Analysis
-
max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
25-06-2024 17:13
Static task
static1
Behavioral task
behavioral1
Sample
wise_deposit_note__1114218690__3287491072__en.cmd
Resource
win7-20240508-en
General
-
Target
wise_deposit_note__1114218690__3287491072__en.cmd
-
Size
2.4MB
-
MD5
42323f7609e2e5c56add77d01e27432f
-
SHA1
e5262c46781a8c58aaee00a529ed7597dbb2b698
-
SHA256
4cb31951ae2b4f8b86b532c25762252f28525f55061d8d09a356a9c8f12029b2
-
SHA512
0814feee3013a4409c3171f30dc9d9d4ffe5626e6ba28a257163fa8f26380751fbd5ba7077e47e9bcd59d8b852b50822fb3383c9a6366b8619db7627d9ded44d
-
SSDEEP
24576:IPHN8ur54cKt8AdV30Z3ZRYwVxrhWHmmV/MBm54hRCKxBJxsv:IPHSur5M8Ar30JnrQLMEBv
Malware Config
Extracted
formbook
4.1
ca63
Signatures
-
Formbook payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3348-46-0x0000000004E90000-0x0000000005E90000-memory.dmp | formbook
behavioral2/memory/3348-50-0x0000000004E90000-0x0000000005E90000-memory.dmp | formbook
behavioral2/memory/3188-52-0x0000000000700000-0x000000000072F000-memory.dmp | formbook
Executes dropped EXE 9 IoCs
Processes:
pid | process
648 | alpha.exe
1480 | alpha.exe
1856 | kn.exe
3780 | alpha.exe
1684 | kn.exe
1544 | Audio.pif
4760 | alpha.exe
1764 | alpha.exe
4032 | yrblzjxP.pif
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pxjzlbry = "C:\\Users\\Public\\Pxjzlbry.url" | Audio.pif
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1544 set thread context of 4032 | 1544 | Audio.pif | yrblzjxP.pif
PID 3348 set thread context of 3364 | 3348 | colorcpl.exe | Explorer.EXE
PID 3188 set thread context of 3364 | 3188 | NETSTAT.EXE | Explorer.EXE
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
4284 | 4032 | WerFault.exe | yrblzjxP.pif
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
3188 | NETSTAT.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 33 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 57 IoCs
Processes:
pid | process
1544 | Audio.pif (2 occurrences)
3348 | colorcpl.exe (6 occurrences)
3188 | NETSTAT.EXE (49 occurrences)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
3348 | colorcpl.exe (3 occurrences)
3188 | NETSTAT.EXE (2 occurrences)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3348 | colorcpl.exe
Token: SeShutdownPrivilege | 3364 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3364 | Explorer.EXE
Token: SeShutdownPrivilege | 3364 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3364 | Explorer.EXE
Token: SeShutdownPrivilege | 3364 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3364 | Explorer.EXE
Token: SeDebugPrivilege | 3188 | NETSTAT.EXE
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
description | pid | process | target process
PID 2104 wrote to memory of 3904 | 2104 | cmd.exe | extrac32.exe (2 occurrences)
PID 2104 wrote to memory of 648 | 2104 | cmd.exe | alpha.exe (2 occurrences)
PID 648 wrote to memory of 800 | 648 | alpha.exe | extrac32.exe (2 occurrences)
PID 2104 wrote to memory of 1480 | 2104 | cmd.exe | alpha.exe (2 occurrences)
PID 1480 wrote to memory of 1856 | 1480 | alpha.exe | kn.exe (2 occurrences)
PID 2104 wrote to memory of 3780 | 2104 | cmd.exe | alpha.exe (2 occurrences)
PID 3780 wrote to memory of 1684 | 3780 | alpha.exe | kn.exe (2 occurrences)
PID 2104 wrote to memory of 1544 | 2104 | cmd.exe | Audio.pif (3 occurrences)
PID 2104 wrote to memory of 4760 | 2104 | cmd.exe | alpha.exe (2 occurrences)
PID 2104 wrote to memory of 1764 | 2104 | cmd.exe | alpha.exe (2 occurrences)
PID 1544 wrote to memory of 4032 | 1544 | Audio.pif | yrblzjxP.pif (5 occurrences)
PID 1544 wrote to memory of 2132 | 1544 | Audio.pif | extrac32.exe (3 occurrences)
PID 1544 wrote to memory of 3348 | 1544 | Audio.pif | colorcpl.exe (4 occurrences)
PID 3364 wrote to memory of 3188 | 3364 | Explorer.EXE | NETSTAT.EXE (3 occurrences)
PID 3188 wrote to memory of 1012 | 3188 | NETSTAT.EXE | cmd.exe (3 occurrences)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 2)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd"
