Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    03-05-2021 08:48

General

  • Target

    aa6168d4e41ced2091baee9f5d59e11e.exe

  • Size

    228KB

  • MD5

    aa6168d4e41ced2091baee9f5d59e11e

  • SHA1

    de7f4a8270fe216e68076ce93243b60d6d6d5f51

  • SHA256

    7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b

  • SHA512

    37c5d51495c0b53bdcd522d3b4a0346202d6069002b8d35f913a96596eb1a51c4fa41e445673024fbb62b4f701355aabb2e1804075709693c6339d1c3dad95e2

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.shoprodeovegas.com/xcl/

Decoy

  • sewingtherose.com
  • thesmartshareholder.com
  • afasyah.com
  • marolamusic.com
  • lookupgeorgina.com
  • plataforyou.com
  • dijcan.com
  • pawtyparcels.com
  • interprediction.com
  • fairerfinancehackathon.net
  • thehmnshop.com
  • jocelynlopez.com
  • launcheffecthouston.com
  • joyeveryminute.com
  • spyforu.com
  • ronerasanjuan.com
  • gadgetsdesi.com
  • nmrconsultants.com
  • travellpod.com
  • ballparksportscards.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa6168d4e41ced2091baee9f5d59e11e.exe
    "C:\Users\Admin\AppData\Local\Temp\aa6168d4e41ced2091baee9f5d59e11e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\aa6168d4e41ced2091baee9f5d59e11e.exe
      "C:\Users\Admin\AppData\Local\Temp\aa6168d4e41ced2091baee9f5d59e11e.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1496

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \Users\Admin\AppData\Local\Temp\nsxE93.tmp\ghvea31n0uw.dll

    MD5

    7bee24f38e906d08f10c1b51be4be749

    SHA1

    588f2f0f8b859e15620fbec8e6381c6addf2a3fd

    SHA256

    974e158ea37951d137839d4189279330aa2e85f5bafa4f273f7007673cd4d3fc

    SHA512

    417032d0c0decacd4332d9379843ef358b553960a2c00caf470d129f6f797aed3eb180a3e2182eb5e443772d24b8e8c7fe4bd3b06909b2a555a8e7c063137e25

  • memory/1496-62-0x000000000041EB70-mapping.dmp

  • memory/1496-63-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1496-64-0x00000000008D0000-0x0000000000BD3000-memory.dmp

    Filesize

    3.0MB

  • memory/1748-59-0x00000000757E1000-0x00000000757E3000-memory.dmp

    Filesize

    8KB

  • memory/1748-61-0x0000000000310000-0x0000000000312000-memory.dmp

    Filesize

    8KB