Analysis
-
max time kernel
115s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
04-05-2021 15:56
General
-
Target
106ada585df884b13cd6a8a71e404c78.exe
-
Size
706KB
-
MD5
106ada585df884b13cd6a8a71e404c78
-
SHA1
470e8dd108972fe65c027b9d4856aa365b69fd9e
-
SHA256
612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572
-
SHA512
aa354154c552b5ea442a980a00abd64691caf30c73bc5bfc97846c0ad394ce4e829308b99642d09ad9d2843feda689770614116092210541655b66aafc2defb2
Malware Config
Extracted
formbook
4.1
http://www.mvcsecrets.com/op9s/
uscoser.club
gustrad.com
sowftwer.com
psychicpatrol.com
lmouowgoaa.com
riandmoara.com
sushigardentogo.com
cannabimall.com
ecolodgesworld.com
mysandboxcsp.com
coxsmobility.com
sfs-distribution.info
tymict.com
u-bahn.online
chrisjohnsondrums.com
comfyscoffee.com
eastwoodlearningcenter.com
a-authenticate.com
greatroyalspices.com
legalparaprofessionalonline.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook Payload 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\106ada585df884b13cd6a8a71e404c78.exe"C:\Users\Admin\AppData\Local\Temp\106ada585df884b13cd6a8a71e404c78.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fendlKCsOIoiN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE986.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\106ada585df884b13cd6a8a71e404c78.exe"C:\Users\Admin\AppData\Local\Temp\106ada585df884b13cd6a8a71e404c78.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE986.tmpMD5
3b9cba211e1424d53eeabb026c9e2a16
SHA1a9433f0bbbee0f01d1c42736031b9557a4b21bab
SHA256d34f6f4665000790c2b60bcaffacc05af36f95151d4f15191b902b34074f2a97
SHA5129030a49c082e798b818fe1d38b7f71c0daf6a580fde9fc946b2cb1fed0e6c047d0229fa6cabc33feb99fd37c7d565d0e23017bfa0992f6db34ca9f5bf7618bc2
-
memory/2128-132-0x0000000000EF0000-0x0000000001210000-memory.dmpFilesize
3.1MB
-
memory/2128-130-0x000000000041ED40-mapping.dmp
-
memory/2128-129-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/2660-127-0x0000000000000000-mapping.dmp
-
memory/4044-119-0x0000000005170000-0x0000000005171000-memory.dmpFilesize
4KB
-
memory/4044-120-0x00000000052F0000-0x00000000057EE000-memory.dmpFilesize
5.0MB
-
memory/4044-122-0x00000000052F0000-0x00000000057EE000-memory.dmpFilesize
5.0MB
-
memory/4044-123-0x00000000052F0000-0x00000000057EE000-memory.dmpFilesize
5.0MB
-
memory/4044-124-0x0000000008F30000-0x0000000008F3E000-memory.dmpFilesize
56KB
-
memory/4044-125-0x0000000001060000-0x00000000010DF000-memory.dmpFilesize
508KB
-
memory/4044-126-0x0000000007000000-0x0000000007035000-memory.dmpFilesize
212KB
-
memory/4044-121-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/4044-114-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/4044-118-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/4044-117-0x00000000057F0000-0x00000000057F1000-memory.dmpFilesize
4KB
-
memory/4044-116-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB