Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10_x64 -
resource
win10-en -
submitted
10-09-2021 08:20
Behavioral task
behavioral1
Sample
10000.exe
Resource
win7v20210408
General
-
Target
10000.exe
-
Size
184KB
-
MD5
c1a7af5210aa95abf7a60c9234edfef3
-
SHA1
775030fd15d38116673a8758ececd8e091a4dc86
-
SHA256
dd825f982712b6519ee45d665ca88adbabba747f45c645b8caeada2d8fe79b38
-
SHA512
85ee399b7a2fad74c69f55ecdd781407adce29fcdb585abaf32dc2123f7b29d0f048cfb0cdaf598139742ccec3c27d60dc89e2d52020dba9224d7ca883e86139
Malware Config
Extracted
formbook
4.1
3nop
http://www.jakesplacebarbers.com/3nop/
videohm.com
panache-rose.com
alnooncars-kw.com
trueblue2u.com
brussels-cafe.com
ip2c.net
influenzerr.com
rbcoq.com
zzful.com
drainthe.com
sumaholesson.com
cursosaprovados.com
genotecinc.com
dbrulhart.com
theapiarystudios.com
kensyu-kan.com
dkku88.com
tikhyper.com
aztecnort.com
homebrim.com
infinitilamp.com
leelegantflower.com
floor-space.investments
vidasustentavel.online
wholehearteddaughters.com
vipandeep.com
mdwovzrrm.icu
592215.com
academicplumbing.com
bestveganbook.com
theservantleader.com
nazarickdeveloper.xyz
delta-wing.com
girlfriendsgarb.com
sezyz11.com
ca3construction.com
smartswitchhomeloan.net
luckytwo.agency
ministry-of-barbers.com
babbageacademy.com
informationside.com
packapp.net
spacecoasthondaevent.com
thehealthyimmunereset.com
pjcavaliere.info
trebdurham.com
zhixintonghe.com
gon2580.com
dottproject.net
snakby.com
keeponsports.com
debbiewilsondesigns.com
stagingsolutionsgroup.com
forummondialdelamerbizerte.com
garnier.red
tempestchs.com
zpxinxi.com
jam-nins.com
inclusiocg.com
msmenders.com
whachupichu.com
pursemore.com
thebusinessfitclub.com
scootgotti.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3380-122-0x0000000003010000-0x000000000303E000-memory.dmp formbook -
Suspicious use of SetThreadContext 3 IoCs
Processes:
10000.exeNETSTAT.EXEdescription pid process target process PID 3956 set thread context of 3012 3956 10000.exe Explorer.EXE PID 3956 set thread context of 3012 3956 10000.exe Explorer.EXE PID 3380 set thread context of 3012 3380 NETSTAT.EXE Explorer.EXE -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
NETSTAT.EXEpid process 3380 NETSTAT.EXE -
Modifies registry class 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
10000.exeNETSTAT.EXEpid process 3956 10000.exe 3956 10000.exe 3956 10000.exe 3956 10000.exe 3956 10000.exe 3956 10000.exe 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE 3380 NETSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3012 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
10000.exeNETSTAT.EXEpid process 3956 10000.exe 3956 10000.exe 3956 10000.exe 3956 10000.exe 3380 NETSTAT.EXE 3380 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
10000.exeExplorer.EXENETSTAT.EXEdescription pid process Token: SeDebugPrivilege 3956 10000.exe Token: SeShutdownPrivilege 3012 Explorer.EXE Token: SeCreatePagefilePrivilege 3012 Explorer.EXE Token: SeShutdownPrivilege 3012 Explorer.EXE Token: SeCreatePagefilePrivilege 3012 Explorer.EXE Token: SeDebugPrivilege 3380 NETSTAT.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3012 Explorer.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Explorer.EXENETSTAT.EXEdescription pid process target process PID 3012 wrote to memory of 3380 3012 Explorer.EXE NETSTAT.EXE PID 3012 wrote to memory of 3380 3012 Explorer.EXE NETSTAT.EXE PID 3012 wrote to memory of 3380 3012 Explorer.EXE NETSTAT.EXE PID 3380 wrote to memory of 1704 3380 NETSTAT.EXE cmd.exe PID 3380 wrote to memory of 1704 3380 NETSTAT.EXE cmd.exe PID 3380 wrote to memory of 1704 3380 NETSTAT.EXE cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10000.exe"C:\Users\Admin\AppData\Local\Temp\10000.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\10000.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1704-123-0x0000000000000000-mapping.dmp
-
memory/3012-117-0x0000000006010000-0x0000000006144000-memory.dmpFilesize
1.2MB
-
memory/3012-119-0x0000000006150000-0x000000000629C000-memory.dmpFilesize
1.3MB
-
memory/3012-126-0x00000000062A0000-0x00000000063DD000-memory.dmpFilesize
1.2MB
-
memory/3380-120-0x0000000000000000-mapping.dmp
-
memory/3380-121-0x0000000000AD0000-0x0000000000ADB000-memory.dmpFilesize
44KB
-
memory/3380-122-0x0000000003010000-0x000000000303E000-memory.dmpFilesize
184KB
-
memory/3380-124-0x00000000035E0000-0x0000000003900000-memory.dmpFilesize
3.1MB
-
memory/3380-125-0x0000000003440000-0x00000000034D3000-memory.dmpFilesize
588KB
-
memory/3956-115-0x00000000012A0000-0x00000000015C0000-memory.dmpFilesize
3.1MB
-
memory/3956-116-0x0000000000CF0000-0x0000000000D04000-memory.dmpFilesize
80KB
-
memory/3956-118-0x00000000011B0000-0x00000000011C4000-memory.dmpFilesize
80KB