Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
07-06-2022 16:00
General
-
Target
aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe
-
Size
328KB
-
MD5
23e421072b6ebe8b53fde252e6990340
-
SHA1
9a9f0b8fc33435bb8c29c55ff261b88e8b96eafa
-
SHA256
aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38
-
SHA512
6a0ce5b2494eacdec720e107605f95c2058fe75f8a52d72783b8dbbc2d9072a694c9a0f9eec07afc8e441fe2a88237121a2784c3f92ab44b622fc5938dc4d468
Malware Config
Extracted
formbook
4.1
g14s
highnessmagazine.com
mokeyshop.com
remotedesktop.xyz
bicielettrica.xyz
addoncarzspa.com
ironesteem.com
asset-management-int.com
newportnewsaccounting.com
seriesyonkis2.com
hhivac.com
shrmgattlnow.com
yangzhenyu1.xyz
prettylittlenail.com
phyform.com
fggloballlc.com
gamecentertx.com
apriltoken.com
agalign.com
jointventurecoop.club
pengqianyue.tech
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 5 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 55 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe"C:\Users\Admin\AppData\Local\Temp\aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe"2⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\aa603a1e4874a19e331322ac204fdc615b9e2c8eff810336a9540d4c7c5d0d38.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exeC:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe C:\Users\Admin\AppData\Local\Temp\lafzmxlg4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exeC:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe C:\Users\Admin\AppData\Local\Temp\lafzmxlg5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
184KB
MD539caefe2282d6b8c0eef7d657db7c154
SHA1cc6604f9985ae1a05f034f799dd6ee550be1d7e8
SHA25647fc6884f3dee9dfd8def2b3b5f0c38856c0eef9f0c005fd02fef0c1344592f2
SHA512930bb809904ff5f27420b1ae1a0005ee73b9383e21a41dbd93dbd18f4048c1bfcebbff1b6a189eb63444cd876e95b11c8c346bfa7166f4ddd172fcadbbf73cd5
-
Filesize
288KB
MD5f3369e93b9a197294c8ede7e84c1c382
SHA132f59edb66c19b0c483e36326f59ad374231ac58
SHA2564953b485a81de69f30981b5b8a9a2e65aff9be557c3e9b19c8b052f00eadfc4c
SHA5122253461239a4341c8fe9fe6bc825834e4350b0e796c9308a885144a7af37af7782f4793ff0f68e941262aa037b27666e01233e3811ce576ebbe12438dcf5c34f
-
Filesize
288KB
MD5f3369e93b9a197294c8ede7e84c1c382
SHA132f59edb66c19b0c483e36326f59ad374231ac58
SHA2564953b485a81de69f30981b5b8a9a2e65aff9be557c3e9b19c8b052f00eadfc4c
SHA5122253461239a4341c8fe9fe6bc825834e4350b0e796c9308a885144a7af37af7782f4793ff0f68e941262aa037b27666e01233e3811ce576ebbe12438dcf5c34f
-
Filesize
5KB
MD5bce94db7c34663df2cbd9246ff73a348
SHA17ae61ec3e2de7736c42059f798e33950b558e6b4
SHA25639220e3264b8bd27e6980a0edee02315c1a42e88181b8dc107122cd5d1590b29
SHA512f9d3fd89a54648cebfacfe1f2f12310b438fb53e8f1eb65fab70ac56ea94da8c72eb239e50da8160a4217f723f0727aa44434b65ebe6c3356a11194d328690e2
-
Filesize
57KB
MD51690cff1fe9dbef048f6e7dbe3cbf586
SHA1fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b
SHA256187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077
SHA512f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22
-
Filesize
57KB
MD51690cff1fe9dbef048f6e7dbe3cbf586
SHA1fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b
SHA256187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077
SHA512f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22
-
Filesize
57KB
MD51690cff1fe9dbef048f6e7dbe3cbf586
SHA1fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b
SHA256187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077
SHA512f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.5MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
-
Filesize
188KB
-
-
Filesize
1.6MB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
188KB
-
Filesize
3.1MB
-
Filesize
188KB
-
Filesize
1.6MB
-
Filesize
100KB
-
Filesize
1.6MB
-