Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7 -
submitted
10-08-2020 09:13
General
-
Target
Quotationv.exe
-
Size
669KB
-
MD5
52cfc15a97799e70a8b4a39b04bc8e2b
-
SHA1
2cfa4daab21dd8115167a3ccba0080f5fdad63ff
-
SHA256
f910b739d3d727fc1f5acde88b0740a575c603dc6c61246156c5debd6bd126bc
-
SHA512
95b7d0c4942703ebfec9d405bfe08efd1f11c2af3b9f65e05bef5afb3440fabcff5e5733de9bec824331d6b22c26e72419e25ca66a6948c07c0c4d4cc98fcdc3
Malware Config
Extracted
formbook
http://www.fex-tracks.com/pdup/
mycharlesschwab.com
casinocode.online
lesliemostellerart.com
cdtevergreen.com
jualpenirumasli.com
lvyouonline.com
moteaiai.com
coachmo13.com
lampungtimur.com
sellmycapecodhouse.com
wearschool.com
onlinekazancyollari.com
ubmotherhood.com
sqyxedu.com
sibate518.com
energygv.com
sathsathhain.com
paperghostsbook.com
investinbritain.net
tansuokeji.ink
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook Payload 4 IoCs
-
Deletes itself 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"5⤵
- Deletes itself
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1096-4-0x0000000000000000-mapping.dmp
-
memory/1096-5-0x0000000000550000-0x000000000055D000-memory.dmpFilesize
52KB
-
memory/1096-7-0x0000000003000000-0x000000000309A000-memory.dmpFilesize
616KB
-
memory/1096-8-0x0000000074F30000-0x0000000074F38000-memory.dmpFilesize
32KB
-
memory/1124-0-0x00000000077F0000-0x00000000077F2000-memory.dmpFilesize
8KB
-
memory/1304-3-0x0000000005070000-0x0000000005130000-memory.dmpFilesize
768KB
-
memory/1468-1-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1468-2-0x000000000041EDC0-mapping.dmp
-
memory/1536-6-0x0000000000000000-mapping.dmp
-
memory/1680-9-0x000007FEF7E00000-0x000007FEF807A000-memory.dmpFilesize
2.5MB