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\extrac32.exe (depth 3)
  command line: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
-
C:\Users\Public\alpha.exe (depth 3)
  command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exe (depth 4)
  command line: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
-
C:\Users\Public\alpha.exe (depth 3)
  command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd" "C:\\Users\\Public\\Audio.mp4" 9
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exe (depth 4)
  command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd" "C:\\Users\\Public\\Audio.mp4" 9
- Executes dropped EXE
-
C:\Users\Public\alpha.exe (depth 3)
  command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exe (depth 4)
  command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
- Executes dropped EXE
-
C:\Users\Public\Libraries\Audio.pif (depth 3)
  command line: C:\Users\Public\Libraries\Audio.pif
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Libraries\yrblzjxP.pif (depth 4)
  command line: C:\Users\Public\Libraries\yrblzjxP.pif
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (depth 5)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 224
- Program crash
-
C:\Windows\SysWOW64\extrac32.exe (depth 4)
  command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Pxjzlbry.PIF
-
C:\Windows\SysWOW64\colorcpl.exe (depth 4)
  command line: C:\Windows\System32\colorcpl.exe
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\alpha.exe (depth 3)
  command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
- Executes dropped EXE
-
C:\Users\Public\alpha.exe (depth 3)
  command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
- Executes dropped EXE
-
C:\Windows\SysWOW64\NETSTAT.EXE (depth 2)
  command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
  command line: /c del "C:\Windows\SysWOW64\colorcpl.exe"
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4032 -ip 4032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4324 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Downloads
-
C:\Users\Public\Audio.mp4
Filesize 1.7MB
MD5 19c1e12dd929495409539244b0ed93c7
SHA1 4cfa1823732b5b7357ddb1932d3b1547c7227619
SHA256 26de6e62d11c5b463d2077c56f11c4bfddaa8e83200ab1facc29e478e15f11ff
SHA512 6b09493e2a26f8aa43e2cf34ab5973b7ab28b6ab95ad014d767bb7b4f9bb541c12f013a53c42b9f8931a304105f7da486b51749c453021d234303336fd82a2b4
-
C:\Users\Public\Libraries\Audio.pif
Filesize 890KB
MD5 a0af268716f0954964b48a4ac5c44b08
SHA1 f80f8c5083002d8e9484a45d21221e5c7f0160dc
SHA256 8d49b42445b075555360a8809710d34bc35d8658ced4ed1a062b6d4c2e7be2e6
SHA512 3f6588e1b76450cd72711b505ff81072f7055de76abcd5dab5bcc03d7a91b214422152f470ff8ffce73cbe8501e75dff6dd60371ebf7da7a6927741c09279692
-
C:\Users\Public\Libraries\yrblzjxP.pif
Filesize 66KB
MD5 c116d3604ceafe7057d77ff27552c215
SHA1 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA512 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
C:\Users\Public\alpha.exe
Filesize 283KB
MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Users\Public\kn.exe
Filesize 1.6MB
MD5 bd8d9943a9b1def98eb83e0fa48796c2
SHA1 70e89852f023ab7cde0173eda1208dbb580f1e4f
SHA256 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA512 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
memory/1544-28-0x0000000000400000-0x00000000004E7000-memory.dmp
Filesize 924KB
-
memory/3188-51-0x00000000000A0000-0x00000000000AB000-memory.dmp
Filesize 44KB
-
memory/3188-52-0x0000000000700000-0x000000000072F000-memory.dmp
Filesize 188KB
-
memory/3348-46-0x0000000004E90000-0x0000000005E90000-memory.dmp
Filesize 16.0MB
-
memory/3348-50-0x0000000004E90000-0x0000000005E90000-memory.dmp
Filesize 16.0MB
-
memory/3364-56-0x00000000085C0000-0x00000000086BD000-memory.dmp
Filesize 1012KB
-
memory/4032-32-0x0000000000400000-0x0000000001400000-memory.dmp
Filesize 16.0MB
-
memory/4032-36-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize 104KB