Analysis
  max time kernel:   149s
  max time network:  143s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240508-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         22-06-2024 01:25

  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            ARIVAL NOTICE.exe
  Resource:          win7-20240221-en
General
  Target:  ARIVAL NOTICE.exe
  Size:    1.0MB
  MD5:     ba4626698cabac08fd9d2440f730e80c
  SHA1:    577f8e973cb926b58dffa2ec5a0ae1f9e451f128
  SHA256:  d6f3187ea8a4c0cb9e263a665487060b5b14caf184a5343b2ed928b67d16a264
  SHA512:  a15b63b4d018276272dd4e2667b79a859df83df8c96ea60b1bf9471e0138b40f7f4ce6c5d63424225fd5fbe1e6c55a9afd75e084b813967db7f49c9558465eda
  SSDEEP:  24576:SAHnh+eWsN3skA4RV1Hom2KXMmHao75RAQkLXWB3ryAv5:Vh+ZkldoPK8YaoX6jQ3ryQ
Malware Config

Extracted
  Family:    formbook
  Version:   4.1
  Campaign:  as02
  Domains (one per line):
qwin777.com
robinhoods.live
h3jh-dal.pics
braindeadcopywriting.com
kktcbet1000.com
mpo0463.cfd
raboteshoes.com
ab1718.com
lowcrusiers.com
gregcopelandmusic.com
dkfndch.store
firstclassuni.com
00ewu1ub.com
shunweichemical.com
sugarits.com
marqify.com
mistmajik.com
trezip.online
tinytables.xyz
suestergocoaching.com
dominoad.com
specials.website
thatpilatesgirl.com
vrexpressok.com
sdegtho.com
svhomesinspections.com
rumbol88.com
dzplricfpf.com
fastcoolify.com
bloominginwholeness.com
12ser3.com
curtsreno.com
defx.ventures
dev-patel.xyz
ltyidc.com
wheiunudweowuqiwuebfyewui3.com
039c5m2ciwt99.top
pmpm.xyz
akabuka.net
parkerslandscapingllc.com
hamcast.com
jiangcapable.site
sassysensoryclips.com
arsalan.shop
thecryptocaviar.com
ofbsconsulting.com
j8j3e.cfd
cinexgltd.com
justcallnadia.com
qcyiran.com
uniseekglobal.com
milieunightclub.com
sisasimoslot.com
svizzblem.net
20644.asia
shroomberparty.com
contractcrafters.net
selectstylehome.shop
blackhillspr.com
topsolutionquality.online
diywithbje.com
simplywellcoach.com
popothebear.site
entendiendomedicare.com
sopaindam.com
Signatures

Formbook payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1636-11-0x0000000000600000-0x000000000062F000-memory.dmp   formbook
  behavioral2/memory/1636-16-0x0000000000600000-0x000000000062F000-memory.dmp   formbook
  behavioral2/memory/4308-22-0x0000000000990000-0x00000000009BF000-memory.dmp   formbook

Suspicious use of SetThreadContext (3 IoCs)
  Processes: ARIVAL NOTICE.exe, svchost.exe, WWAHost.exe
  description                            pid   process            target process
  PID 1772 set thread context of 1636    1772  ARIVAL NOTICE.exe  svchost.exe
  PID 1636 set thread context of 3596    1636  svchost.exe        Explorer.EXE
  PID 4308 set thread context of 3596    4308  WWAHost.exe        Explorer.EXE

Program crash (1 IoCs)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  2292  1772        WerFault.exe  ARIVAL NOTICE.exe

Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes: svchost.exe, WWAHost.exe
  pid   process
  1636  svchost.exe   (4 entries)
  4308  WWAHost.exe   (all remaining entries of the 62)

Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes: ARIVAL NOTICE.exe, svchost.exe, WWAHost.exe
  pid   process
  1772  ARIVAL NOTICE.exe  (2 entries)
  1636  svchost.exe        (3 entries)
  4308  WWAHost.exe        (2 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: svchost.exe, Explorer.EXE, WWAHost.exe
  description                        pid   process
  Token: SeDebugPrivilege            1636  svchost.exe
  Token: SeShutdownPrivilege         3596  Explorer.EXE
  Token: SeCreatePagefilePrivilege   3596  Explorer.EXE
  Token: SeShutdownPrivilege         3596  Explorer.EXE
  Token: SeCreatePagefilePrivilege   3596  Explorer.EXE
  Token: SeDebugPrivilege            4308  WWAHost.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: ARIVAL NOTICE.exe, Explorer.EXE
  pid   process
  1772  ARIVAL NOTICE.exe  (2 entries)
  3596  Explorer.EXE       (3 entries)

Suspicious use of SendNotifyMessage (5 IoCs)
  Processes: ARIVAL NOTICE.exe, Explorer.EXE
  pid   process
  1772  ARIVAL NOTICE.exe  (2 entries)
  3596  Explorer.EXE       (3 entries)

Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: ARIVAL NOTICE.exe, Explorer.EXE, WWAHost.exe
  description                          pid   process            target process
  PID 1772 wrote to memory of 1636     1772  ARIVAL NOTICE.exe  svchost.exe     (4 entries)
  PID 3596 wrote to memory of 4308     3596  Explorer.EXE       WWAHost.exe     (3 entries)
  PID 4308 wrote to memory of 1372     4308  WWAHost.exe        cmd.exe         (3 entries)
Processes (tree; indentation shows parent/child relationship)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ARIVAL NOTICE.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ARIVAL NOTICE.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ARIVAL NOTICE.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 696
      - Program crash

  C:\Windows\SysWOW64\WWAHost.exe
    command line: "C:\Windows\SysWOW64\WWAHost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\SysWOW64\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1772 -ip 1772
Downloads (memory dumps)
  file                                                              size
  memory/1636-11-0x0000000000600000-0x000000000062F000-memory.dmp   188KB
  memory/1636-16-0x0000000000600000-0x000000000062F000-memory.dmp   188KB
  memory/1636-15-0x0000000000F20000-0x0000000000F35000-memory.dmp   84KB
  memory/1636-14-0x0000000001200000-0x000000000154A000-memory.dmp   3.3MB
  memory/1772-10-0x0000000000C70000-0x0000000000C74000-memory.dmp   16KB
  memory/3596-24-0x00000000086C0000-0x000000000878C000-memory.dmp   816KB
  memory/3596-17-0x00000000086C0000-0x000000000878C000-memory.dmp   816KB
  memory/3596-27-0x0000000008E40000-0x0000000008F80000-memory.dmp   1.2MB
  memory/3596-28-0x0000000008E40000-0x0000000008F80000-memory.dmp   1.2MB
  memory/3596-31-0x0000000008E40000-0x0000000008F80000-memory.dmp   1.2MB
  memory/4308-18-0x00000000001C0000-0x000000000029C000-memory.dmp   880KB
  memory/4308-21-0x00000000001C0000-0x000000000029C000-memory.dmp   880KB
  memory/4308-22-0x0000000000990000-0x00000000009BF000-memory.dmp   188KB