Analysis

  • max time kernel
    147s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-08-2022 03:48

General

  • Target

    tmp.exe

  • Size

    185KB

  • MD5

    b714b6e24d1d6e4951f4c83173412575

  • SHA1

    509ae497a7349827f4bbd9085e15b9e3cfc8f53e

  • SHA256

    86741510935fc30581a17848b7d391461c8aa3c749fd8c7998682c637f7486c0

  • SHA512

    e087aea2bb327f70a83b75bc81217c1c3041bb9d7e79f915b10af3fff1a9031bf6dce0d93a5a9564b99787ec5396fae23c9f024c56d747f7230604f8048ca89d

  • SSDEEP

    3072:tdpPkgyUnaoZ3G/UeoeIkqD47iVCAErfoHgcT5mEZB25EcJZ+2FAdqh:bzFGMhkqD47i0rfgv1nU5njh

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ba17

Decoy

zoltaron.tech

exopets.online

trippingtravel.com

banded.top

shinebrightdesigns.co.uk

djlbb.com

abcsofmindfulness.com

linkaktifasialive88.club

185068.sbs

tjhongguo.com

portaldigi.store

theshoe.club

r-ceive.app

kmwww.top

search-publishing.com

banksmanlights.net

flyonthewallmovie.com

congrulations.website

trnt.store

udajabojka.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
        • Deletes itself
        PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1228-61-0x0000000000090000-0x00000000000BF000-memory.dmp
    Filesize

    188KB

  • memory/1228-57-0x0000000000000000-mapping.dmp
  • memory/1228-58-0x0000000076401000-0x0000000076403000-memory.dmp
    Filesize

    8KB

  • memory/1228-62-0x00000000023E0000-0x00000000026E3000-memory.dmp
    Filesize

    3.0MB

  • memory/1228-60-0x0000000000E00000-0x0000000000E14000-memory.dmp
    Filesize

    80KB

  • memory/1228-63-0x0000000000B70000-0x0000000000C03000-memory.dmp
    Filesize

    588KB

  • memory/1228-65-0x0000000000090000-0x00000000000BF000-memory.dmp
    Filesize

    188KB

  • memory/1384-56-0x0000000006980000-0x0000000006A83000-memory.dmp
    Filesize

    1.0MB

  • memory/1384-64-0x00000000070A0000-0x00000000071DE000-memory.dmp
    Filesize

    1.2MB

  • memory/1384-66-0x00000000070A0000-0x00000000071DE000-memory.dmp
    Filesize

    1.2MB

  • memory/1684-55-0x0000000000420000-0x0000000000434000-memory.dmp
    Filesize

    80KB

  • memory/1684-54-0x00000000007D0000-0x0000000000AD3000-memory.dmp
    Filesize

    3.0MB

  • memory/1728-59-0x0000000000000000-mapping.dmp