Resubmissions
submitted | analysis ID | score
01/07/2025, 06:41 | 250701-hf9akasp12 | 10
01/07/2025, 06:22 | 250701-g43bgsdl5v | 10
10/06/2025, 16:01 | 250610-tgnk2azqw5 | 10
Analysis
max time kernel: 149s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01/07/2025, 06:41
Static task: static1
Behavioral task: behavioral1 (sample 271JaJbQjMLGbcc.exe, resource win10v2004-20250610-en)
Behavioral task: behavioral2 (sample 271JaJbQjMLGbcc.exe, resource win10ltsc2021-20250610-en)
General
Target: 271JaJbQjMLGbcc.exe
Size: 667KB
MD5: 17043ee76cd32800262fa06cfc3ac690
SHA1: 0f11ac97736fb42fd30d6c4abf1da4549e8f0101
SHA256: 6781be8abda50b0cc7d27b9466f7b39572f978cf16151092554e7b4557f0ac06
SHA512: 0ec8c106a4d55deee49da8a9696f36cbcfb55872d0d2e982416be34ab7e81faa2b2c12f86575e195093d24b78978691c4c242fe7bdf1ab728a68bf92b57d31d7
SSDEEP: 12288:disP8yffxahqfDGZW17k0+YHPEd8MwP0WAra3OjuBGy1kuOEXuVjCqfkR:n8yffxQqbuWZk9DNWAr6u+3OCq6
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: hi26
C2 domains (as extracted):
ctopeaux.shop
isui.shop
huangyusij.top
tsgfa.lol
bcjpp.top
ccess1logsmexico.lat
6vhv7.vip
3i1mp.vip
isy.art
rterracaudill.today
377278d.app
izoc.xyz
guiwe.xyz
81rwp.vip
hi8t3b5a3.shop
omnerror.shop
hm6l1w9o5.shop
saondemandswag.net
sig.xyz
andbags-48525.bond
536a.top
dmiralx-oid.top
amefdsgs.click
leekhoodie.shop
atxjysrwm9.xyz
l6.top
hsbxt.top
377688d.app
om-etcdyl.vip
raaline.shop
fxgjb.vip
iobet5568.buzz
3148dhssr.cfd
c736.top
ao23.top
yupas.xyz
low-bloom.shop
9kwe.top
g86mb.cfd
hkwk0.vip
rn18m.vip
vpgwm.cfd
q0xmh.vip
4wdlhwuzw.xyz
b54f.top
lectric-cars-99334.bond
cac.team
6861.computer
aupure.shop
ealvizcaya.casa
jzyzx.top
lmaron.pro
388789.xyz
einticincotreintauno.net
756102928.cfd
implezzz.shop
73g48u.top
ccluskey.top
owellpublications.net
uto.top
5a2yq.vip
rkadastop.bond
mart-lex.net
ky5way.pro
aplayplinko.xyz
Signatures
Formbook family
Formbook payload (2 IoCs)
resource | yara_rule
behavioral3/memory/2128-40-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral3/memory/3140-81-0x0000000000D70000-0x0000000000D9E000-memory.dmp | formbook
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
5012 | powershell.exe
1012 | powershell.exe
Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 5260 set thread context of 2128 | 5260 | 271JaJbQjMLGbcc.exe | 85
PID 2128 set thread context of 3308 | 2128 | vbc.exe | 53
PID 3140 set thread context of 3308 | 3140 | cmmon32.exe | 53
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmmon32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 271JaJbQjMLGbcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3944 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (62 IoCs; repeated entries collapsed with counts)
pid | Process | count
5260 | 271JaJbQjMLGbcc.exe | 2
5012 | powershell.exe | 2
1012 | powershell.exe | 2
2128 | vbc.exe | 4
3140 | cmmon32.exe | 52
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3308 | Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs; repeated entries collapsed with counts)
pid | Process | count
2128 | vbc.exe | 3
3140 | cmmon32.exe | 2
Suspicious use of AdjustPrivilegeToken (61 IoCs; repeated entries collapsed with counts)
Token | pid | Process | count
SeDebugPrivilege | 5260 | 271JaJbQjMLGbcc.exe | 1
SeDebugPrivilege | 5012 | powershell.exe | 1
SeDebugPrivilege | 1012 | powershell.exe | 1
SeDebugPrivilege | 2128 | vbc.exe | 1
SeDebugPrivilege | 3140 | cmmon32.exe | 1
SeShutdownPrivilege | 3308 | Explorer.EXE | 28
SeCreatePagefilePrivilege | 3308 | Explorer.EXE | 28
(The Explorer.EXE entries alternate SeShutdownPrivilege / SeCreatePagefilePrivilege throughout the run.)
Suspicious use of WriteProcessMemory (21 IoCs; repeated entries collapsed with counts)
description | pid | Process | procid_target | count
PID 5260 wrote to memory of 1012 | 5260 | 271JaJbQjMLGbcc.exe | 79 | 3
PID 5260 wrote to memory of 5012 | 5260 | 271JaJbQjMLGbcc.exe | 81 | 3
PID 5260 wrote to memory of 3944 | 5260 | 271JaJbQjMLGbcc.exe | 83 | 3
PID 5260 wrote to memory of 2128 | 5260 | 271JaJbQjMLGbcc.exe | 85 | 6
PID 3308 wrote to memory of 3140 | 3308 | Explorer.EXE | 86 | 3
PID 3140 wrote to memory of 2188 | 3140 | cmmon32.exe | 87 | 3
Processes (tree; indentation shows parent/child relationship)

C:\Windows\Explorer.EXE (PID 3308)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe (PID 5260)
    command line: "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1012)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5012)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQKiRiS.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (PID 3944)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQKiRiS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D1D.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2128)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmmon32.exe (PID 3140)
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2188)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 2KB
MD5: d0c46cad6c0778401e21910bd6b56b70
SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Filesize: 18KB
MD5: 5153b5e4354b9ecd435ac7e8c94a4f4b
SHA1: cc3bc40bb084a80e8dfbacb4d77dc470d0e8cf34
SHA256: d22a350d12e961f438cd57d1084646e7349921789f01251e0de5a1d786159f5d
SHA512: a985b8fc6041d8f3dac59405c2f24e66132c29c206067ef6e6719e9b725ebc6dc1ab05bc686a8d5f13bfd020818027c17f3c69f65b4766f94de0d019a8f29156

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: 965c6297e30b91a9a300c7e7c5c49267
SHA1: dd11f956de931ce179f6be125b65434bc7f05e59
SHA256: 3230714493351b7cc2b12453f4ca9a2c945997fcdb0b8deda970a91662cacf9d
SHA512: 8989c5002e96bec5bb5bd0d414681280cbb0603bb0882576b056bd2d318f72a6a78db5a3d5d7b4533f22f87d0d51396d3b82103b4681455812e271eb5bc4254f