Analysis

max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 12:50

Static task: static1
Behavioral task: behavioral1
Sample: 2024 Lusail Fence-WITH STICKER-2-003.exe
Resource: win7-20240611-en
General

Target: 2024 Lusail Fence-WITH STICKER-2-003.exe
Size: 1.1MB
MD5: e03cefcd99feaf7ca8fd37a4bec8280c
SHA1: 1ef21abddff685aeb42767f9288d67bf22a9422d
SHA256: f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30
SHA512: af81a05f31cc3cd87872f95d448ce65936c6cd9ee8296c2ee46fd9af7b1cc7f76104c4272c4ce03d206086cb676e034e8a40670ec98494de8c28e551f2776277
SSDEEP: 24576:2AHnh+eWsN3skA4RV1Hom2KXMmHaFUjMJc+pSA1TZHrhb5:Rh+ZkldoPK8YaFXJnrT
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: ts59
Domains (65):
hgptgz684w.top
gas39.pro
totalcow.com
76466.club
ssweatstudio.com
nr35.top
hmstr-drop.site
kjsdhklssk13.xyz
lostaino.com
athenamotel.info
9332946.com
ec-delivery-jobs-8j.bond
complaix.com
824go.com
checkout4xgrow.shop
modleavedepts.online
shoedio54.com
topallinoneaccounting.com
texhio.online
cn-brand.com
spotlights-instagram.com
kgstrengthandperformance.com
illumonos.com
asmauardotreschicshoes.com
732456.app
uorder.xyz
scarytube.world
ujgddhhfeffsfgg2.group
slumbergrip.com
anugerahcorp.biz
genevieveeventrental.com
wizardatm.com
pipelin.xyz
zangbreaker.com
782akd.top
theurbangarden.xyz
relatablemedia.net
robottts.com
femininequantumflowcoach.com
thebeckettfamily.com
yys1.rest
f-kd.net
ycmg5352.com
babyscan.xyz
superprinterworld.com
decorland.online
anatomiasiedzenia.com
digitalanju.life
zu89.top
dropfile.xyz
00050516.xyz
kris1.com
riedmw.sbs
osofamilycoffee.com
redseadivingadventure.com
momura.xyz
bvlazaedi.xyz
vifjzpdi.xyz
digitalimageryde.shop
anjay4d.green
qjjkxi260l.top
granadaiighting.com
agenciademarketingtorreon.com
casinomaxnodepositbonus.icu
gb-electric-wheelchairs-8j.bond
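The domain list above is the part of this report that is directly actionable. As an added example (not part of the sandbox report), the Python below normalizes that list and matches it against DNS query log lines. The log line layout (pid=, image=, query=) and the lines themselves are constructed for illustration, and only a subset of the 65 domains is embedded; a subdomain such as www.totalcow.com matches its listed parent, while a look-alike such as nottotalcow.com does not. One caveat: Formbook configs are known to mix decoy domains in with the real C2, so a hit is a lead to pivot on (which process made the query, compare with the PIDs in the Signatures section) rather than proof of compromise on its own.

```python
"""Match DNS query logs against the Formbook domain list extracted above.

Added example for this report, not tooling from the sandbox. The log lines
and their field layout (pid=, image=, query=) are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Set

# Subset of the extracted config, copied from the report; paste all 65 in practice.
FORMBOOK_DOMAINS_TEXT = """
hgptgz684w.top
gas39.pro
totalcow.com
76466.club
ssweatstudio.com
ec-delivery-jobs-8j.bond
gb-electric-wheelchairs-8j.bond
"""

# Constructed log lines; the pid and image on the hits mirror the report's process tree.
SAMPLE_DNS_LOG = r"""
2024-07-01T12:51:03Z pid=3060 image=C:\Windows\SysWOW64\svchost.exe query=www.totalcow.com
2024-07-01T12:51:04Z pid=3060 image=C:\Windows\SysWOW64\svchost.exe query=gas39.pro.
2024-07-01T12:51:05Z pid=880 image=C:\Program Files\Internet Explorer\iexplore.exe query=www.microsoft.com
2024-07-01T12:51:06Z pid=3060 image=C:\Windows\SysWOW64\svchost.exe query=nottotalcow.com
"""

# Lazy match on image so paths containing spaces still parse.
LOG_RE = re.compile(r"pid=(?P<pid>\d+) image=(?P<image>.+?) query=(?P<query>\S+)$")


def load_domains(text: str) -> Set[str]:
    """One domain per line -> lowercase set; trailing dots, blank and comment lines dropped."""
    domains = set()
    for line in text.splitlines():
        d = line.strip().lower().rstrip(".")
        if d and not d.startswith("#"):
            domains.add(d)
    return domains


def matches_domain(query: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that `query` equals or sits under, else None.

    Walks label by label from the full name towards the suffix, so
    www.totalcow.com -> totalcow.com, nottotalcow.com stays unmatched, and a
    bare TLD is never tested against the list.
    """
    labels = query.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(lines: List[str], domains: Set[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose query matches a listed domain."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line.strip())
        if not m:
            continue  # malformed line; in production count these rather than drop silently
        matched = matches_domain(m["query"], domains)
        if matched:
            hits.append({"pid": m["pid"], "image": m["image"],
                         "query": m["query"], "matched": matched})
    return hits


if __name__ == "__main__":
    domains = load_domains(FORMBOOK_DOMAINS_TEXT)
    for hit in scan_dns_log(SAMPLE_DNS_LOG.strip().splitlines(), domains):
        print(f"pid {hit['pid']} ({hit['image']}) queried {hit['query']} -> {hit['matched']}")
```

Run as a script it reports two hits, both from PID 3060 (the hollowed svchost.exe); the Internet Explorer query and the look-alike domain are ignored.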
Signatures

Formbook payload (3 IoCs)
  yara rule "formbook" matched in these memory dumps (sizes from the Downloads list below: 188KB each):
    behavioral1/memory/3060-11-0x0000000000400000-0x000000000042F000-memory.dmp
    behavioral1/memory/3060-14-0x0000000000400000-0x000000000042F000-memory.dmp
    behavioral1/memory/2752-19-0x0000000000080000-0x00000000000AF000-memory.dmp

Suspicious use of SetThreadContext (3 IoCs)
  PID 1168 (2024 Lusail Fence-WITH STICKER-2-003.exe) set thread context of PID 3060 (svchost.exe)
  PID 3060 (svchost.exe) set thread context of PID 1252 (Explorer.EXE)
  PID 2752 (explorer.exe) set thread context of PID 1252 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  PID 3060 (svchost.exe): 2 events
  PID 2752 (explorer.exe): 29 events

Suspicious behavior: MapViewOfSection (6 IoCs)
  PID 1168 (2024 Lusail Fence-WITH STICKER-2-003.exe): 1 event
  PID 3060 (svchost.exe): 3 events
  PID 2752 (explorer.exe): 2 events

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 3060 (svchost.exe): Token SeDebugPrivilege
  PID 2752 (explorer.exe): Token SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 1168 (2024 Lusail Fence-WITH STICKER-2-003.exe): 2 events
  PID 1252 (Explorer.EXE): 2 events

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1168 (2024 Lusail Fence-WITH STICKER-2-003.exe): 2 events

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1168 (2024 Lusail Fence-WITH STICKER-2-003.exe) wrote to memory of PID 3060 (svchost.exe): 5 events
  PID 1252 (Explorer.EXE) wrote to memory of PID 2752 (explorer.exe): 4 events
  PID 2752 (explorer.exe) wrote to memory of PID 2620 (cmd.exe): 4 events
Processes

C:\Windows\Explorer.EXE (PID 1252)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2024 Lusail Fence-WITH STICKER-2-003.exe (PID 1168)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024 Lusail Fence-WITH STICKER-2-003.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (PID 3060)
      command line: "C:\Users\Admin\AppData\Local\Temp\2024 Lusail Fence-WITH STICKER-2-003.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\explorer.exe (PID 2752)
    command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2620)
      command line: /c del "C:\Windows\SysWOW64\svchost.exe"
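The tree above is the Formbook execution chain as this sandbox recorded it: the sample (PID 1168) starts C:\Windows\SysWOW64\svchost.exe (PID 3060) but hands it the sample's own command line, the SetThreadContext and WriteProcessMemory entries are the hollowing, the 64-bit Explorer.EXE (PID 1252) then has its thread context set by 3060 and spawns the 32-bit C:\Windows\SysWOW64\explorer.exe (PID 2752), which runs cmd.exe (PID 2620) to delete the svchost.exe path. As an added example (not part of the report), the Python below encodes three of those observations as process-creation rules and runs them over events constructed from the tree. The event fields (pid, ppid, image, command line, parent image) are assumed to come from a Sysmon-style process-creation source; that layout is an assumption, not something the report shows.

```python
"""Process-creation rules for the hollowing chain in the report above.

Added example, not part of the sandbox report. Events are constructed from the
report's process tree (same pids and paths); the field layout is an assumed
Sysmon-style process-creation record.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024 Lusail Fence-WITH STICKER-2-003.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # image path the kernel actually mapped
    cmdline: str        # command line as supplied by the creating process
    parent_image: str


# Constructed from the report's process tree.
EVENTS = [
    ProcEvent(1168, 1252, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\Explorer.EXE"),
    # svchost.exe launched with the sample's command line: the hollowing tell
    ProcEvent(3060, 1168, r"C:\Windows\SysWOW64\svchost.exe", f'"{SAMPLE}"', SAMPLE),
    ProcEvent(2752, 1252, r"C:\Windows\SysWOW64\explorer.exe",
              r'"C:\Windows\SysWOW64\explorer.exe"', r"C:\Windows\Explorer.EXE"),
    ProcEvent(2620, 2752, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Windows\SysWOW64\svchost.exe"', r"C:\Windows\SysWOW64\explorer.exe"),
]


def first_token(cmdline: str) -> str:
    """First argument of a Windows command line, honouring double quotes."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def rule_image_cmdline_mismatch(ev: ProcEvent) -> Optional[str]:
    """Command line names a different .exe than the image that was mapped."""
    claimed = ntpath.basename(first_token(ev.cmdline)).lower()
    actual = ntpath.basename(ev.image).lower()
    if claimed.endswith(".exe") and claimed != actual:
        return f"image {actual} launched with command line for {claimed}"
    return None


def rule_explorer_spawns_wow64_explorer(ev: ProcEvent) -> Optional[str]:
    """64-bit Explorer.EXE starting the 32-bit SysWOW64 explorer.exe."""
    if (ntpath.basename(ev.parent_image).lower() == "explorer.exe"
            and ev.image.lower() == r"c:\windows\syswow64\explorer.exe"):
        return f"Explorer.EXE (pid {ev.ppid}) spawned SysWOW64 explorer.exe"
    return None


DEL_RE = re.compile(r'/c\s+del\s+"?(?P<path>[a-z]:\\windows\\[^"]+)', re.IGNORECASE)


def rule_cmd_del_system_binary(ev: ProcEvent) -> Optional[str]:
    """cmd.exe /c del against a path under C:\\Windows (the cleanup step in the tree)."""
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    m = DEL_RE.search(ev.cmdline)
    return f"cmd.exe deleting {m['path']}" if m else None


RULES: List[Tuple[str, Callable[[ProcEvent], Optional[str]]]] = [
    ("image_cmdline_mismatch", rule_image_cmdline_mismatch),
    ("explorer_spawns_wow64_explorer", rule_explorer_spawns_wow64_explorer),
    ("cmd_del_system_binary", rule_cmd_del_system_binary),
]


def run_rules(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(pid, rule name) for every rule that fires, in event order."""
    return [(ev.pid, name) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for ev in EVENTS:
        for name, rule in RULES:
            why = rule(ev)
            if why:
                print(f"pid {ev.pid}: {name}: {why}")
```

The mismatch rule is the one worth keeping in production: a legitimate svchost.exe is always started with a command line that names svchost.exe, so a system binary carrying another executable's command line is a strong hollowing signal on its own; the other two rules are narrower to this chain and serve mainly to tie the events together.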
Network
MITRE ATT&CK Matrix
Downloads (memory dumps)

memory/1168-10-0x0000000000120000-0x0000000000124000-memory.dmp  16KB
memory/1252-30-0x0000000006AE0000-0x0000000006C0A000-memory.dmp  1.2MB
memory/1252-27-0x0000000006AE0000-0x0000000006C0A000-memory.dmp  1.2MB
memory/1252-26-0x0000000006AE0000-0x0000000006C0A000-memory.dmp  1.2MB
memory/1252-22-0x0000000006510000-0x0000000006654000-memory.dmp  1.3MB
memory/1252-16-0x0000000006510000-0x0000000006654000-memory.dmp  1.3MB
memory/2752-17-0x0000000000760000-0x00000000009E1000-memory.dmp  2.5MB
memory/2752-18-0x0000000000760000-0x00000000009E1000-memory.dmp  2.5MB
memory/2752-19-0x0000000000080000-0x00000000000AF000-memory.dmp  188KB
memory/3060-14-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/3060-15-0x0000000000180000-0x0000000000194000-memory.dmp  80KB
memory/3060-12-0x00000000009F0000-0x0000000000CF3000-memory.dmp  3.0MB
memory/3060-11-0x0000000000400000-0x000000000042F000-memory.dmp  188KB