Analysis

max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-01-2025 03:07

Static task: static1
Behavioral task: behavioral1
Sample: a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe
Resource: win7-20240903-en

General

Target: a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe
Size: 650KB
MD5: 1b507df9a13477b647da450a1b79b2e7
SHA1: b0de85855b3462fe0b37c79831b391eeb044e437
SHA256: a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91
SHA512: 37dcc8dd92a84009f81ebf394001de49bcf75818227bdbe135578f8f1dc57f4119c4cb6efd91ec70fe12202854ca472ec7435d3c0f713bf770f09967d61fe6a7
SSDEEP: 12288:kYRxA4Y5lyA/BxSPC3NMl2v/wXb5DDH6dcW6f8HtdJqT6B2zJxWVqHU:bRB2XM5UN60STUAJE
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: a01d
Domains:
eniorshousing05.shop
rywisevas.biz
4726.pizza
itchen-design-42093.bond
3456.tech
4825.plus
nlinecraps.xyz
itamins-52836.bond
nfluencer-marketing-40442.bond
nline-advertising-58573.bond
rautogroups.net
limbtrip.net
oftware-download-14501.bond
nline-advertising-66733.bond
erity.xyz
xknrksi.icu
x-ist.club
yber-security-26409.bond
oincatch.xyz
onitoring-devices-34077.bond
hbvc.xyz
xecadminadvo.vip
ookers.homes
irlypods.shop
nalyzator.fun
rinciple.press
ejigghq.company
nity-officiels.shop
chtm.info
ggrupdanismanlik.online
alterjaviersemolic.online
6zc.lat
ukce.fun
ikretgunay.online
d8ns7gu.skin
06ks7.club
icovideo.voyage
nlinetutoringcanada776681.icu
etzero.icu
228080a0.buzz
agoslotoke.art
ruaim.online
nline-mba-87219.bond
oldsaver.biz
agonel.online
ommbank.video
indlab.shop
hesweettray.store
bilebe.info
uxemasculine.store
arkbarron.xyz
ektor.fun
8255.pizza
ike-loans-53803.bond
ong-ya.info
costcomembers-wholesale.online
75396.vip
leaning-services-53131.bond
uickcabinet.net
alifstorch.online
ahtel.net
usinessoverpleasure.shop
duway.pro
usiness-software-47704.bond
ustonehuman.info
Signatures

Formbook family

Formbook payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2656-24-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2656-27-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
Both YARA hits are on memory dumps of PID 2656 (MSBuild.exe): the unpacked Formbook payload is only observed inside the process the sample hollowed, not in the submitted file.

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run both invocations use Add-MpPreference -ExclusionPath: one for the sample itself in %TEMP%, one for C:\Users\Admin\AppData\Roaming\DjsaCPLWOz.exe, the same name the scheduled task below uses.
pid | Process
2700 | powershell.exe
2696 | powershell.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1056 set thread context of 2656 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 37
PID 2656 set thread context of 1204 | 2656 | MSBuild.exe | 21
PID 2656 set thread context of 1204 | 2656 | MSBuild.exe | 21
The chain is the sample (1056) hollowing MSBuild.exe (2656), which in turn injects into Explorer.EXE (1204); an explorer.exe hop is Formbook's usual second stage.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Reading this key is routine for powershell.exe and schtasks.exe at startup, so those three hits carry no weight on their own; only the hit from the sample itself is worth noting, and it is a weak signal.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2676 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe
1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe
2656 | MSBuild.exe
2656 | MSBuild.exe
2696 | powershell.exe
2700 | powershell.exe
2656 | MSBuild.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
pid | Process
2656 | MSBuild.exe
2656 | MSBuild.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe
Token: SeDebugPrivilege | 2656 | MSBuild.exe
Token: SeDebugPrivilege | 2696 | powershell.exe
Token: SeDebugPrivilege | 2700 | powershell.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 1056 wrote to memory of 2700 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 31
PID 1056 wrote to memory of 2700 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 31
PID 1056 wrote to memory of 2700 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 31
PID 1056 wrote to memory of 2700 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 31
PID 1056 wrote to memory of 2696 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 33
PID 1056 wrote to memory of 2696 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 33
PID 1056 wrote to memory of 2696 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 33
PID 1056 wrote to memory of 2696 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 33
PID 1056 wrote to memory of 2676 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 35
PID 1056 wrote to memory of 2676 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 35
PID 1056 wrote to memory of 2676 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 35
PID 1056 wrote to memory of 2676 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 35
PID 1056 wrote to memory of 2656 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 37
PID 1056 wrote to memory of 2656 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 37
PID 1056 wrote to memory of 2656 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 37
PID 1056 wrote to memory of 2656 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 37
PID 1056 wrote to memory of 2656 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 37
PID 1056 wrote to memory of 2656 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 37
PID 1056 wrote to memory of 2656 | 1056 | a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe | 37
The four writes into each of the PowerShell and schtasks children (2700, 2696, 2676) are what ordinary CreateProcess does when it sets up a child; the seven writes into 2656 are the hollowing of MSBuild.exe and pair with the SetThreadContext call above.
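The Scheduled Task signature above only records that schtasks.exe registered "Updates\DjsaCPLWOz" from an XML file in %TEMP%; the XML itself (tmp166E.tmp) was not captured. The following is an added example, not code from the sandbox or the report, showing how to triage a Task Scheduler XML of that shape once you recover one from a host: it pulls the actions, triggers and Hidden setting out of the real Task Scheduler namespace and flags the traits a persistence task from malware tends to have. TASK_XML is constructed; it assumes the task launches the Roaming\DjsaCPLWOz.exe path the sibling PowerShell call excluded (the report only implies this through the matching name), at logon, hidden.

```python
"""Triage a Task Scheduler XML such as the one schtasks /Create /XML consumed.

Added example, not part of the sandbox report. TASK_XML is constructed to
mirror what Updates\DjsaCPLWOz plausibly contained; the real tmp166E.tmp was
not captured, so the command path and triggers below are assumptions.
"""
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed task XML (assumed content, see module docstring). Real exports are
# UTF-16 with an XML declaration; read those from disk as bytes via ET.parse so
# the declared encoding is honoured.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\DjsaCPLWOz.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def in_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def _local(tag: str) -> str:
    """Strip the namespace prefix ET puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def triage_task(xml_text: str) -> dict:
    """Return actions, triggers, hidden flag and a sorted list of triage flags."""
    root = ET.fromstring(xml_text)

    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))

    trig_el = root.find("t:Triggers", TASK_NS)
    triggers = [_local(t.tag) for t in trig_el] if trig_el is not None else []

    hidden_text = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS) or ""
    hidden = hidden_text.strip().lower() == "true"

    flags = set()
    for cmd, args in actions:
        if in_user_writable(cmd) or in_user_writable(args):
            flags.add("exec_from_user_writable")
        if cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            flags.add("script_host_action")
    if hidden:
        flags.add("hidden")
    if {"LogonTrigger", "BootTrigger"} & set(triggers):
        flags.add("logon_or_boot_persistence")

    return {"actions": actions, "triggers": triggers, "hidden": hidden, "flags": sorted(flags)}


if __name__ == "__main__":
    result = triage_task(TASK_XML)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a live host the same function can be run over every file under C:\Windows\System32\Tasks (the registered task bodies are stored there as XML), which is the quicker way to find the Updates\DjsaCPLWOz task than trusting the Task Scheduler UI, since Hidden tasks are not shown there by default.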
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1204

  C:\Users\Admin\AppData\Local\Temp\a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1056

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2700

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DjsaCPLWOz.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2696

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 2676

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 2656

Notes on the tree: the command lines name System32 while the images actually loaded come from SysWOW64 because the sample is 32-bit and WoW64 file-system redirection applies to its children; the 32-bit Framework\ (not Framework64\) MSBuild.exe fits the same picture. MSBuild.exe is started with no arguments by a binary in %TEMP%, a strong hollowing indicator, and its PID is the one the Formbook YARA rule hit in memory. The Defender exclusions are added before the payload runs, one for the file in %TEMP% and one for the Roaming\DjsaCPLWOz.exe name that the scheduled task also uses; on a host that is not a sandbox, Get-MpPreference | Select-Object -ExpandProperty ExclusionPath will show both entries after infection.
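The process tree above is the whole story of this run in four command lines: a loader in %TEMP% adds two Defender exclusions, registers a scheduled task from an XML file in %TEMP%, and starts MSBuild.exe with no arguments to hollow it. The following is an added example, not code from the sandbox or the report, that turns those three observations into detection logic over process-creation events. The event records are constructed from the tree (Sysmon Event ID 1 or EDR style: pid, parent pid, loaded image, command line); the parent PIDs are read off the tree's nesting, and the benign records in the test are invented to show what does not fire.

```python
"""Flag the loader -> PowerShell / schtasks / MSBuild chain from process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; parent PIDs follow the tree's nesting.
"""
import re
from dataclasses import dataclass

# Locations an unprivileged user can write to. Code running from here, or a
# Defender exclusion pointing here, is the common thread in this report.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Signed .NET utilities routinely used as process-hollowing hosts.
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "aspnet_compiler.exe", "applaunch.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image actually loaded (SysWOW64 here, despite the command line)
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def args_of(cmdline: str) -> str:
    """Drop the (possibly quoted) program token and return the argument string."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1).strip() if m else ""


def option_value(args: str, option_re: str) -> str:
    """Value that follows an option, honouring double quotes (paths with spaces)."""
    m = re.search(option_re + r'\s+(?:"([^"]*)"|(\S+))', args, re.I)
    return (m.group(1) or m.group(2) or "") if m else ""


def detect(events):
    """Return (rule, pid, severity, detail) tuples for the events that match."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        args = args_of(e.cmdline)
        low = args.lower()
        parent = by_pid.get(e.ppid)
        parent_from_user_dir = parent is not None and in_user_writable(parent.image)

        # 1. Defender exclusion added via PowerShell (Add-MpPreference -Exclusion*);
        #    an exclusion for a user-writable location is the high-severity form.
        if img == "powershell.exe" and "add-mppreference" in low:
            target = option_value(args, r"-exclusion(?:path|process|extension)")
            sev = "high" if in_user_writable(target) else "medium"
            findings.append(("defender_exclusion", e.pid, sev, target))

        # 2. Scheduled task registered from an XML file in a user-writable directory.
        if img == "schtasks.exe" and "/create" in low:
            xml = option_value(args, r"/xml")
            if xml and in_user_writable(xml):
                findings.append(("schtasks_xml_from_user_dir", e.pid, "high", xml))

        # 3. .NET hollowing host launched with no arguments by a binary in a user dir.
        if img in HOLLOW_HOSTS and args == "" and parent_from_user_dir:
            findings.append(("argless_dotnet_host", e.pid, "high", e.image))
    return findings


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe")
PS_IMG = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
PS_CMD = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'

# Constructed from the report's process tree (parent PIDs from its nesting).
EVENTS = [
    ProcEvent(1204, 0, "C:\\Windows\\Explorer.EXE", "C:\\Windows\\Explorer.EXE"),
    ProcEvent(1056, 1204, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2700, 1056, PS_IMG, f'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(2696, 1056, PS_IMG, PS_CMD + ' Add-MpPreference -ExclusionPath '
              '"C:\\Users\\Admin\\AppData\\Roaming\\DjsaCPLWOz.exe"'),
    ProcEvent(2676, 1056, "C:\\Windows\\SysWOW64\\schtasks.exe",
              '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\DjsaCPLWOz" '
              '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp166E.tmp"'),
    ProcEvent(2656, 1056, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
              '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"'),
]


def run_report():
    """Run the three rules over the reconstructed events from this report."""
    return detect(EVENTS)


if __name__ == "__main__":
    for rule, pid, sev, detail in run_report():
        print(f"{sev:6} {rule:28} pid={pid} {detail}")
```

Rule 3 keys on the argument-less launch plus the parent's location rather than on MSBuild.exe alone, because a developer's build (MSBuild started by devenv.exe with a project file) must stay quiet; rule 1 downgrades an exclusion for a path outside user-writable directories to medium because administrators do legitimately exclude vendor directories under Program Files.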
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 1f293de77ffdf6876715ed40519fd288
SHA1: aa837544c6d8d38db4e387e4adcca03ee17fc12f
SHA256: bea7334fbb21fabb3ea71877a093c7178ea114dbc9fad11990384cf5a8f46deb
SHA512: c139382dec6b67bda421b1110656de23d15d2f67a719793b42407e12f34eed2bfef4b439cdebf5c96622f5b56c767f2e7e3ff1063c896de4bc22f5908726222d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 54517a1db839d1d82d2d8289c18d8998
SHA1: 857f5980ff0da5632e305002e45b02fbf475c8c0
SHA256: 2befac9a178b0c34bbcfa02f9fb32e419a695b977b4d5234d87857b6840fd7bb
SHA512: 054bb74aafe028fbc7dbc7bdaa1d1c4091a277513a890f60334eb33cec23cc626b9422eb43c5172f6b07d1f93d5eb065a592222a4f7b73ab08a09068d54e6033
This second file is a shell jump list; the AppID in its name identifies the launched application and this one is the one commonly associated with powershell.exe, so it is a side effect of the two PowerShell invocations rather than a payload the sample wrote. Neither the scheduled-task XML (tmp166E.tmp) nor the DjsaCPLWOz.exe copy in Roaming appears among the captured files, so their hashes are not available from this run.