Analysis

  • max time kernel
    146s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-01-2021 06:54

General

  • Target

    Request a quote Mitsubishi Japan XN501.exe

  • Size

    858KB

  • MD5

    d5079ba6252ba0df47a279c217f79abe

  • SHA1

    1088019f6828d3b01dbaa44a7f27cad6d00bbcd2

  • SHA256

    b6dc1192212d0ae4c5509491a96602f9c3da82694097372e9bf5ae03ca86adba

  • SHA512

    629fce6fa602b30e8d82b980de1a777e87840b2377757fbef18c5037b7d47a54c3c3eec5872da0eec1573807815d45192ccf9b8f8daf53b56dda41baf5ce9193

Malware Config

Extracted

Family

formbook

C2

http://www.9dgevjb.net/gtl/

Decoy

45687g.net

graveimport.com

bulldogsgear.com

service-support.email

uhzcflg.icu

zebradefensefund.com

make10xhappen.com

ecotegral.online

stillatwink.site

onwardatlanta.com

real-optionstheory.com

madbearcustomwoodworking.com

adelinekaczmarek.com

elia-lca.com

tinykreations.com

rawlinsrealty.info

ubcholdings.com

searko.com

lepinedoree.com

fundsrecoveryexperts.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook Payload 3 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\Request a quote Mitsubishi Japan XN501.exe
      "C:\Users\Admin\AppData\Local\Temp\Request a quote Mitsubishi Japan XN501.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Local\Temp\Request a quote Mitsubishi Japan XN501.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\SysWOW64\msdt.exe
          "C:\Windows\SysWOW64\msdt.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:792
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Request a quote Mitsubishi Japan XN501.exe"
            5⤵
            • Deletes itself
            PID:1084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/792-9-0x0000000000000000-mapping.dmp
  • memory/792-10-0x0000000000B40000-0x0000000000C34000-memory.dmp
    Filesize

    976KB

  • memory/792-12-0x0000000002040000-0x0000000002170000-memory.dmp
    Filesize

    1.2MB

  • memory/1084-11-0x0000000000000000-mapping.dmp
  • memory/1272-13-0x0000000006480000-0x00000000065CA000-memory.dmp
    Filesize

    1.3MB

  • memory/1640-2-0x00000000745C0000-0x0000000074CAE000-memory.dmp
    Filesize

    6.9MB

  • memory/1640-3-0x00000000000D0000-0x00000000000D1000-memory.dmp
    Filesize

    4KB

  • memory/1640-5-0x0000000000800000-0x000000000080E000-memory.dmp
    Filesize

    56KB

  • memory/1640-6-0x0000000005610000-0x000000000569F000-memory.dmp
    Filesize

    572KB

  • memory/1664-7-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

  • memory/1664-8-0x000000000041EAF0-mapping.dmp