Analysis

  • max time kernel
    105s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 14:04

General

  • Target

    dd1b4545786b29ca6a8f193e48055d06.exe

  • Size

    228KB

  • MD5

    dd1b4545786b29ca6a8f193e48055d06

  • SHA1

    292b3f6cdf438ff33667c4160be9016e32187af2

  • SHA256

    f88dc07bd8d9ecaabaaad76a092029221077b4eba8d67714dc750b15a59d74f3

  • SHA512

    74d06fe3bef055508c4a4233093989c573fc24f1761fc425a530678c78ba1988f38270190037479a396737e6f87461214f9a33c8b4cdd6bdc19de92a11e6e80c

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.shoprodeovegas.com/xcl/

Decoy


Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe
    "C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe
      "C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2352

Network

MITRE ATT&CK Enterprise v6


Downloads

  • \Users\Admin\AppData\Local\Temp\nsw2504.tmp\e8y8qnxvyff.dll

    MD5

    6496d9ed92ba627e38ed23b4bceedf45

    SHA1

    64dbc80a0ad75af5eda9136c6e7ccaeba22eb8c2

    SHA256

    e59cfc7619e0f202c0bd6f132ca988f2f7f6dc302d885d1ab2d66b04e356ff0a

    SHA512

    b0079f519883f02c9b5e0389e5c48864a913f0f5f0171fa681d305a24414f08ac7d5023026c432b96312e41f7481260eeba6952bfb5d63d3fdd40bef6613948d

  • memory/2352-115-0x000000000041EB70-mapping.dmp

  • memory/2352-117-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2352-118-0x00000000009F0000-0x0000000000D10000-memory.dmp

    Filesize

    3.1MB

  • memory/3016-116-0x0000000000970000-0x0000000000993000-memory.dmp

    Filesize

    140KB