Analysis
-
max time kernel
134s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-07-2022 13:29
General
-
Target
4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe
-
Size
272KB
-
MD5
3c17caa9d17af995510b24b8481a8c49
-
SHA1
0a84e1c55247d791756f7f564bec1d99599282c1
-
SHA256
4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6
-
SHA512
a251960ccc5f82834bfaf97a9c3a7d00a7613e5b8cc004ffa7e8e05ed22fbfd01a8cbece925013cf4dfd601c05cdfc5278e03cd064e3f2710ae24770da75a038
Malware Config
Extracted
formbook
3.8
c100
pipegas.site
financemedianews24.com
fucome.net
zjzy2008.com
prettypeonyweddings.com
experientialcentre.com
unitrvl.net
hostracoin.com
empreintevocaletd.com
3564tabardln.info
hello-cheese.com
adserver4m3.com
nashuanhinteriordesign.com
taughtnot.com
manx641.com
loanplanner.net
freelanceunderground.com
rungoplushtoys.com
mariahsmccarthy.com
butterfliesandblueskies.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe"C:\Users\Admin\AppData\Local\Temp\4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe"C:\Users\Admin\AppData\Local\Temp\4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\captaincy.dllFilesize
70KB
MD5b274c1ed9903070c97864eaa917bf273
SHA1685e7d1ad7f272cebb4561c5044bb2af227894bc
SHA256ff9077e745e9b2e8f75793280efadd1dd3b921e79fc21311440d79ec4cd7795a
SHA512d075d5c75d98f5b298f329b8f3bd93d38737b24105519b5fee2463122f423c1e9f77b6acf9aa71d5bf2d5fb94b9f36cee12905389a1372498857bcdb5f20e3e7
-
C:\Users\Admin\AppData\Local\Temp\captaincy.dllFilesize
70KB
MD5b274c1ed9903070c97864eaa917bf273
SHA1685e7d1ad7f272cebb4561c5044bb2af227894bc
SHA256ff9077e745e9b2e8f75793280efadd1dd3b921e79fc21311440d79ec4cd7795a
SHA512d075d5c75d98f5b298f329b8f3bd93d38737b24105519b5fee2463122f423c1e9f77b6acf9aa71d5bf2d5fb94b9f36cee12905389a1372498857bcdb5f20e3e7
-
C:\Users\Admin\AppData\Local\Temp\nsn5CBC.tmp\System.dllFilesize
11KB
MD575ed96254fbf894e42058062b4b4f0d1
SHA1996503f1383b49021eb3427bc28d13b5bbd11977
SHA256a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA51258174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
-
memory/3136-133-0x0000000030860000-0x0000000030876000-memory.dmpFilesize
88KB
-
memory/3408-134-0x0000000000000000-mapping.dmp
-
memory/3408-135-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/3408-136-0x0000000000A50000-0x0000000000D9A000-memory.dmpFilesize
3.3MB