Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    177KB

  • Sample

    220725-hn9w3abadk

  • MD5

    90f6fded7e723bec5f87d99310c4d6c7

  • SHA1

    45a628682111c4d4e1fc1adcf86abb4f112f6f5a

  • SHA256

    b17e291e0dde8310125a67358658010ed0f6ac6131d8bca2373343405c4e68d7

  • SHA512

    fd1189d46eb87c61e6c51a3588aed67ff3029f8d59d86761aa8f72f21eaf479751a0fe5d7b984cbb5016f3cf0188a1bda9c3b354717305ed79a0f4f080634541

Score
10/10
persistencesuricata

Malware Config

Targets

    • Target

      tmp

    • Size

      177KB

    • MD5

      90f6fded7e723bec5f87d99310c4d6c7

    • SHA1

      45a628682111c4d4e1fc1adcf86abb4f112f6f5a

    • SHA256

      b17e291e0dde8310125a67358658010ed0f6ac6131d8bca2373343405c4e68d7

    • SHA512

      fd1189d46eb87c61e6c51a3588aed67ff3029f8d59d86761aa8f72f21eaf479751a0fe5d7b984cbb5016f3cf0188a1bda9c3b354717305ed79a0f4f080634541

    Score
    10/10
    persistencesuricata

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks