Analysis
max time kernel: 148s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 21-01-2025 02:44
Static task: static1
Behavioral task: behavioral1
Sample: 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe
Resource: win7-20240903-en
General
Target: 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe
Size: 678KB
MD5: 9b6ddf7049adfbefacd1dbdfe4350061
SHA1: e9451cd4cae7a1d50ae0cdc17156dc685b5158f7
SHA256: 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf
SHA512: fcf96b148e9a5369a264f138621a67eb8d3c79b3a39587e5b225aad94dd103fa67b9020b7559d41212019b4c168e9dfd7b7633c6e82a8248261cb5d1cccfd5a8
SSDEEP: 12288:G59aYwdc1sW7/sVfmPc/VZHkcAG8Vf+0Zhaewy8UQxTJDC38Sy:tYP1L70oc9ZEcA1L6I8UUr
Malware Config
Extracted
formbook
4.1
a02d
Signatures
Formbook family
Formbook payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2656-25-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2656-28-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2004-31-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2228 | powershell.exe
2924 | powershell.exe
Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 2460 set thread context of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 2656 set thread context of 1204 | 2656 | RegSvcs.exe | 21
PID 2656 set thread context of 1204 | 2656 | RegSvcs.exe | 21
PID 2004 set thread context of 1204 | 2004 | cmmon32.exe | 21
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmmon32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2816 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (34 IoCs)
pid | Process
2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe
2228 | powershell.exe
2924 | powershell.exe
2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe
2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe
2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe
2656 | RegSvcs.exe
2656 | RegSvcs.exe
2656 | RegSvcs.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process
2656 | RegSvcs.exe
2656 | RegSvcs.exe
2656 | RegSvcs.exe
2656 | RegSvcs.exe
2004 | cmmon32.exe
2004 | cmmon32.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe
Token: SeDebugPrivilege | 2228 | powershell.exe
Token: SeDebugPrivilege | 2924 | powershell.exe
Token: SeDebugPrivilege | 2656 | RegSvcs.exe
Token: SeDebugPrivilege | 2004 | cmmon32.exe
Suspicious use of WriteProcessMemory (37 IoCs)
description | pid | Process | procid_target
PID 2460 wrote to memory of 2228 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 31
PID 2460 wrote to memory of 2228 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 31
PID 2460 wrote to memory of 2228 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 31
PID 2460 wrote to memory of 2228 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 31
PID 2460 wrote to memory of 2924 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 33
PID 2460 wrote to memory of 2924 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 33
PID 2460 wrote to memory of 2924 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 33
PID 2460 wrote to memory of 2924 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 33
PID 2460 wrote to memory of 2816 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 35
PID 2460 wrote to memory of 2816 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 35
PID 2460 wrote to memory of 2816 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 35
PID 2460 wrote to memory of 2816 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 35
PID 2460 wrote to memory of 2592 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 37
PID 2460 wrote to memory of 2592 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 37
PID 2460 wrote to memory of 2592 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 37
PID 2460 wrote to memory of 2592 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 37
PID 2460 wrote to memory of 2592 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 37
PID 2460 wrote to memory of 2592 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 37
PID 2460 wrote to memory of 2592 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 37
PID 2460 wrote to memory of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 2460 wrote to memory of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 2460 wrote to memory of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 2460 wrote to memory of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 2460 wrote to memory of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 2460 wrote to memory of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 2460 wrote to memory of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 2460 wrote to memory of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 2460 wrote to memory of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 2460 wrote to memory of 2656 | 2460 | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe | 38
PID 1204 wrote to memory of 2004 | 1204 | Explorer.EXE | 39
PID 1204 wrote to memory of 2004 | 1204 | Explorer.EXE | 39
PID 1204 wrote to memory of 2004 | 1204 | Explorer.EXE | 39
PID 1204 wrote to memory of 2004 | 1204 | Explorer.EXE | 39
PID 2004 wrote to memory of 2524 | 2004 | cmmon32.exe | 40
PID 2004 wrote to memory of 2524 | 2004 | cmmon32.exe | 40
PID 2004 wrote to memory of 2524 | 2004 | cmmon32.exe | 40
PID 2004 wrote to memory of 2524 | 2004 | cmmon32.exe | 40
Processes
C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  PID:1204

  C:\Users\Admin\AppData\Local\Temp\422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe
    "C:\Users\Admin\AppData\Local\Temp\422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2460

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2228

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rVjdis.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2924

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rVjdis" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15C2.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID:2816

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID:2592

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID:2656

  C:\Windows\SysWOW64\cmmon32.exe
    "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2004

    C:\Windows\SysWOW64\cmd.exe
      /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - System Location Discovery: System Language Discovery
      PID:2524
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 652fa31b8760caf890b613bbf6c6eb90
SHA1: 7b685fa3fa14d0ff85ec86f4809074b74a8d9326
SHA256: 93e0f619a28773ed0c1724f7392458c34f6ea93793f18ff7f0f936e0a001bead
SHA512: 3b69f10b5422918b692e7104260d161c60117fdaa608721e8b304912b905f99fb4708d4f088aee6f2b7fbd7f6940ad3fd89958d971e51343ddfe2902e3f78585
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 845a37df25c379a9b5feeaace7a53544
SHA1: fc3b2f53e66296fb7cbd3f1a677d2a5ba370bce7
SHA256: be5a3ffb021b5570a623138a34ed2e5dda3a9b447c5d3b0f2f7b1305f2b56eac
SHA512: 31cf08886f8bb5e62a890584253f52e5b30582c013f747ba9645314f9be60beeaf4a6b80e168baa92ba51d85755390343de5bd353ea01af5641eac426e4a1902