Analysis
max time kernel: 149s
max time network: 145s
platform: windows10_x64
resource: win10v20210410
submitted: 27-07-2021 17:00

Static task: static1
Behavioral task: behavioral1
Sample: bobb4567.exe
Resource: win7v20210410
General
Target: bobb4567.exe
Size: 245KB
MD5: 90825728992d0ef937e2523370e34b31
SHA1: 7b9a3d06e10d3ccb32a8be5a98ec253bbc0bdebf
SHA256: 9598f7ebeef58e063e6e5de7da5ea2775991628d11c4fae3e3e2854fa22065eb
SHA512: dc180827a8ba8f24dbf20f38091e1bee6c96776399733bf6519e567c0072ae5907abeaeea5873630a4a9057ec34370bbee47042c7b7e5d4e143ac6cac105f370
Malware Config
Extracted
formbook
4.1
http://www.bulverderoofing.com/lt0h/
originalindigofurniture.co.uk
fl6588.com
acecademy.com
yaerofinerindalnalising.com
mendilovic.online
rishenght.com
famlees.com
myhomeofficemarket.com
bouquetarabia.com
chrisbani.com
freebandslegally.com
hernandezinsurancegroup.net
slicedandfresh.com
apnathikanas.com
chadhatesyou.com
ansilsas.com
in3development.com
nitiren.net
peespn.com
valengz.com
theseakelpcompany.com
tlcrentny.com
sancakcraft.com
kamenb.com
samanthajobenson.com
alphagearz.com
sprins.net
adestramentos.com
civoconstruction.com
masrmasr.com
jagrit.codes
zusammenurlaub.com
mssjqs.com
ic695niu001.com
anelimplus.com
mutlob.com
beyondmickey.net
sliever.club
perfumefashion.icu
massimilianogiannocco.com
dentoncountyattorneys.media
filigreefilly.com
mooremgmtandcompany.com
smpdj.com
stainlesspropmgmt.com
creativecollectivecommunity.com
dmdrogist.com
spokenandheardpodcast.com
garenbid.com
bestcomandcalls.space
tairunshihua.com
nemski-projekt.com
6mum.com
portlandhemorrhoidcenter.com
platinumforsale.net
driven.plus
ontheedgeoutdoorshunting.com
manatapmasalalu.com
idscustomprinting.com
safepassagereform.com
fairop.xyz
natetacticz.com
etoys-sucks.com
rhinolabs.net
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (2 IoCs)
Processes:
resource                                                                 yara_rule
behavioral2/memory/1464-116-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
behavioral2/memory/2700-125-0x00000000008A0000-0x00000000008CE000-memory.dmp  formbook
Suspicious use of SetThreadContext (3 IoCs)
Processes: bobb4567.exe, bobb4567.exe, msiexec.exe
description                             pid   process        target process
PID 512 set thread context of 1464      512   bobb4567.exe   bobb4567.exe
PID 1464 set thread context of 388      1464  bobb4567.exe   Explorer.EXE
PID 2700 set thread context of 388      2700  msiexec.exe    Explorer.EXE
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes: bobb4567.exe, msiexec.exe
pid   process        occurrences
1464  bobb4567.exe   4
2700  msiexec.exe    56
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
pid   process
388   Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: bobb4567.exe, bobb4567.exe, msiexec.exe
pid   process        occurrences
512   bobb4567.exe   1
1464  bobb4567.exe   3
2700  msiexec.exe    2
Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes: bobb4567.exe, Explorer.EXE, msiexec.exe
description                            pid   process
Token: SeDebugPrivilege                1464  bobb4567.exe
Token: SeShutdownPrivilege             388   Explorer.EXE
Token: SeCreatePagefilePrivilege       388   Explorer.EXE
Token: SeShutdownPrivilege             388   Explorer.EXE
Token: SeCreatePagefilePrivilege       388   Explorer.EXE
Token: SeShutdownPrivilege             388   Explorer.EXE
Token: SeCreatePagefilePrivilege       388   Explorer.EXE
Token: SeShutdownPrivilege             388   Explorer.EXE
Token: SeCreatePagefilePrivilege       388   Explorer.EXE
Token: SeShutdownPrivilege             388   Explorer.EXE
Token: SeCreatePagefilePrivilege       388   Explorer.EXE
Token: SeShutdownPrivilege             388   Explorer.EXE
Token: SeCreatePagefilePrivilege       388   Explorer.EXE
Token: SeDebugPrivilege                2700  msiexec.exe
Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
pid   process
388   Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: bobb4567.exe, Explorer.EXE, msiexec.exe
description                         pid   process        target process
PID 512 wrote to memory of 1464     512   bobb4567.exe   bobb4567.exe
PID 512 wrote to memory of 1464     512   bobb4567.exe   bobb4567.exe
PID 512 wrote to memory of 1464     512   bobb4567.exe   bobb4567.exe
PID 512 wrote to memory of 1464     512   bobb4567.exe   bobb4567.exe
PID 388 wrote to memory of 2700     388   Explorer.EXE   msiexec.exe
PID 388 wrote to memory of 2700     388   Explorer.EXE   msiexec.exe
PID 388 wrote to memory of 2700     388   Explorer.EXE   msiexec.exe
PID 2700 wrote to memory of 1476    2700  msiexec.exe    cmd.exe
PID 2700 wrote to memory of 1476    2700  msiexec.exe    cmd.exe
PID 2700 wrote to memory of 1476    2700  msiexec.exe    cmd.exe
Processes (process tree; indentation shows parent/child depth)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\bobb4567.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\bobb4567.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\bobb4567.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\bobb4567.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\msiexec.exe
      command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\bobb4567.exe"
Downloads
file                                                                    filesize
memory/388-128-0x00000000058B0000-0x00000000059AC000-memory.dmp         1008KB
memory/388-119-0x0000000005C50000-0x0000000005D67000-memory.dmp         1.1MB
memory/512-115-0x00000000003D0000-0x00000000003D2000-memory.dmp         8KB
memory/1464-116-0x0000000000400000-0x000000000042E000-memory.dmp        184KB
memory/1464-117-0x0000000001710000-0x0000000001A30000-memory.dmp        3.1MB
memory/1464-118-0x0000000001670000-0x0000000001684000-memory.dmp        80KB
memory/1464-114-0x000000000041EB60-mapping.dmp
memory/1476-123-0x0000000000000000-mapping.dmp
memory/2700-120-0x0000000000000000-mapping.dmp
memory/2700-126-0x00000000047C0000-0x0000000004AE0000-memory.dmp        3.1MB
memory/2700-124-0x0000000000E50000-0x0000000000E62000-memory.dmp        72KB
memory/2700-125-0x00000000008A0000-0x00000000008CE000-memory.dmp        184KB
memory/2700-127-0x0000000004550000-0x00000000045E3000-memory.dmp        588KB