Analysis
- max time kernel: 161s
- max time network: 157s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 13:38
Behavioral task
- behavioral1
- Sample: o.exe
- Resource: win7-en-20211208
(The header above describes the windows10_x64 run; the YARA hit in the Signatures section is recorded under behavioral2.)
General
- Target: o.exe
- Size: 188KB
- MD5: 5f625c29e0ab782363acad948b13374f
- SHA1: af2cb912c0d8c6eb43ade7940dbb56815d9c79a6
- SHA256: e38ab4998d2ec00aef052328a9a289a9a96ab45fb52a49b81a223068b0f5899c
- SHA512: ec409199c648bf6feec2eda0b00b959384a72942f7a3451a9e5a2889e7250b9595a765a0d4fc4cd2a8a2d8e9884d3bc4610cdc2d9cf538a945371f5a07cdabe5
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: je16
- Domains (65; Formbook configs list the campaign's live C2 together with decoy domains the bot also contacts):
antonavt.com
sdfvlog.xyz
xn--arbetslivsaktren-ywb.com
propelcolor.com
uniqueclsssiccars.com
colorbells.com
synjive.com
cloudymellows.com
walltage.com
qterps.com
kezorup.online
soakedindelight.online
thefirstgroupscam.biz
miclanka.com
mwm-security.com
trinksaifenradiodocumentary.com
spineklinik.com
javacodecafe.com
groovyrelease-toknowtoday.info
ventadesillasymesas.com
metaheaven.global
supershhhbros.com
tradecardsbtz.com
parcel-alert-redelivery.com
manoncollinet.com
yfsallegiance.com
my12127.com
connectedmk.com
m7ssucx.xyz
chefjeffrecipes.com
tgogziae.com
xu7d7mfh6fht.xyz
cdamanagementservices.com
tampanazareno.com
albanybestbuyers.com
cowboychannellpus.com
dreamyhousewife.com
wu8jvohkp12w.xyz
mohaisen.xyz
s-h-a-h.com
hainanmizhi.xyz
hypedrize.com
77hub.cloud
phxpowdercoating.com
vozeestore.com
infostate.store
woshinidie1990.com
riskfreeenergy.com
southernfreelancersph.com
smithstores.net
cryptopal.xyz
xk8abxci6ogf.xyz
explainersadvids.team
ponpesihsaniyah.com
szabossteakandseafood.com
willtuckfinancial.com
unitedwii.com
thenftlotterys.com
599qu.com
threegalasdesigns.com
bedplot.xyz
liquidministry.store
amazingfactsabouteverything.com
wofdex.com
wakilin.com
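The extracted config is only useful once it is normalized: punycode names such as xn--arbetslivsaktren-ywb.com appear on the wire in that ASCII form, and Formbook bundles the real C2 with decoys, so a DNS hit on any listed domain is evidence of Formbook activity rather than proof that the domain is the panel. The following added example (not part of the sandbox report) parses a config block in the shape shown above into family, version, campaign and a deduplicated domain list, decodes punycode for display, and emits one exact-match Suricata 5+ dns.query rule per domain. CONFIG_SUBSET is a constructed excerpt of the 65-domain list (with one deliberate upper-case duplicate), and the SID base is an arbitrary assumption.

```python
# Added example, not part of the sandbox report: turn an extracted Formbook
# config into normalized IoCs and Suricata 5+ DNS rules.  CONFIG_SUBSET is a
# constructed excerpt of the report's 65-domain list plus one upper-case
# duplicate; the SID base is an arbitrary assumption.
import re

CONFIG_SUBSET = """\
formbook
4.1
je16
antonavt.com
sdfvlog.xyz
xn--arbetslivsaktren-ywb.com
propelcolor.com
ANTONAVT.COM
wofdex.com
"""

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domains(domains):
    """Lower-case, strip a trailing dot, drop malformed entries, dedupe in order.

    The punycode (xn--) form is kept because that is what appears in DNS
    queries on the wire; use display_name() for the Unicode form.
    """
    seen, out = set(), []
    for raw in domains:
        dom = raw.strip().rstrip(".").lower()
        if not dom or not all(_LABEL.match(label) for label in dom.split(".")):
            continue
        if dom not in seen:
            seen.add(dom)
            out.append(dom)
    return out


def display_name(domain):
    """Decode punycode labels for analyst display."""
    return domain.encode("ascii").decode("idna")


def parse_config(text):
    """Split the extracted block into family, version, campaign and domains."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    family, version, campaign, *domains = lines
    return {"family": family, "version": version, "campaign": campaign,
            "domains": normalize_domains(domains)}


def suricata_rules(cfg, sid_base):
    """One exact-match dns.query rule per domain.

    bsize pins the whole query name, so subdomains and look-alikes such as
    xantonavt.com do not match; drop it if you want subdomain coverage.
    """
    rules = []
    for i, dom in enumerate(cfg["domains"], start=1):
        msg = f"{cfg['family']} {cfg['version']} {cfg['campaign']} config domain {dom}"
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; '
            f'content:"{dom}"; nocase; bsize:{len(dom)}; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_SUBSET)
    for dom in cfg["domains"]:
        print(dom, "->", display_name(dom))
    print("\n".join(suricata_rules(cfg, sid_base=9000000)))
```

Feed the full 65-line list from the report into parse_config for a complete rule set; the decoded form of the xn-- entry (arbetslivsaktören.com) is what a Swedish-speaking analyst would recognise, while the rules keep the ASCII form the resolver actually sees.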
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 hits)
-
Formbook Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3524-119-0x0000000000BA0000-0x0000000000BCF000-memory.dmp | formbook
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 2732 set thread context of 3032 | 2732 | o.exe | Explorer.EXE
PID 3524 set thread context of 3032 | 3524 | cmmon32.exe | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
pid | process | events
2732 | o.exe | 4
3524 | cmmon32.exe | 54
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3032 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process | events
2732 | o.exe | 3
3524 | cmmon32.exe | 2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2732 | o.exe
Token: SeDebugPrivilege | 3524 | cmmon32.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process | events
PID 3032 wrote to memory of 3524 | 3032 | Explorer.EXE | cmmon32.exe | 3
PID 3524 wrote to memory of 3888 | 3524 | cmmon32.exe | cmd.exe | 3
Processes
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\o.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\o.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    -
  C:\Windows\SysWOW64\cmmon32.exe
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\o.exe"
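Read together, the signature tables and the process tree describe one chain: o.exe (2732) sets a thread context in Explorer.EXE (3032), Explorer then launches cmmon32.exe (3524) and writes into it, cmmon32.exe sets a thread context back in Explorer and finally spawns cmd.exe (3888) to delete the original sample. The added example below (this editor's code, not the sandbox's own detection logic) reconstructs that chain from process events shaped like the report's tables; PROCS and EVENTS are constructed from the PIDs, images and command lines shown above, and the finding names are this example's own.

```python
# Added example, not the sandbox's own detection logic: reconstruct the
# injection chain from process events shaped like the report's "Processes"
# tables.  PROCS and EVENTS are constructed from the PIDs, images and command
# lines the report shows; the finding names are this example's own.
import re

# pid -> (image, parent pid, command line), from the process tree
PROCS = {
    3032: ("Explorer.EXE", None, r"C:\Windows\Explorer.EXE"),
    2732: ("o.exe", 3032, r'"C:\Users\Admin\AppData\Local\Temp\o.exe"'),
    3524: ("cmmon32.exe", 3032, r'"C:\Windows\SysWOW64\cmmon32.exe"'),
    3888: ("cmd.exe", 3524, r'/c del "C:\Users\Admin\AppData\Local\Temp\o.exe"'),
}

# (api, acting pid, target pid), in the order the report lists them
EVENTS = [
    ("SetThreadContext", 2732, 3032),
    ("SetThreadContext", 3524, 3032),
    ("WriteProcessMemory", 3032, 3524),
    ("WriteProcessMemory", 3032, 3524),
    ("WriteProcessMemory", 3032, 3524),
    ("WriteProcessMemory", 3524, 3888),
    ("WriteProcessMemory", 3524, 3888),
    ("WriteProcessMemory", 3524, 3888),
]

# cmd.exe "del" with an optionally quoted path as its last argument
_DEL = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def find_injection_chain(procs, events):
    """Return (finding, acting pid, subject pid) tuples."""
    findings, seen_writes = [], set()
    for api, src, dst in events:
        if api == "SetThreadContext" and src != dst:
            # Rewriting a thread's registers in a foreign process is the
            # hollowing / thread-hijack step; here both o.exe and cmmon32.exe
            # do it to Explorer.EXE.
            findings.append(("cross_process_thread_context", src, dst))
        elif api == "WriteProcessMemory" and (src, dst) not in seen_writes:
            seen_writes.add((src, dst))
            # Explorer.EXE does not normally write into processes it launches;
            # a hijacked Explorer staging a second host process does.
            if procs[src][0].lower() == "explorer.exe" and procs[dst][1] == src:
                findings.append(("explorer_writes_child", src, dst))
    # Self-deletion: a cmd.exe "del" aimed at the image path of a process in
    # the tree; the deleting process's parent is the actor.
    image_paths = {pid: cmd.strip('"').lower() for pid, (_, _, cmd) in procs.items()}
    for pid, (image, parent, cmdline) in procs.items():
        match = _DEL.search(cmdline)
        if image.lower() == "cmd.exe" and match:
            target = match.group(1).lower()
            for victim, path in image_paths.items():
                if path == target:
                    findings.append(("self_delete", parent, victim))
    return findings


def chain_summary(procs, findings):
    """Render findings one per line, e.g. for a ticket or timeline."""
    def name(pid):
        return f"{procs[pid][0]} ({pid})"
    return [f"{kind}: {name(a)} -> {name(b)}" for kind, a, b in findings]


if __name__ == "__main__":
    print("\n".join(chain_summary(PROCS, find_injection_chain(PROCS, EVENTS))))
```

Repeated WriteProcessMemory rows are collapsed per source/target pair, since the report's three identical entries are the same staging write seen three times; the self-delete rule keys on the path in the process tree rather than on the string "o.exe", so it also catches a renamed dropper.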
Network
MITRE ATT&CK Matrix
Downloads
memory dump | size
memory/2732-115-0x0000000001070000-0x00000000011BA000-memory.dmp | 1.3MB
memory/2732-116-0x00000000015E0000-0x00000000015F4000-memory.dmp | 80KB
memory/3032-117-0x00000000064A0000-0x00000000065E5000-memory.dmp | 1.3MB
memory/3032-122-0x00000000065F0000-0x000000000670C000-memory.dmp | 1.1MB
memory/3524-119-0x0000000000BA0000-0x0000000000BCF000-memory.dmp | 188KB
memory/3524-118-0x0000000001300000-0x000000000130C000-memory.dmp | 48KB
memory/3524-120-0x0000000004D10000-0x0000000005030000-memory.dmp | 3.1MB
memory/3524-121-0x00000000049E0000-0x0000000004B77000-memory.dmp | 1.6MB
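The dump names encode the owning PID and the region's start and end address, so the listed sizes can be recomputed rather than trusted, and a region can be matched against the sample: the only 188KB region, 3524-119 in cmmon32.exe, has the same rounded size as the 188KB sample and is the dump the formbook YARA rule matched, which is what you would expect if the sample's own image was mapped into cmmon32.exe. The added example below (this editor's code, not part of the report) parses those names and reproduces the report's size rounding; DUMPS is the report's own list.

```python
# Added example, not part of the report: parse the memory-dump names under
# "Downloads", recompute each region's size, and match regions against the
# sample's listed size.  DUMPS is the report's own list; "188KB" is the
# sample size from its General section.
import re

DUMPS = [
    "memory/2732-115-0x0000000001070000-0x00000000011BA000-memory.dmp",
    "memory/2732-116-0x00000000015E0000-0x00000000015F4000-memory.dmp",
    "memory/3032-117-0x00000000064A0000-0x00000000065E5000-memory.dmp",
    "memory/3032-122-0x00000000065F0000-0x000000000670C000-memory.dmp",
    "memory/3524-119-0x0000000000BA0000-0x0000000000BCF000-memory.dmp",
    "memory/3524-118-0x0000000001300000-0x000000000130C000-memory.dmp",
    "memory/3524-120-0x0000000004D10000-0x0000000005030000-memory.dmp",
    "memory/3524-121-0x00000000049E0000-0x0000000004B77000-memory.dmp",
]

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
_DUMP = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Return pid, sequence number, start/end addresses and size in bytes."""
    m = _DUMP.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    # Regions are page-granular; anything else means a mangled name.
    if end <= start or (end - start) % 0x1000:
        raise ValueError(f"implausible region bounds in {name}")
    return {"name": name, "pid": int(pid), "seq": int(seq),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Round the way the report does: whole KB below 1 MiB, else one-decimal MB."""
    if n < 1 << 20:
        return f"{n >> 10}KB"
    return f"{n / (1 << 20):.1f}MB"


def regions_of_size(names, label):
    """Dumps whose rounded size equals a label such as the sample's '188KB'."""
    return [d for d in map(parse_dump_name, names) if human_size(d["size"]) == label]


if __name__ == "__main__":
    for d in map(parse_dump_name, DUMPS):
        print(f'{d["name"]}  pid={d["pid"]}  {human_size(d["size"])}')
    # Only 3524-119 (cmmon32.exe), the region the formbook YARA rule hit.
    print([d["name"] for d in regions_of_size(DUMPS, "188KB")])
```

Because the size match is on rounded values, treat it as a lead to confirm by hashing or diffing the dump against the sample, not as proof on its own.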