Analysis
- max time kernel: 148s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 09-04-2022 16:46
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220331-en
General
- Target: tmp.exe
- Size: 1.5MB
- MD5: a1c4645815d0ab06831f62042cfa0da0
- SHA1: e3ce2d0fc9bd18ab30d589f052edce9ca410f2ee
- SHA256: a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399
- SHA512: a34d0c18b833f36e0698e2396270a43ed93d5d2839fa94753ad5fa4e4bf9ec8ecfb3d38f17c0384f30dde1d838c1cf462a40f14da8f430788e5e51cd0162e020
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: nff
- C2 (65 entries below). Formbook configs carry one live C2 host among a list of decoy domains that the bot also contacts, so treat these as correlation candidates, not a confirmed-malicious blocklist:
shinseikai.site
creditmystartup.com
howtovvbucks.com
betterfromthebeginning.com
oubacm.com
stonalogov.com
gentrypartyof8.com
cuesticksandsupplies.com
joelsavestheday.com
llanobnb.com
ecclogic.com
miempaque.com
cai23668.com
miscdr.net
twzhhq.com
bloomandbrewcafe.com
angcomleisure.com
mafeeboutique.com
300coin.club
brooksranchhomes.com
konversiondigital.com
dominivision.com
superiorshinedetailing.net
thehomechef.global
dating-web.site
gcbsclubc.com
mothererph.com
pacleanfuel.com
jerseryshorenflflagfootball.com
roberthyatt.com
wwwmacsports.com
tearor.com
american-ai.com
mkyiyuan.com
gempharmatechllc.com
verdijvtc.com
zimnik-bibo.one
heatherdarkauthor.net
dunn-labs.com
automotivevita.com
bersatubagaidulu.com
gorillarecruiting.com
mikecdmusic.com
femuveewedre.com
onyxmodsllc.com
ooweesports.com
dezeren.com
foeweifgoor73dz.com
sorchaashe.com
jamiitulivu.com
jifengshijie.com
ranchfiberglas.com
glendalesocialmediaagency.com
icuvietnam.com
404hapgood.com
planetturmeric.com
danfrem.com
amazonautomationbusiness.com
switchfinder.com
diversifiedforest.com
findnehomes.com
rsyueda.com
colombianmatrimony.com
evan-dawson.info
yellow-wink.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)
-
Formbook Payload 3 IoCs
YARA rule "formbook" matched the following memory regions:
- behavioral2/memory/3160-137-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral2/memory/3160-139-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral2/memory/4388-145-0x00000000008F0000-0x000000000091E000-memory.dmp
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (tmp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (tmp.exe)
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (tmp.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (tmp.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 4268 (tmp.exe) set thread context of PID 3160 (tmp.exe)
- PID 3160 (tmp.exe) set thread context of PID 1552 (Explorer.EXE)
- PID 4388 (NETSTAT.EXE) set thread context of PID 1552 (Explorer.EXE)
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
- PID 4388 NETSTAT.EXE
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes:
- PID 4268 tmp.exe (1 event)
- PID 3160 tmp.exe (4 events)
- PID 4388 NETSTAT.EXE (40 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 1552 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- PID 3160 tmp.exe (3 events)
- PID 4388 NETSTAT.EXE (2 events)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 4268 tmp.exe
- Token: SeDebugPrivilege, PID 3160 tmp.exe
- Token: SeDebugPrivilege, PID 4388 NETSTAT.EXE
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 4268 (tmp.exe) wrote to memory of PID 3160 (tmp.exe) (6 events)
- PID 1552 (Explorer.EXE) wrote to memory of PID 4388 (NETSTAT.EXE) (3 events)
- PID 4388 (NETSTAT.EXE) wrote to memory of PID 3128 (cmd.exe) (3 events)
Processes
-
C:\Windows\Explorer.EXE (PID 1552, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4268, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 3160, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\NETSTAT.EXE (PID 4388, depth 2)
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe (PID 3128, depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
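Read together, the SetThreadContext, WriteProcessMemory and registry tables above describe one chain: tmp.exe (PID 4268) reads BIOS and disk-enumeration keys to fingerprint the sandbox, writes into and rewrites the thread context of a second copy of itself (PID 3160), that copy sets the thread context of Explorer.EXE (PID 1552), Explorer launches and writes into NETSTAT.EXE (PID 4388), NETSTAT.EXE sets Explorer's thread context again, and finally NETSTAT.EXE spawns cmd.exe to delete the original sample. The script below is an added example, not output or code from the sandbox, that runs detection logic for exactly that chain over a constructed event list built from the report's PIDs, image paths and registry keys. The event field names (type, pid, ppid, image, cmdline, key, target) are an assumed Sysmon-like shape rather than the sandbox's schema, the rule names are chosen here, and PID 1552's parent PID 0 is a placeholder.

```python
import re

# Constructed event stream modelled on this report's process tree and IoCs.
# PIDs, image paths and registry keys are copied from the report; the event
# field names are an assumed Sysmon-like shape, not the sandbox's own schema.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
NETSTAT = r"C:\Windows\SysWOW64\NETSTAT.EXE"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS = [
    {"type": "process_create", "pid": 1552, "ppid": 0, "image": EXPLORER, "cmdline": EXPLORER},
    {"type": "process_create", "pid": 4268, "ppid": 1552, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 4268,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "registry_query", "pid": 4268,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "registry_query", "pid": 4268,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0"},
    {"type": "process_create", "pid": 3160, "ppid": 4268, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "write_process_memory", "pid": 4268, "target": 3160},
    {"type": "set_thread_context", "pid": 4268, "target": 3160},   # hollowed copy of itself
    {"type": "set_thread_context", "pid": 3160, "target": 1552},   # into Explorer.EXE
    {"type": "process_create", "pid": 4388, "ppid": 1552, "image": NETSTAT, "cmdline": f'"{NETSTAT}"'},
    {"type": "write_process_memory", "pid": 1552, "target": 4388},
    {"type": "set_thread_context", "pid": 4388, "target": 1552},   # NETSTAT.EXE into Explorer.EXE
    {"type": "process_create", "pid": 3128, "ppid": 4388, "image": CMD,
     "cmdline": f'/c del "{SAMPLE}"'},
]

# Registry paths this report shows being read for sandbox/VM fingerprinting
# (lower-cased substrings; the report's own spelling of "disk" varies in case).
ANTI_ANALYSIS_KEYS = (
    r"hardware\description\system\systembiosversion",
    r"hardware\description\system\videobiosversion",
    r"services\disk\enum",
)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
DEL_CMD = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.I)


def analyse(events):
    """Return (rule, pid, detail) findings for one process trace."""
    procs = {}        # pid -> {"ppid": int, "image": str}
    written = set()   # (source pid, target pid) pairs seen in WriteProcessMemory
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            procs[ev["pid"]] = {"ppid": ev["ppid"], "image": ev["image"]}
            m = DEL_CMD.search(ev["cmdline"])
            if m and ev["image"].lower().endswith("\\cmd.exe"):
                victim = m.group(1)
                # cmd.exe deleting a binary that executed earlier in this trace:
                # the sample cleaning up after handing execution to other processes.
                if any(p["image"].lower() == victim.lower() for p in procs.values()):
                    findings.append(("sample_self_delete", ev["pid"], victim))
        elif kind == "registry_query":
            image = procs.get(ev["pid"], {}).get("image", "")
            key = ev["key"].lower()
            # A binary run from a user temp directory reading VM/BIOS fingerprint keys.
            if USER_TEMP.match(image) and any(k in key for k in ANTI_ANALYSIS_KEYS):
                findings.append(("anti_analysis_registry_read", ev["pid"], ev["key"]))
        elif kind == "write_process_memory":
            written.add((ev["pid"], ev["target"]))
        elif kind == "set_thread_context":
            src, dst = procs.get(ev["pid"]), procs.get(ev["target"])
            if not src or not dst:
                continue
            if (dst["ppid"] == ev["pid"] and dst["image"].lower() == src["image"].lower()
                    and (ev["pid"], ev["target"]) in written):
                # Wrote into, then redirected, a freshly created copy of itself.
                findings.append(("self_hollowing", ev["pid"], ev["target"]))
            elif dst["ppid"] != ev["pid"]:
                # Thread context rewritten in a process the source did not create.
                findings.append(("set_thread_context_foreign_process", ev["pid"], ev["target"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:36} pid={pid} {detail}")
```

The self-hollowing rule deliberately requires a prior WriteProcessMemory into the same child before SetThreadContext fires, which is the pairing the report shows for 4268 to 3160; the foreign-process rule catches both the tmp.exe copy and NETSTAT.EXE redirecting Explorer.EXE, a process neither of them created. On real telemetry, SetThreadContext is not a native Sysmon event, so the corresponding signal is usually a process-access event with thread-control rights; the rules above are the logic, not a drop-in Sysmon config.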
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The three 184KB regions (3160-137, 3160-139 and 4388-145) are the ones the formbook YARA rule matched under Signatures; the mapping.dmp entries carry no size.
- memory/1552-149-0x00000000026C0000-0x0000000002758000-memory.dmp (608KB)
- memory/1552-142-0x0000000007B20000-0x0000000007C32000-memory.dmp (1.1MB)
- memory/3128-146-0x0000000000000000-mapping.dmp
- memory/3160-139-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/3160-141-0x0000000001500000-0x0000000001514000-memory.dmp (80KB)
- memory/3160-140-0x00000000011B0000-0x00000000014FA000-memory.dmp (3.3MB)
- memory/3160-136-0x0000000000000000-mapping.dmp
- memory/3160-137-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/4268-134-0x0000000007900000-0x000000000799C000-memory.dmp (624KB)
- memory/4268-135-0x000000000D490000-0x000000000D4F6000-memory.dmp (408KB)
- memory/4268-130-0x0000000000850000-0x00000000009DA000-memory.dmp (1.5MB)
- memory/4268-133-0x0000000005370000-0x000000000537A000-memory.dmp (40KB)
- memory/4268-132-0x0000000005390000-0x0000000005422000-memory.dmp (584KB)
- memory/4268-131-0x0000000005A40000-0x0000000005FE4000-memory.dmp (5.6MB)
- memory/4388-143-0x0000000000000000-mapping.dmp
- memory/4388-144-0x0000000000870000-0x000000000087B000-memory.dmp (44KB)
- memory/4388-145-0x00000000008F0000-0x000000000091E000-memory.dmp (184KB)
- memory/4388-147-0x0000000001080000-0x00000000013CA000-memory.dmp (3.3MB)
- memory/4388-148-0x00000000013D0000-0x0000000001463000-memory.dmp (588KB)