formbook | 7aec5714f249052bfb6d9195ee09affa5817bb20fb1096bb49bbc2fb10048e75

General

Target

STdCUUIWc6ThD1c.exe
Size

429KB
MD5

372f3141f5bbca51025428b7d5544b2d
SHA1

b26c353e3dfdc4f8423e8df6ec7134f34cd2cee1
SHA256

7aec5714f249052bfb6d9195ee09affa5817bb20fb1096bb49bbc2fb10048e75
SHA512

c2ab6efae09366813608151a3252cf729a70ed117a053ffb9ea3df9f30e256d447dbdd4fc99409d4919ef5d33b5ee38782a148fad89a75c18fa5e85cbe4fdb17

Score

10^/10

persistence spyware evasion trojan stealer formbook

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Deletes itself 1 IoCs

pid	Process
1936	cmd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	msdt.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YLZXPLEHI = "C:\\Program Files (x86)\\D_ng4p2eh\\Cookiesadipz.exe"	msdt.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1840	schtasks.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 1896	1516	STdCUUIWc6ThD1c.exe	27
PID 1896 set thread context of 1212	1896	STdCUUIWc6ThD1c.exe	20
PID 1916 set thread context of 1212	1916	msdt.exe	20

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\D_ng4p2eh\Cookiesadipz.exe	msdt.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1840	1516	STdCUUIWc6ThD1c.exe	24
PID 1516 wrote to memory of 1840	1516	STdCUUIWc6ThD1c.exe	24
PID 1516 wrote to memory of 1840	1516	STdCUUIWc6ThD1c.exe	24
PID 1516 wrote to memory of 1840	1516	STdCUUIWc6ThD1c.exe	24
PID 1516 wrote to memory of 1880	1516	STdCUUIWc6ThD1c.exe	26
PID 1516 wrote to memory of 1880	1516	STdCUUIWc6ThD1c.exe	26
PID 1516 wrote to memory of 1880	1516	STdCUUIWc6ThD1c.exe	26
PID 1516 wrote to memory of 1880	1516	STdCUUIWc6ThD1c.exe	26
PID 1516 wrote to memory of 1896	1516	STdCUUIWc6ThD1c.exe	27
PID 1516 wrote to memory of 1896	1516	STdCUUIWc6ThD1c.exe	27
PID 1516 wrote to memory of 1896	1516	STdCUUIWc6ThD1c.exe	27
PID 1516 wrote to memory of 1896	1516	STdCUUIWc6ThD1c.exe	27
PID 1516 wrote to memory of 1896	1516	STdCUUIWc6ThD1c.exe	27
PID 1516 wrote to memory of 1896	1516	STdCUUIWc6ThD1c.exe	27
PID 1516 wrote to memory of 1896	1516	STdCUUIWc6ThD1c.exe	27
PID 1212 wrote to memory of 1916	1212	Explorer.EXE	28
PID 1212 wrote to memory of 1916	1212	Explorer.EXE	28
PID 1212 wrote to memory of 1916	1212	Explorer.EXE	28
PID 1212 wrote to memory of 1916	1212	Explorer.EXE	28
PID 1916 wrote to memory of 1936	1916	msdt.exe	29
PID 1916 wrote to memory of 1936	1916	msdt.exe	29
PID 1916 wrote to memory of 1936	1916	msdt.exe	29
PID 1916 wrote to memory of 1936	1916	msdt.exe	29

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1516	STdCUUIWc6ThD1c.exe
1896	STdCUUIWc6ThD1c.exe
1896	STdCUUIWc6ThD1c.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe
1916	msdt.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	STdCUUIWc6ThD1c.exe
Token: SeDebugPrivilege	1896	STdCUUIWc6ThD1c.exe
Token: SeDebugPrivilege	1916	msdt.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1896	STdCUUIWc6ThD1c.exe
1896	STdCUUIWc6ThD1c.exe
1896	STdCUUIWc6ThD1c.exe
1916	msdt.exe
1916	msdt.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1212
- C:\Users\Admin\AppData\Local\Temp\STdCUUIWc6ThD1c.exe
  "C:\Users\Admin\AppData\Local\Temp\STdCUUIWc6ThD1c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FtKjUcBbBRmkY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp863F.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\STdCUUIWc6ThD1c.exe
    "{path}"
    3⤵
    PID:1880
- - C:\Users\Admin\AppData\Local\Temp\STdCUUIWc6ThD1c.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    PID:1896
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - System policy modification
  - Adds Run entry to policy start application
  - Modifies Internet Explorer settings
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: MapViewOfSection
  PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\STdCUUIWc6ThD1c.exe"
    3⤵
    - Deletes itself
    PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1896-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1916-5-0x00000000008F0000-0x00000000009E4000-memory.dmp

Filesize
976KB

Download
memory/1916-7-0x0000000003230000-0x000000000334D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads