Analysis

  • max time kernel: 146s
  • max time network: 138s
  • platform: windows10_x64
  • resource: win10-en
  • submitted: 16-09-2021 05:47

General

  • Target: 4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7.exe
  • Size: 436KB
  • MD5: 9284392fd96b31b3de8d8f664de3f0e4
  • SHA1: 9b2e8d834a7e50ec7e674433d019dbd19996036c
  • SHA256: 4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7
  • SHA512: 61efcc329ba8f50c32de43ba0bfc66e6591158c12fcb095dfa3652e54fc799255a49e44c62f2022b807d51b432050f85d94a172dc0e186af40a21e3848c7c922

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: o4ms
  • C2: http://www.nocodehost.com/o4ms/

Decoy


Signatures

  • Formbook

    Formbook is data-stealing malware.

  • Formbook Payload (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7.exe
    "C:\Users\Admin\AppData\Local\Temp\4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7.exe
      "C:\Users\Admin\AppData\Local\Temp\4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\browse\browse.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\browse\browse.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:4352
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7.exe" "C:\Users\Admin\AppData\Roaming\browse\browse.exe"
      2⤵
      PID:4060
    • C:\Users\Admin\AppData\Roaming\browse\browse.exe
      C:\Users\Admin\AppData\Roaming\browse\browse.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task (1) T1053
  • Persistence: Scheduled Task (1) T1053
  • Privilege Escalation: Scheduled Task (1) T1053
  • Discovery: System Information Discovery (1) T1082


Downloads

  • C:\Users\Admin\AppData\Roaming\browse\browse.exe
    MD5: 9284392fd96b31b3de8d8f664de3f0e4
    SHA1: 9b2e8d834a7e50ec7e674433d019dbd19996036c
    SHA256: 4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7
    SHA512: 61efcc329ba8f50c32de43ba0bfc66e6591158c12fcb095dfa3652e54fc799255a49e44c62f2022b807d51b432050f85d94a172dc0e186af40a21e3848c7c922

  • memory/2256-136-0x0000000004B40000-0x0000000004B41000-memory.dmp (Filesize 4KB)
  • memory/2256-130-0x0000000000260000-0x0000000000261000-memory.dmp (Filesize 4KB)
  • memory/4060-126-0x0000000000000000-mapping.dmp
  • memory/4332-125-0x0000000000000000-mapping.dmp
  • memory/4352-127-0x0000000000000000-mapping.dmp
  • memory/4724-120-0x0000000005260000-0x0000000005261000-memory.dmp (Filesize 4KB)
  • memory/4724-121-0x00000000055A0000-0x00000000055A1000-memory.dmp (Filesize 4KB)
  • memory/4724-115-0x0000000000C70000-0x0000000000C71000-memory.dmp (Filesize 4KB)
  • memory/4724-119-0x0000000005270000-0x0000000005271000-memory.dmp (Filesize 4KB)
  • memory/4724-118-0x0000000005150000-0x0000000005151000-memory.dmp (Filesize 4KB)
  • memory/4724-117-0x0000000005770000-0x0000000005771000-memory.dmp (Filesize 4KB)
  • memory/4824-124-0x0000000001790000-0x0000000001AB0000-memory.dmp (Filesize 3.1MB)
  • memory/4824-123-0x000000000041EAB0-mapping.dmp
  • memory/4824-122-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)