Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 18:56

General

  • Target

    tq9604oy0Xa6q6L.exe

  • Size

    335KB

  • MD5

    82dd8a6c5f49f0dcff5c10e62571a3c7

  • SHA1

    d4fc14325a4a3ca7fb259bbdd95ae15ee47081c1

  • SHA256

    8fcc3e95c54613cec5176ad7aabc3a5d498fb608d825f98a087ce6784fdad992

  • SHA512

    bf8cbb7befa5ab3a2716634548c118dbdd7db9e4f150a48918488272e76977480acf1d3e7059216c6fbd55859a31debb08f2d2c1d8f6d5eca9989aa4fe9d0355

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p07

Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload 4 IoCs
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\tq9604oy0Xa6q6L.exe
      "C:\Users\Admin\AppData\Local\Temp\tq9604oy0Xa6q6L.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin\AppData\Local\Temp\tq9604oy0Xa6q6L.exe
        "{path}"
        3⤵
        PID:1808
        • C:\Users\Admin\AppData\Local\Temp\tq9604oy0Xa6q6L.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1828
      • C:\Windows\SysWOW64\chkdsk.exe
        "C:\Windows\SysWOW64\chkdsk.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\tq9604oy0Xa6q6L.exe"
          3⤵
          • Deletes itself
          PID:780
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
          PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (2) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (1) T1082

Downloads

  • memory/780-72-0x0000000000000000-mapping.dmp
  • memory/1256-67-0x0000000005F80000-0x0000000006066000-memory.dmp (Filesize: 920KB)
  • memory/1256-77-0x0000000004180000-0x0000000004251000-memory.dmp (Filesize: 836KB)
  • memory/1256-70-0x0000000006070000-0x0000000006157000-memory.dmp (Filesize: 924KB)
  • memory/1828-59-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
  • memory/1828-69-0x00000000002B0000-0x00000000002C4000-memory.dmp (Filesize: 80KB)
  • memory/1828-61-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
  • memory/1828-62-0x000000000041E2D0-mapping.dmp
  • memory/1828-64-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
  • memory/1828-65-0x0000000000850000-0x0000000000B53000-memory.dmp (Filesize: 3.0MB)
  • memory/1828-66-0x00000000001E0000-0x00000000001F4000-memory.dmp (Filesize: 80KB)
  • memory/1828-58-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
  • memory/1856-74-0x0000000000080000-0x00000000000AD000-memory.dmp (Filesize: 180KB)
  • memory/1856-71-0x0000000000000000-mapping.dmp
  • memory/1856-73-0x00000000003E0000-0x00000000003E7000-memory.dmp (Filesize: 28KB)
  • memory/1856-75-0x0000000001FA0000-0x00000000022A3000-memory.dmp (Filesize: 3.0MB)
  • memory/1856-76-0x0000000001E40000-0x0000000001ED3000-memory.dmp (Filesize: 588KB)
  • memory/1996-57-0x0000000004680000-0x00000000046BA000-memory.dmp (Filesize: 232KB)
  • memory/1996-56-0x0000000000650000-0x0000000000660000-memory.dmp (Filesize: 64KB)
  • memory/1996-54-0x0000000000110000-0x000000000016A000-memory.dmp (Filesize: 360KB)
  • memory/1996-55-0x0000000075841000-0x0000000075843000-memory.dmp (Filesize: 8KB)