Resubmissions (each scored 10/10)
01/07/2025, 06:41  250701-hf9akasp12
01/07/2025, 06:22  250701-g43bgsdl5v
10/06/2025, 16:01  250610-tgnk2azqw5

Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250610-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250610-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 01/07/2025, 06:41
Static task: static1
Behavioral task: behavioral1
  Sample: 271JaJbQjMLGbcc.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: 271JaJbQjMLGbcc.exe
  Resource: win10ltsc2021-20250610-en
General
Target: 271JaJbQjMLGbcc.exe
Size: 667KB
MD5: 17043ee76cd32800262fa06cfc3ac690
SHA1: 0f11ac97736fb42fd30d6c4abf1da4549e8f0101
SHA256: 6781be8abda50b0cc7d27b9466f7b39572f978cf16151092554e7b4557f0ac06
SHA512: 0ec8c106a4d55deee49da8a9696f36cbcfb55872d0d2e982416be34ab7e81faa2b2c12f86575e195093d24b78978691c4c242fe7bdf1ab728a68bf92b57d31d7
SSDEEP: 12288:disP8yffxahqfDGZW17k0+YHPEd8MwP0WAra3OjuBGy1kuOEXuVjCqfkR:n8yffxQqbuWZk9DNWAr6u+3OCq6
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: hi26
Domains (as extracted):
ctopeaux.shop
isui.shop
huangyusij.top
tsgfa.lol
bcjpp.top
ccess1logsmexico.lat
6vhv7.vip
3i1mp.vip
isy.art
rterracaudill.today
377278d.app
izoc.xyz
guiwe.xyz
81rwp.vip
hi8t3b5a3.shop
omnerror.shop
hm6l1w9o5.shop
saondemandswag.net
sig.xyz
andbags-48525.bond
536a.top
dmiralx-oid.top
amefdsgs.click
leekhoodie.shop
atxjysrwm9.xyz
l6.top
hsbxt.top
377688d.app
om-etcdyl.vip
raaline.shop
fxgjb.vip
iobet5568.buzz
3148dhssr.cfd
c736.top
ao23.top
yupas.xyz
low-bloom.shop
9kwe.top
g86mb.cfd
hkwk0.vip
rn18m.vip
vpgwm.cfd
q0xmh.vip
4wdlhwuzw.xyz
b54f.top
lectric-cars-99334.bond
cac.team
6861.computer
aupure.shop
ealvizcaya.casa
jzyzx.top
lmaron.pro
388789.xyz
einticincotreintauno.net
756102928.cfd
implezzz.shop
73g48u.top
ccluskey.top
owellpublications.net
uto.top
5a2yq.vip
rkadastop.bond
mart-lex.net
ky5way.pro
aplayplinko.xyz

A Formbook configuration carries a long domain list in which most entries are decoys and only a small number are live C2s, and several entries above look truncated by one leading character (for example "lectric-cars-99334.bond", "andbags-48525.bond"). Treat the list as indicators to verify against network telemetry, not as a ready-made blocklist.
Signatures

Formbook family

Formbook payload (3 IoCs)
resource / yara_rule:
behavioral2/memory/3232-17-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
behavioral2/memory/3232-76-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
behavioral2/memory/4848-78-0x0000000000DA0000-0x0000000000DCE000-memory.dmp  formbook
Both hosts carry a region of the same size, 0x2E000 bytes (0x400000-0x42E000 in vbc.exe, PID 3232; 0xDA0000-0xDCE000 in ipconfig.exe, PID 4848), i.e. the same unpacked Formbook image mapped into two successive host processes.

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings (exclusions for file extensions, paths or processes). In this run both invocations use Add-MpPreference -ExclusionPath: one for the sample's own path in Local\Temp, one for C:\Users\Admin\AppData\Roaming\xQKiRiS.exe, a path that shares its name with the scheduled task created next. On a live host, Get-MpPreference exposes the ExclusionPath, ExclusionProcess and ExclusionExtension lists, and the Windows Defender operational log records configuration changes as event 5007; an exclusion pointing into a user profile is a finding on its own.
pid / Process:
4012  powershell.exe
3564  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description / ioc / Process:
Key value queried  \REGISTRY\USER\S-1-5-21-1666585949-2086230170-2304269057-1000\Control Panel\International\Geo\Nation  271JaJbQjMLGbcc.exe

Uses the VB.NET compiler (vbc.exe) for execution (1 TTP)
vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript interpreter. It is started here with no arguments so that its address space can be replaced (see SetThreadContext below).

Suspicious use of SetThreadContext (3 IoCs)
description / pid / Process / procid_target:
PID 2168 set thread context of 3232  271JaJbQjMLGbcc.exe -> vbc.exe  (94)
PID 3232 set thread context of 3516  vbc.exe -> Explorer.EXE  (56)
PID 4848 set thread context of 3516  ipconfig.exe -> Explorer.EXE  (56)
Read together with the WriteProcessMemory entries below, the first line is hollowing of a freshly created child; the second and third change a thread context in Explorer.EXE, a process that neither source created.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe (two processes), schtasks.exe, ipconfig.exe, cmd.exe, 271JaJbQjMLGbcc.exe

Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view network configuration.
pid / Process:
4848  ipconfig.exe
This signature matches on the image name. The process tree shows ipconfig.exe launched with no arguments by Explorer.EXE and then behaving as an injection host (SetThreadContext, MapViewOfSection, SeDebugPrivilege), so the hit is a side effect of the host choice rather than reconnaissance with the utility.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The task is imported from an XML file in the user's Temp directory (tmpA22B.tmp) under the name Updates\xQKiRiS; the XML content is not captured on this page. On a live host the definition is stored under C:\Windows\System32\Tasks\Updates\xQKiRiS, and Security event 4698 records the creation when task auditing is enabled.
pid / Process:
1952  schtasks.exe
Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid / Process (count):
2168  271JaJbQjMLGbcc.exe  (2)
3564  powershell.exe  (2)
4012  powershell.exe  (2)
3232  vbc.exe  (4)
4848  ipconfig.exe  (52)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / Process:
3516  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid / Process (count):
3232  vbc.exe  (3)
4848  ipconfig.exe  (2)

Suspicious use of AdjustPrivilegeToken (51 IoCs)
Token / pid / Process:
SeDebugPrivilege  2168 271JaJbQjMLGbcc.exe, 3564 powershell.exe, 4012 powershell.exe, 3232 vbc.exe, 4848 ipconfig.exe
4012 powershell.exe and 3564 powershell.exe each additionally enable: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35, 36
3516 Explorer.EXE: SeShutdownPrivilege (2), SeCreatePagefilePrivilege (2)
The SeDebugPrivilege request by ipconfig.exe is another sign that the process is running injected code rather than the utility's own.

Suspicious use of WriteProcessMemory (21 IoCs)
description / pid / Process / procid_target (number of writes):
PID 2168 wrote to memory of 4012  271JaJbQjMLGbcc.exe -> powershell.exe  (88, 3)
PID 2168 wrote to memory of 3564  271JaJbQjMLGbcc.exe -> powershell.exe  (90, 3)
PID 2168 wrote to memory of 1952  271JaJbQjMLGbcc.exe -> schtasks.exe  (92, 3)
PID 2168 wrote to memory of 3232  271JaJbQjMLGbcc.exe -> vbc.exe  (94, 6)
PID 3516 wrote to memory of 4848  Explorer.EXE -> ipconfig.exe  (95, 3)
PID 4848 wrote to memory of 656  ipconfig.exe -> cmd.exe  (97, 3)
Every child created in this run receives three writes from its parent; vbc.exe receives six, consistent with the payload being written into it after creation.
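The two tables above only become readable as an injection chain once memory writes and thread-context changes are paired per (source, target) and compared against the process tree. The following script is an added example and not part of the Triage report: the EVENTS tuples are transcribed by hand from the SetThreadContext and WriteProcessMemory tables (one entry per distinct pair), PARENTS from the process tree, and the severity labels and rule wording are my own. It also parses the memory-dump resource names from the "Formbook payload" entry to confirm that the regions found in vbc.exe and ipconfig.exe are the same size.

```python
"""Pair cross-process memory writes with SetThreadContext calls to separate
process hollowing from ordinary child creation.  Added example, not part of
the sandbox report: EVENTS and PARENTS are transcribed by hand from the
report's signature tables and process tree; the severity labels are my own."""
import re
from collections import defaultdict

# (source pid, source image, api, target pid, target image) -- transcribed from the report,
# one entry per distinct pair (the report repeats each write several times)
EVENTS = [
    (2168, "271JaJbQjMLGbcc.exe", "WriteProcessMemory", 4012, "powershell.exe"),
    (2168, "271JaJbQjMLGbcc.exe", "WriteProcessMemory", 3564, "powershell.exe"),
    (2168, "271JaJbQjMLGbcc.exe", "WriteProcessMemory", 1952, "schtasks.exe"),
    (2168, "271JaJbQjMLGbcc.exe", "WriteProcessMemory", 3232, "vbc.exe"),
    (2168, "271JaJbQjMLGbcc.exe", "SetThreadContext",   3232, "vbc.exe"),
    (3232, "vbc.exe",             "SetThreadContext",   3516, "Explorer.EXE"),
    (3516, "Explorer.EXE",        "WriteProcessMemory", 4848, "ipconfig.exe"),
    (4848, "ipconfig.exe",        "SetThreadContext",   3516, "Explorer.EXE"),
    (4848, "ipconfig.exe",        "WriteProcessMemory", 656,  "cmd.exe"),
]
# child pid -> parent pid, from the process tree (Explorer.EXE has no recorded parent)
PARENTS = {2168: 3516, 4012: 2168, 3564: 2168, 1952: 2168, 3232: 2168, 4848: 3516, 656: 4848}


def classify(events, parents):
    """One finding per (source, target) pair: (severity, src, src_image, dst, dst_image, reason)."""
    apis = defaultdict(set)
    image = {}
    for src, simg, api, dst, dimg in events:
        apis[(src, dst)].add(api)
        image[src], image[dst] = simg, dimg
    findings = []
    for (src, dst), seen in sorted(apis.items()):
        own_child = parents.get(dst) == src
        if "SetThreadContext" in seen and not own_child:
            sev, why = "high", "thread context changed in a process it did not create (remote hijack)"
        elif "SetThreadContext" in seen and "WriteProcessMemory" in seen:
            sev, why = "high", "wrote into its own child and then replaced the thread context (hollowing)"
        elif "SetThreadContext" in seen:
            sev, why = "medium", "thread context changed in own child without an observed write"
        elif own_child:
            sev, why = "low", "write into own child only; CreateProcess alone produces this"
        else:
            sev, why = "medium", "write into a process it did not create"
        findings.append((sev, src, image[src], dst, image[dst], why))
    return findings


def hijacked_targets(findings):
    """Processes whose execution was taken over, as (pid, image), sorted."""
    return sorted({(dst, dimg) for sev, _, _, dst, dimg, _ in findings if sev == "high"})


# Triage names memory dumps <pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(r"^(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def dump_region(name):
    """Parse a dump resource name (with or without directory) into (pid, base, size)."""
    m = DUMP_NAME.match(name.rsplit("/", 1)[-1])
    if not m:
        raise ValueError(name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), start, end - start


def same_payload_size(names):
    """True when every dump covers a region of the same size (one image mapped into several hosts)."""
    return len({dump_region(n)[2] for n in names}) == 1


if __name__ == "__main__":
    findings = classify(EVENTS, PARENTS)
    for f in findings:
        print("%-6s %d %-22s -> %d %-14s %s" % f)
    print("hijacked:", hijacked_targets(findings))
    dumps = ["behavioral2/memory/3232-17-0x0000000000400000-0x000000000042E000-memory.dmp",
             "behavioral2/memory/4848-78-0x0000000000DA0000-0x0000000000DCE000-memory.dmp"]
    print("same payload size in vbc.exe and ipconfig.exe:", same_payload_size(dumps))
```

The write-only pairs (the sample into its PowerShell and schtasks children, Explorer into ipconfig.exe, ipconfig.exe into cmd.exe) are scored low because a parent always writes into a child it has just created; what separates the chain is the SetThreadContext calls, and in particular the two that land in Explorer.EXE, which neither vbc.exe nor ipconfig.exe created.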
Processes
(Indentation gives the parent/child relation; each image path is followed by the command line as the sandbox recorded it.)

C:\Windows\Explorer.EXE  (PID 3516)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe  (PID 2168)
    command line: "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4012)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3564)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQKiRiS.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe  (PID 1952)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQKiRiS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 3232)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\ipconfig.exe  (PID 4848)
    command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 656)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - System Location Discovery: System Language Discovery

Reading the tree:
- Every child runs from SysWOW64 or the 32-bit Framework directory, so the sample is a 32-bit executable. The System32 paths in the recorded PowerShell and schtasks command lines are rewritten to SysWOW64 by WOW64 file-system redirection.
- The stage order follows from the signatures: the sample writes into and re-contexts vbc.exe, vbc.exe sets a thread context in Explorer.EXE, Explorer.EXE then starts ipconfig.exe with no arguments, and ipconfig.exe sets Explorer's thread context again and runs cmd.exe to delete the vbc.exe path. That is why ipconfig.exe hangs off Explorer.EXE rather than off the sample: its parent is the injected Explorer, not 271JaJbQjMLGbcc.exe.
- Persistence consists of two Defender path exclusions and the task Updates\xQKiRiS imported from tmpA22B.tmp; the task XML itself is not shown on this page, so the action it runs has to be taken from the task store on an infected host.
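The process tree above reduces to four command-line patterns that are cheap to match in process-creation telemetry (Sysmon event 1 or Security event 4688 with command-line logging): a Defender exclusion added from PowerShell, a scheduled task imported from an XML file in a temp directory, a known hollowing host started with no arguments by an untrusted parent, and a cmd /c del of a binary under C:\Windows. The script below is an added example and not part of the Triage report: the EVENTS list is transcribed by hand from the tree (pid, parent pid, image path, recorded command line), and the rule names, severities and the HOLLOW_HOSTS and TRUSTED_PARENTS lists are my own assumptions, not sandbox signatures.

```python
"""Process-creation rules for the chain in this report.  Added example, not
part of the Triage report: EVENTS is transcribed by hand from the process tree;
rule names, severities, HOLLOW_HOSTS and TRUSTED_PARENTS are my own choices."""
import ntpath
import re

EVENTS = [  # constructed from the report's process tree
    {"pid": 3516, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2168, "ppid": 3516, "image": r"C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"'},
    {"pid": 4012, "ppid": 2168, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"'},
    {"pid": 3564, "ppid": 2168, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQKiRiS.exe"'},
    {"pid": 1952, "ppid": 2168, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQKiRiS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp"'},
    {"pid": 3232, "ppid": 2168, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
    {"pid": 4848, "ppid": 3516, "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": r'"C:\Windows\SysWOW64\ipconfig.exe"'},
    {"pid": 656, "ppid": 4848, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
]

USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Users\\Public\\")
EXCLUSION = re.compile(r'(?i)Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))')
TASK_XML = re.compile(r'(?i)/XML\s+(?:"([^"]+)"|(\S+))')
TASK_NAME = re.compile(r'(?i)/TN\s+(?:"([^"]+)"|(\S+))')
DEL_IN_WINDIR = re.compile(r'(?i)\bdel\b.*?"?([A-Z]:\\Windows\\[^"]+)')
FIRST_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)$', re.S)
# binaries routinely started empty and hollowed (assumed list, extend to taste)
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "ipconfig.exe", "svchost.exe"}
# parents for which an argument-less launch of those binaries is expected (assumed list)
TRUSTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe",
                   "devenv.exe", "msbuild.exe", "services.exe"}


def _val(m, *groups):
    """First non-empty capture group of a quoted-or-bare match."""
    for g in groups:
        if m.group(g) is not None:
            return m.group(g)
    return ""


def arguments(image, cmdline):
    """Command line with argv[0] stripped; '' means the image was started with no arguments."""
    m = FIRST_TOKEN.match(cmdline)
    if not m:
        return cmdline.strip()
    argv0 = _val(m, 1, 2)
    if ntpath.basename(argv0).lower() == ntpath.basename(image).lower():
        return m.group(3).strip()
    return cmdline.strip()  # recorded without argv[0], as for cmd.exe in this report


def evaluate(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = ntpath.basename(e["image"]).lower(), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pname = ntpath.basename(parent["image"]).lower() if parent else ""
        m = EXCLUSION.search(cmd) if name == "powershell.exe" else None
        if m:  # exclusion for a user-writable path is the high-severity case
            target = _val(m, 2, 3)
            findings.append({"rule": "defender-exclusion", "pid": e["pid"], "value": target,
                             "sev": "high" if USER_WRITABLE.search(target) else "medium"})
        if name == "schtasks.exe" and "/create" in cmd.lower():
            xml_m, tn_m = TASK_XML.search(cmd), TASK_NAME.search(cmd)
            xml = _val(xml_m, 1, 2) if xml_m else ""
            findings.append({"rule": "schtasks-xml", "pid": e["pid"], "xml": xml,
                             "value": _val(tn_m, 1, 2) if tn_m else "",
                             "sev": "high" if USER_WRITABLE.search(xml) else "medium"})
        if (name in HOLLOW_HOSTS and parent and pname not in TRUSTED_PARENTS
                and arguments(e["image"], cmd) == ""):
            findings.append({"rule": "argless-host", "pid": e["pid"], "value": name, "parent": pname,
                             "sev": "high" if USER_WRITABLE.search(parent["image"]) else "medium"})
        m = DEL_IN_WINDIR.search(cmd) if name == "cmd.exe" else None
        if m:
            findings.append({"rule": "cleanup-delete", "pid": e["pid"], "value": m.group(1), "sev": "medium"})
    return findings


def linked_persistence(findings):
    """Names that appear both as an excluded file and as a scheduled-task name."""
    excluded = {ntpath.splitext(ntpath.basename(f["value"]))[0].lower()
                for f in findings if f["rule"] == "defender-exclusion"}
    tasks = {ntpath.basename(f["value"]).lower() for f in findings if f["rule"] == "schtasks-xml"}
    return sorted(excluded & tasks)


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for f in found:
        print(f["sev"], f["rule"], f["pid"], f["value"])
    print("exclusion and task share a name:", linked_persistence(found))
```

The argument-less host rule is the one worth tuning: ipconfig.exe started empty from a shell is normal, which is what TRUSTED_PARENTS is for, while the same image started empty by Explorer.EXE (as here) or by something in AppData (vbc.exe here) is not. The name correlation at the end ties the second exclusion to the task, which is what turns two medium-confidence events into one persistence finding.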
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 2KB
MD5: f9349064c7c8f8467cc12d78a462e5f9
SHA1: 5e1d27fc64751cd8c0e9448ee47741da588b3484
SHA256: 883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b
SHA512: 3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

Filesize: 21KB
MD5: 7e75dde1d60e370aade884037e36e8fe
SHA1: d319a029a9c25d46853d718dbcb396e9f1b635b1
SHA256: 3e2eeccff0686ac0793359c0caf74fdebe868c8dd5f211201e16e97b5d5b52b9
SHA512: 6fa0dbf67edeef04021f69c7b27c5567f380d010a7c451d25e7ac86becc9c1f2d4dc12f5ff09e48f4c4bcf76dff93749162f0e640025664d41add005009cacbc

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: e74ef35146fac1f7010fdd45f9f2b2ce
SHA1: d3ddb70fd316827b156edde48054a0c982c75abd
SHA256: 567d7d0c91134ee7c6c482379d3c150e5d0dee887b24767aed5768f2ae035c9a
SHA512: f1d0a7ae031ecddfa63c83818ed3a90e635e6423ddb3725928e5414dd478e1b6f2fdebf319a99b1830c6b6c6427f8c1726553caab58ec0112d044caae4f111a2