Analysis

max time kernel: 298s
max time network: 294s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17/04/2025, 09:22

Static task: static1
Behavioral task: behavioral1
Sample: bin-crypted-crypted.exe
Resource: win10v2004-20250314-en
General

Target: bin-crypted-crypted.exe
Size: 2.4MB
MD5: ba011d330e84715b66989217075d100a
SHA1: 9d56d3200232358ed6eeee2da3a19f829f9143be
SHA256: 4465c322692f63b3ec6b5941be87017f1643e21e41df0b63afc618f5f8136208
SHA512: 409acb2dc4a5d9aae7119d6882ebd851c925d0b8ae8dac941e371138804a31a08609d8013f08f249fff43750b78aa4d73118b2d23ba2d1e0dd390dc15865ce3e
SSDEEP: 49152:5u5voq9yqVHncEylouiXCvkHDHewwtiw6ZA:5u5vPVHnfyNiXCvKDHe5tD6W
Malware Config

Extracted: formbook
Version: 4.1
Campaign: jc27
Domains (Formbook embeds its real C2 in a list of decoy domains and beacons to all of them, so read the list as a set rather than treating each entry as a confirmed C2):
uymygel.xyz
aregiver-services-test01.sbs
ouyin67gh.vip
lobalz.top
cl1ic4.pro
mconotc.top
hmm365.cfd
olonam.shop
ionnel.shop
ntroductorypage.info
einopumpify.net
hsnac.xyz
rameny.net
itness-apps1-s2025.sbs
nshulthakurdev.pro
iveawaywin.online
setobe.info
ostury.shop
5r03a.sbs
yota-blog.net
5381a6.app
acdzvx.top
raindeposits.info
gsp607.top
allbucdial.store
t615873tel.top
uckycasino88.net
oclywts.top
ol.autos
udm9p.cfd
arsonsales.online
0422.pet
94478.app
9ghaefscrnmu.shop
akery156mart.xyz
ogmuppets.top
-payret.shop
fcgroup.net
upcup.info
x3zig.sbs
port-eu.shop
sbjgu.cfd
01dt.top
4250017.xyz
yfreedom.lol
personegitim.xyz
acecarpg.vip
illavilavenue.xyz
2ap7moc06aou.xyz
rchi-architects.net
mretdoy.xyz
eucartaoflash.online
e-eaac.top
itfukt.net
agam77.net
4249874.xyz
85793.fit
ph63.info
oxupa.shop
arnaca.realestate
onarchglobalsecurityweb.info
gc6koahcyqn2y.xyz
1t2r1k8f.top
akalovwww.online
ingkersk8.store
Signatures

Formbook family
Suspicious use of SetThreadContext (3 IoCs)
description                            pid   Process                  procid_target
PID 4036 set thread context of 5176    4036  bin-crypted-crypted.exe  80
PID 5176 set thread context of 3232    5176  RegAsm.exe               52
PID 652 set thread context of 3232     652   explorer.exe             52
procid_target is the report's internal index of the target process (80 = RegAsm.exe 5176, 52 = Explorer.EXE 3232), not a PID. Only the first row is a parent setting the context of its own freshly spawned child (hollowing); the other two set the context of the already-running desktop Explorer.EXE, i.e. injection into an existing process.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bin-crypted-crypted.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RegAsm.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   explorer.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
This key is also opened by ordinary Windows binaries during startup (it fires on cmd.exe here), so on its own it is a weak indicator.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process        entries
5176  RegAsm.exe     4
652   explorer.exe   60
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
3232  Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
pid   Process        entries
5176  RegAsm.exe     3
652   explorer.exe   2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                       pid   Process        entries
Token: SeDebugPrivilege           5176  RegAsm.exe     1
Token: SeDebugPrivilege           652   explorer.exe   1
Token: SeShutdownPrivilege        3232  Explorer.EXE   31
Token: SeCreatePagefilePrivilege  3232  Explorer.EXE   31
SeDebugPrivilege being enabled in the RegAsm.exe and SysWOW64 explorer.exe hosts is the entry consistent with the injection chain (it is needed to open other processes for writing). The alternating SeShutdownPrivilege/SeCreatePagefilePrivilege entries are token adjustments on the desktop Explorer.EXE and carry little signal on their own.
Suspicious use of WriteProcessMemory (12 IoCs)
description                          pid   Process                  procid_target  entries
PID 4036 wrote to memory of 5176     4036  bin-crypted-crypted.exe  80             6
PID 3232 wrote to memory of 652      3232  Explorer.EXE             81             3
PID 652 wrote to memory of 5928      652   explorer.exe             82             3
Read together with the SetThreadContext rows: the sample writes into and hollows RegAsm.exe; RegAsm.exe hijacks a thread in the desktop Explorer.EXE; that Explorer.EXE, now running the payload, spawns the 32-bit C:\Windows\SysWOW64\explorer.exe and writes into it; and the 32-bit explorer.exe spawns cmd.exe and sets the context of Explorer.EXE again. Every process in the tree except cmd.exe has therefore executed the payload, which matters when attributing later file or network activity.
Processes

C:\Windows\Explorer.EXE  (PID 3232)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bin-crypted-crypted.exe  (PID 4036)
    command line: "C:\Users\Admin\AppData\Local\Temp\bin-crypted-crypted.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5176)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\explorer.exe  (PID 652)
    command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 5928)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - System Location Discovery: System Language Discovery

Two points for triage. RegAsm.exe is started with no arguments from the 32-bit .NET Framework directory, a common host for a hollowed payload, which is why the later stages (SysWOW64\explorer.exe, SysWOW64\cmd.exe) are also 32-bit. The del command targets that RegAsm.exe host rather than the dropper: the payload deletes the image it believes it ran from, so the sample in %TEMP% is not removed by this step whether or not the delete succeeds.