo.uk
collettesbet.net
ltgpd.com
hiddenapphq.net
haxtrl.online
esenbook.com
jxzyyx.com
ulvabuyout.xyz
instashop.life
vazra.top
ewdvatcuce4.top
zhishi68.com
fabricsandfashion.com
hootcaster.com
chadwelchart.com
zamoracollection.com
eoliq.com
fbo.app
551by.com
cbbtraffic.site
prepasigma.com
cinq.design
maxsonrealty.com
xzxzk.com
mein-digitales-testament.online
beachloungespa.com
atninja.xyz
secure-internetbanking-help.com
beautyinfluencers.club
kcssteakandribsohio.com
local-dress.store
zhuilang.net
youngdongent.com
bobijnvidit.xyz
buyicx.com
zipular.com
unverify.us
tudoristan.com
texasonmission.com
premintbot.xyz
tricon.info
dinazorpizza.com
minhlam.store
sustainabledentists.com
cocolmanual.xyz
illegalz.agency
homecrowds.net
polyfake.com
omgsweepsship.com
asteliaceramika.com
retro235.space
35kclub.com
lemex.co.uk
bebigshop.com
customrenovatl.com
palccoyotour.com
adanarinoplasti.xyz
calnovi.com
techreshendo.com
Signatures
-
Formbook family
-
Formbook payload (3 IoCs)
YARA rule "formbook" matched in the following memory regions:
- behavioral2/memory/1256-59-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/1256-62-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/4764-68-0x00000000011C0000-0x00000000011EF000-memory.dmp
All three regions are 0x2F000 bytes long. In RegSvcs.exe (PID 1256) the unpacked payload sits at 0x400000, the usual 32-bit image base, consistent with the host image having been overwritten; the copy in cmd.exe (PID 4764) matches the WriteProcessMemory rows from the injected Explorer.EXE (PID 3444) into that process.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation, by textview66547.exe
Executes dropped EXE (1 IoC)
- PID 3188 sogmqlr.pif
Suspicious use of SetThreadContext (3 IoCs)
- PID 3188 (sogmqlr.pif) set thread context of PID 1256 (RegSvcs.exe)
- PID 1256 (RegSvcs.exe) set thread context of PID 3444 (Explorer.EXE)
- PID 4764 (cmd.exe) set thread context of PID 3444 (Explorer.EXE)
The first entry targets a child the caller itself spawned (hollowing); the other two target the already running shell, i.e. injection into a process the caller did not create.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe (both cmd.exe processes, PIDs 4764 and 2884 per the process tree), textview66547.exe and sogmqlr.pif
Suspicious behavior: EnumeratesProcesses (60 IoCs)
- PID 1256 RegSvcs.exe: 4 events
- PID 4764 cmd.exe: the remaining 56 events
Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 1256 RegSvcs.exe: 3 events
- PID 4764 cmd.exe: 2 events
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- SeDebugPrivilege: PID 1256 RegSvcs.exe
- SeShutdownPrivilege: PID 3444 Explorer.EXE (twice)
- SeCreatePagefilePrivilege: PID 3444 Explorer.EXE (twice)
- SeDebugPrivilege: PID 4764 cmd.exe
The entries worth alerting on are the two SeDebugPrivilege adjustments: neither RegSvcs.exe nor cmd.exe needs that privilege for its normal function.
Suspicious use of WriteProcessMemory (18 IoCs)
- PID 2372 textview66547.exe wrote to memory of PID 3188 sogmqlr.pif: 3 events
- PID 3188 sogmqlr.pif wrote to memory of PID 2516 RegSvcs.exe: 3 events
- PID 3188 sogmqlr.pif wrote to memory of PID 1256 RegSvcs.exe: 6 events
- PID 3444 Explorer.EXE wrote to memory of PID 4764 cmd.exe: 3 events
- PID 4764 cmd.exe wrote to memory of PID 2884 cmd.exe: 3 events
Every parent-to-child pair here shows exactly three writes except sogmqlr.pif into PID 1256, which shows six and is the only target that also receives SetThreadContext from the same writer; that is the hollowed host.
Processes
-
1. C:\Windows\Explorer.EXE (PID 3444)
   cmdline: C:\Windows\Explorer.EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\textview66547.exe (PID 2372)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\textview66547.exe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\5_86\sogmqlr.pif (PID 3188)
         cmdline: "C:\Users\Admin\5_86\sogmqlr.pif" eiifenbgm.fmk
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2516)
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            (no signatures recorded)
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1256)
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe (PID 4764)
      cmdline: "C:\Windows\SysWOW64\cmd.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 2884)
         cmdline: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
         - System Location Discovery: System Language Discovery

Reading the tree: textview66547.exe drops and runs sogmqlr.pif (a .pif extension, which Windows executes like an .exe) with eiifenbgm.fmk as its argument; sogmqlr.pif starts RegSvcs.exe twice and hollows the second instance (PID 1256); that RegSvcs.exe sets thread context in Explorer.EXE; Explorer.EXE then spawns cmd.exe (PID 4764), which carries the Formbook payload in memory and in turn spawns a second cmd.exe to delete the RegSvcs.exe path. The report does not record whether that del succeeded.
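The injection chain in this report is spread over dozens of repeated signature rows and an indented process tree. The following Python is an added example, not part of the Triage report or of any Triage tooling: it re-parses the report's own WriteProcessMemory and SetThreadContext rows (copied verbatim as constructed input) together with the process tree, collapses the repeats, and applies three heuristics a detection engineer would key on here: a writer that also re-contexts its own child (hollowing), SetThreadContext against a process the caller did not spawn (injection into Explorer.EXE), and an OS binary started from a user-profile parent. The function names, the path prefixes used as heuristics and the PROCESSES/CMDLINES tables are the editor's own assumptions.

```python
import re
from collections import Counter

# Constructed input: the report's WriteProcessMemory / SetThreadContext rows,
# re-joined exactly as the sandbox prints them. The trailing number on each row
# is the sandbox's target process index and is ignored here.
WRITE_EVENTS = " ".join(
    ["PID 2372 wrote to memory of 3188 2372 textview66547.exe 83"] * 3
    + ["PID 3188 wrote to memory of 2516 3188 sogmqlr.pif 85"] * 3
    + ["PID 3188 wrote to memory of 1256 3188 sogmqlr.pif 86"] * 6
    + ["PID 3444 wrote to memory of 4764 3444 Explorer.EXE 87"] * 3
    + ["PID 4764 wrote to memory of 2884 4764 cmd.exe 88"] * 3
)
CONTEXT_EVENTS = (
    "PID 3188 set thread context of 1256 3188 sogmqlr.pif 86 "
    "PID 1256 set thread context of 3444 1256 RegSvcs.exe 56 "
    "PID 4764 set thread context of 3444 4764 cmd.exe 56"
)
# Process tree from the report (assumed layout): pid -> (parent pid, image path).
PROCESSES = {
    3444: (None, r"C:\Windows\Explorer.EXE"),
    2372: (3444, r"C:\Users\Admin\AppData\Local\Temp\textview66547.exe"),
    3188: (2372, r"C:\Users\Admin\5_86\sogmqlr.pif"),
    2516: (3188, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    1256: (3188, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    4764: (3444, r"C:\Windows\SysWOW64\cmd.exe"),
    2884: (4764, r"C:\Windows\SysWOW64\cmd.exe"),
}
# Only the final cmd.exe in the tree carries arguments.
CMDLINES = {
    2884: r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) \d+")


def parse_events(text, pattern):
    """Collapse repeated rows into a Counter keyed by (source pid, target pid, source image)."""
    return Counter((int(src), int(dst), image) for src, dst, image in pattern.findall(text))


def hollowing_candidates(writes, contexts):
    """Same source both wrote into a target and set its thread context: the
    process-hollowing sequence (overwrite the child's image, redirect its entry)."""
    wrote = {(s, t) for s, t, _ in writes}
    return sorted({(s, t) for s, t, _ in contexts if (s, t) in wrote})


def foreign_context_sets(contexts, processes):
    """SetThreadContext against a process the caller did not spawn (here
    Explorer.EXE) is injection into an already running host, not hollowing."""
    return sorted((s, t) for s, t, _ in contexts if processes[t][0] != s)


def system_binaries_from_user_paths(processes):
    """OS/.NET binaries started by a parent that lives in the user profile
    (the RegSvcs.exe-under-sogmqlr.pif pattern)."""
    hits = []
    for pid, (ppid, image) in processes.items():
        if ppid is None:
            continue
        parent_image = processes[ppid][1].lower()
        if image.lower().startswith("c:\\windows\\") and parent_image.startswith("c:\\users\\"):
            hits.append(pid)
    return sorted(hits)


def deletes_windows_binary(cmdlines):
    """cmd.exe /c del against a path under the Windows directory (the cleanup seen at PID 2884)."""
    hits = []
    for pid, cmd in cmdlines.items():
        m = re.search(r'\bdel\s+"?([^"\s]+)', cmd, re.IGNORECASE)
        if m and m.group(1).lower().startswith("c:\\windows\\"):
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    writes = parse_events(WRITE_EVENTS, WRITE_RE)
    contexts = parse_events(CONTEXT_EVENTS, CONTEXT_RE)
    for (s, t, image), n in sorted(writes.items()):
        print(f"{s} ({image}) -> {t}: {n} WriteProcessMemory rows")
    print("hollowing candidates:", hollowing_candidates(writes, contexts))
    print("injection into non-child:", foreign_context_sets(contexts, PROCESSES))
    print("OS binaries from user-profile parents:", system_binaries_from_user_paths(PROCESSES))
    print("del of Windows binary:", deletes_windows_binary(CMDLINES))
```

On this report the script flags (3188, 1256) as the hollowing pair, (1256, 3444) and (4764, 3444) as injection into Explorer.EXE, PIDs 2516 and 1256 as RegSvcs.exe launched from a user-profile parent, and PID 2884 for the del. The same four functions work on any Triage report whose rows follow this layout; the thresholds are deliberately absent because the shape of the events, not their count, is what distinguishes the hollowed child.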
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 45KB
- MD5: a85785f3dd5d27c21cdcf9deffb85b4f
- SHA1: dc4615334c2f6a2dbdbd376de6e5b9fb4c400a66
- SHA256: 7a089d4a4c799ce9e9f5e75f89815f065af3f83a8a9ed73566844a8ea910f30d
- SHA512: a9a4e3b41121f5a2412dcf05d4fd8162036590152838221dc8811e18fc47888a4d09a83894cfb00f593cb7cd9eed6f901b6fa523fd222bca170fbfd966e130ae
-
- Filesize: 370KB
- MD5: f5e2ba30a45201d12f28c47cc71919cc
- SHA1: 1dd97af07f03e87f26bc6012cde97855e7ae40da
- SHA256: d3f446c8cd06efa9b89bdcfe33d8b84831ab1e04353837d4de1348076ab3fd15
- SHA512: 3c81ab2c7c598c7f468bac9a0a8c0b64f6e66b67f1d5786ffa9b3f0926b1704c841850dde0bf68da58a429503bca5cb0b03a981287de68a845638f6399ece513
-
- Filesize: 1.7MB
- MD5: dd3466f64841cf21fc31f63f03dbfd29
- SHA1: 3878c8e52203d792c6f672595f7c78ab27ce3f04
- SHA256: 4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b
- SHA512: adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057