Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26/03/2025, 12:10
Static task
static1
Behavioral task
behavioral1
Sample
Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe
Resource
win7-20250207-en
General
-
Target
Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe
-
Size
617KB
-
MD5
5d917b070d148e8c043a3df37d8d0d6f
-
SHA1
75cd40a178208432228ce736a5c4eb35b2d89b44
-
SHA256
d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d
-
SHA512
cff6b80d91e5577aaf3194256006042db1397b473a1fbdc98337ff98dd1a553bbb920c8c3c663e24949b49d545ef1c39c4024fcdf0b5e5d9d52717bf01b43081
-
SSDEEP
12288:qPFY/Bdue1pIemCBnH6h+/wfktcLkdseWQnYK7u4XFBbHovTY26:qPFG31XV0+/wfbkd37YK7u418TW
Malware Config
Extracted
formbook
4.1
my18
ladproductreviews.shop
ivor.online
odesfactory.xyz
shim.shop
elonyyoung.net
gac.online
zgtl.click
27652.locker
omelyrooms.online
ermanosu.online
offee-machine-19139.bond
91033.pro
ovedirectiveteam.info
tmsolcoinews.uno
lizz.finance
uyurbanaraava.shop
anufixo.xyz
ypercog.xyz
itblog.tech
reshdirectivesolutions.info
ebpazarim.net
kosor-ossorilmma.online
eagleinsurancepros.website
knowido.net
infix.today
5432pxnshot.pics
bzxnbzy.xyz
usk360.xyz
oiyter.xyz
hiefworthextendfirmbridge.xyz
16bet.website
ryptoosvita.website
lotheroes.casino
obilityscooterscooters.today
eatintell.net
rustless888.xyz
ousecure.online
120qa.xyz
ruck-driver-jobs-41162.bond
exas88me.pro
bplus.motorcycles
luebunkers.online
ummitpointconsulting.net
aiaearthworks.net
iartetuexperiencia.live
rnamiara.online
gendamos.online
utuelleretraite.bond
alleoncoin.net
adawol.click
xclusivedealsspots.sbs
nnotechg.net
esconseils.net
reatyarmouth-cruisetours.today
earntok.shop
itness-center-ph-8859635.zone
partamento-sao-paulo-610.click
hoenixlearningnetwork.net
strology-options-12038.bond
yset.info
excopilot.xyz
xpertisechat.xyz
oneyiq.xyz
emotepilottraining.online
hartplus.autos
Signatures
-
Formbook family
-
Formbook payload 2 IoCs
resource yara_rule
behavioral2/memory/2064-32-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral2/memory/5592-90-0x00000000005A0000-0x00000000005CF000-memory.dmp formbook -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process
4716 powershell.exe
4768 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target
PID 4196 set thread context of 2064 4196 Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe 102
PID 2064 set thread context of 3424 2064 RegSvcs.exe 56
PID 5592 set thread context of 3424 5592 svchost.exe 56 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE
Key created \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
5000 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 entries, consecutive repeats collapsed)
4196 Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe
4716 powershell.exe (x2)
4768 powershell.exe (x2)
4196 Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe (x2)
2064 RegSvcs.exe (x5)
4716 powershell.exe
4768 powershell.exe
5592 svchost.exe (x50) -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process
2064 RegSvcs.exe (x3)
5592 svchost.exe (x2) -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process
Token: SeDebugPrivilege 4196 Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe
Token: SeDebugPrivilege 4716 powershell.exe
Token: SeDebugPrivilege 4768 powershell.exe
Token: SeDebugPrivilege 2064 RegSvcs.exe
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE
Token: SeDebugPrivilege 5592 svchost.exe
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process
3424 Explorer.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target
PID 4196 wrote to memory of 4716 4196 Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe 96 (x3)
PID 4196 wrote to memory of 4768 4196 Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe 98 (x3)
PID 4196 wrote to memory of 5000 4196 Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe 100 (x3)
PID 4196 wrote to memory of 2064 4196 Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe 102 (x6)
PID 3424 wrote to memory of 5592 3424 Explorer.EXE 103 (x3)
PID 5592 wrote to memory of 4220 5592 svchost.exe 104 (x3)
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Users\Admin\AppData\Local\Temp\Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ljFvtsV.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ljFvtsV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2E2.tmp"
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
-
C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5592 -
C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:4220
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5 17504abbe4b0ee7cf14e67ef9a4a61da
SHA1 b90d117f4f9b16c20986b7d651717af3095ae78f
SHA256 33651ff23b92b26771f81d705ec475b644621214550d6196acb668f769f2f3d0
SHA512 d944d4aee9723d6d2e9fe0e0dfae261613cecd3b86bb6b317534afee8638586935caa49f20be6f9a57ae78a5c1a2a9e79f0a05aa8a25a9f8e5c61314ff628538