Analysis

  • max time kernel
    146s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 20:12

General

  • Target

    SKM_C36821010708320.exe

  • Size

    766KB

  • MD5

    15d8096422d137c7388908bb2be61ec4

  • SHA1

    e67d261ef38eb251fb97a466d83c95e75d286ebe

  • SHA256

    fae57c2f185899220dff608004ab571822fc14cc02aa7e30b1cd5db7be4beea8

  • SHA512

    83d38e2e5540d1a2790f834e62bd1cc6978eae92c6d70ca875b72e0d33852473b68b36b99c4fe05e3c100283dee6353e45f907eecbb9369d730c17c5c20bb1f5

Malware Config

Extracted

Family

formbook

C2

http://www.ameeraglow.com/6bu2/

Decoy

shuttergame.com

beyondregions.com

cuttingedgetinting.com

riveraspanishfoods.com

jfksn.com

rtplay2020.com

idahofallsobituaries.com

qf432.com

magandaconfections.com

suremlak.com

tuproductividadpersonal.com

ziswmyxaw.icu

howtolovemybody.com

signpartnerpro.com

conservative-forward.com

bhscsh.com

todowine.com

garrettthermaldetector.com

bunbook.com

ehealthla.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook Payload 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\SKM_C36821010708320.exe
      "C:\Users\Admin\AppData\Local\Temp\SKM_C36821010708320.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Users\Admin\AppData\Local\Temp\SKM_C36821010708320.exe
        "C:\Users\Admin\AppData\Local\Temp\SKM_C36821010708320.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3164
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\SKM_C36821010708320.exe"
        3⤵
          PID:4076

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2428-17-0x00000000055B0000-0x000000000565F000-memory.dmp
      Filesize

      700KB

    • memory/2428-15-0x00000000000A0000-0x00000000000AC000-memory.dmp
      Filesize

      48KB

    • memory/2428-14-0x00000000000A0000-0x00000000000AC000-memory.dmp
      Filesize

      48KB

    • memory/2428-13-0x0000000000000000-mapping.dmp
    • memory/3164-11-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

    • memory/3164-12-0x000000000041ED10-mapping.dmp
    • memory/3980-6-0x0000000005920000-0x0000000005921000-memory.dmp
      Filesize

      4KB

    • memory/3980-10-0x0000000006600000-0x000000000666A000-memory.dmp
      Filesize

      424KB

    • memory/3980-9-0x00000000058E0000-0x00000000058F2000-memory.dmp
      Filesize

      72KB

    • memory/3980-8-0x00000000058D0000-0x00000000058D1000-memory.dmp
      Filesize

      4KB

    • memory/3980-7-0x00000000059C0000-0x00000000059C1000-memory.dmp
      Filesize

      4KB

    • memory/3980-2-0x0000000073A20000-0x000000007410E000-memory.dmp
      Filesize

      6.9MB

    • memory/3980-5-0x0000000005D80000-0x0000000005D81000-memory.dmp
      Filesize

      4KB

    • memory/3980-3-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
      Filesize

      4KB

    • memory/4076-16-0x0000000000000000-mapping.dmp