Analysis
- max time kernel: 148s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 24-11-2021 15:56
Behavioral task: behavioral1
- Sample: 9.exe
- Resource: win7-en-20211104
General
- Target: 9.exe
- Size: 188KB
- MD5: dac650b23c4aba94eaf5caaeead3319c
- SHA1: 229458c66c9555a3d61ae980708357f093c5e6b8
- SHA256: bc8cabab3ec65da43b8c3e708ed9f9745757523041ef62e450b6fea48fae50e1
- SHA512: a6cdb8b8944686f87afb3763d37774d98b4f05ad7ee694490d67c4e00f007ffab33b02f006b0e782ee67be085b97183d0020181621d879c80463669efd407bb5
Malware Config (extracted)
- Family: formbook
- Version: 4.1
- Campaign: w6ya
- C2 URL: http://www.truth-capturemachine.com/w6ya/
- Decoy domains:
auden-audio.com
zombieodyssey.com
hdpthg.com
toddtechnical.com
njsdgz.com
yieldfarm.world
guardsveirfynews.net
atmamandir.info
eskisehirtostcusu.online
arrozz.net
v99king.win
jaxonboxing.com
morganevans.net
syandeg.com
valleyofplants.com
corsosportorico.com
tak.support
blacktgpc.com
herdpetshop.com
iifkvhns.xyz
notredameapartmentsnh.com
sourcefogrge.net
fattails.net
hybridleadershiptheory.com
lyymbeautysalon.com
pnia8889789.com
hagklp.com
unmaskingyourheart.com
xcyweb.com
brokerdeck.com
firstmediainternet.biz.id
charlottelawrencecoaching.com
metyon.xyz
aceshiprecycling.net
site4education.com
lmecgpllc.com
glutenfreebud.com
fxy-9cc6.biz
smoothingcapacitors.com
acrylicblanktoppers.com
onetzrot.com
globalfibreimpact.com
idahod3marchingfestival.com
expediom.com
soupyz.com
baremetal.tools
malagacatalogo.com
fuzitavn.com
tnotchconsulting.com
rocfilings.online
belozza.com
razn.xyz
creatormike.com
mehmetatalay.xyz
nh-netsol23.com
muland.website
baishshop.com
newday-newbeginning.com
evautoscam.com
larasgifts.com
jalilcc.com
spiraentertainment.com
mirasms.online
clippingup.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (1 IoC)
resource | yara_rule
behavioral1/memory/1116-60-0x0000000000070000-0x000000000009F000-memory.dmp | formbook

Deletes itself (1 IoC)
pid | process
1664 | cmd.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | target process
PID 1048 set thread context of 1220 | 1048 | 9.exe | Explorer.EXE
PID 1116 set thread context of 1220 | 1116 | cscript.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid | process | entries
1048 | 9.exe | 2
1116 | cscript.exe | 28

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
1220 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | entries
1048 | 9.exe | 3
1116 | cscript.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1048 | 9.exe
Token: SeDebugPrivilege | 1116 | cscript.exe
Token: SeShutdownPrivilege | 1220 | Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process | entries
1220 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage (2 IoCs)
pid | process | entries
1220 | Explorer.EXE | 2

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | target process | entries
PID 1220 wrote to memory of 1116 | 1220 | Explorer.EXE | cscript.exe | 4
PID 1116 wrote to memory of 1664 | 1116 | cscript.exe | cmd.exe | 4
Processes
- (depth 1) C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Windows\SysWOW64\cscript.exe
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\9.exe"
      - Deletes itself
Downloads
- memory/1048-56-0x0000000000130000-0x0000000000144000-memory.dmp (filesize 80KB)
- memory/1048-55-0x0000000000950000-0x0000000000C53000-memory.dmp (filesize 3.0MB)
- memory/1116-58-0x0000000000000000-mapping.dmp
- memory/1116-59-0x00000000000D0000-0x00000000000F2000-memory.dmp (filesize 136KB)
- memory/1116-60-0x0000000000070000-0x000000000009F000-memory.dmp (filesize 188KB)
- memory/1116-61-0x0000000001F10000-0x0000000002213000-memory.dmp (filesize 3.0MB)
- memory/1116-63-0x0000000001E20000-0x0000000001EB3000-memory.dmp (filesize 588KB)
- memory/1220-57-0x00000000063F0000-0x0000000006585000-memory.dmp (filesize 1.6MB)
- memory/1220-64-0x0000000006590000-0x0000000006704000-memory.dmp (filesize 1.5MB)
- memory/1664-62-0x0000000000000000-mapping.dmp