formbook | c8e6840e3aa32b2f68c912e0cd09d6956863418a7bb5cd552dc2fde563d53327

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22/09/2022, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DRAFT.exe
Size

859KB
MD5

eeef1bb50b50ea56de000b58d5d1af23
SHA1

913f174bbe99536c02b13b814aece6618dd44d88
SHA256

c8e6840e3aa32b2f68c912e0cd09d6956863418a7bb5cd552dc2fde563d53327
SHA512

4845b3e98c4ab85ec65da6219464057bcd6fc3bfa0ae3f460c81c9d5bf93586f118deb433369779a3782deea9a34406830d2a7932e120b54087228ee4bf7f4bd
SSDEEP

12288:32wnbnku/zUCyxjiurvwqFrl/FeYnjSScwGlW0b:3JnTkyy2urJFJ3jJ7g

Score

10^/10

formbook d6iz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

d6iz

Decoy

FkA/Rc+zw+0paU+GEiQh+g==

u54Xp6nujzFowU4P

EOvDCsjIcMgdORQ=

AuwHDKo90fNowU4P

pgyJWSAeSn6PEafn3w==

3uX1Rw+ed9vrNQ==

jF5ap2Dv9C1PwGrd2Q==

HO748Nunv9ftKA==

Y3nTdCLF3gspa0+HEiQh+g==

sTcJEshxAzXL5wGzPaA=

E/w4u2Vb6henwGrd2Q==

HyiDPgQFmbk/EuMX3D7NrWLX0XU=

E2QDkA/Sapg7+GJV8ULKrGLX0XU=

OSgyD3k1WHd+8vQc48OmEfvTww==

AVwcD5BnNY6o588P2A==

OghAuUYpwNlqf3CtJsAyRL5h

qQbNBg5d+StQ22hVZXWVOK0=

/+bLGhaIK8gdORQ=

2EwZLB/UCA4=

he9L+LfD0TAFfsIA0Q==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	1204	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	DRAFT.exe

Loads dropped DLL 1 IoCs

pid	Process
1204	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 1332	2020	DRAFT.exe	32
PID 1332 set thread context of 1404	1332	DRAFT.exe	16
PID 1204 set thread context of 1404	1204	msiexec.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1052	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2020	DRAFT.exe
2020	DRAFT.exe
840	powershell.exe
1332	DRAFT.exe
1332	DRAFT.exe
1332	DRAFT.exe
1332	DRAFT.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1332	DRAFT.exe
1332	DRAFT.exe
1332	DRAFT.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	DRAFT.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1332	DRAFT.exe
Token: SeDebugPrivilege	1204	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 840	2020	DRAFT.exe	28
PID 2020 wrote to memory of 840	2020	DRAFT.exe	28
PID 2020 wrote to memory of 840	2020	DRAFT.exe	28
PID 2020 wrote to memory of 840	2020	DRAFT.exe	28
PID 2020 wrote to memory of 1052	2020	DRAFT.exe	30
PID 2020 wrote to memory of 1052	2020	DRAFT.exe	30
PID 2020 wrote to memory of 1052	2020	DRAFT.exe	30
PID 2020 wrote to memory of 1052	2020	DRAFT.exe	30
PID 2020 wrote to memory of 1332	2020	DRAFT.exe	32
PID 2020 wrote to memory of 1332	2020	DRAFT.exe	32
PID 2020 wrote to memory of 1332	2020	DRAFT.exe	32
PID 2020 wrote to memory of 1332	2020	DRAFT.exe	32
PID 2020 wrote to memory of 1332	2020	DRAFT.exe	32
PID 2020 wrote to memory of 1332	2020	DRAFT.exe	32
PID 2020 wrote to memory of 1332	2020	DRAFT.exe	32
PID 1404 wrote to memory of 1204	1404	Explorer.EXE	61
PID 1404 wrote to memory of 1204	1404	Explorer.EXE	61
PID 1404 wrote to memory of 1204	1404	Explorer.EXE	61
PID 1404 wrote to memory of 1204	1404	Explorer.EXE	61
PID 1404 wrote to memory of 1204	1404	Explorer.EXE	61
PID 1404 wrote to memory of 1204	1404	Explorer.EXE	61
PID 1404 wrote to memory of 1204	1404	Explorer.EXE	61
PID 1204 wrote to memory of 1548	1204	msiexec.exe	64
PID 1204 wrote to memory of 1548	1204	msiexec.exe	64
PID 1204 wrote to memory of 1548	1204	msiexec.exe	64
PID 1204 wrote to memory of 1548	1204	msiexec.exe	64
PID 1204 wrote to memory of 1548	1204	msiexec.exe	64

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
  "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VJZbyPULlZx.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VJZbyPULlZx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp932C.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1052
- - C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
    "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1640
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1796
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:636
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:552
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1816
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1828
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:540
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1072
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:816
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1040
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1368
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1328
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1480
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1512
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:676
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1736
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1988
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:576
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1112
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1732
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1964
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1760
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:812
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2000
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1908
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1196
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:288
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp932C.tmp

Filesize
1KB

MD5
5d873070ceef323a791029fa897b225e

SHA1
261646755f21d5940d899702f93e6204c4176df4

SHA256
0330ccb059fe29fcc666ad967cb4949ef0a3a7ce81522fc4b805570cf0fd30b8

SHA512
4337aea2452e1256bdd46c2e98a06d5fd5f2a8d7de0a1ea1fbffacacc2b5d9e48d9b60d78e1d9d9160781b1d9348d40940c1bfb66ac78598d432bd51d02e518b

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
902KB

MD5
50338cc1fa2582fa0cad8a8fa7ceb4d2

SHA1
ae697ef05b6bec38fb79ff4512ae50a303dcdbce

SHA256
0815a80fa73286d8c6bf0982471c61833821d9f10a20612deaa134562e7a3cda

SHA512
02a006e26b1d08cb53a4b3dab23ce6a6756a7275f8b3ef00b7412f10cff75411685a3542c5dc330dad7c9f7ff26288a2e94254d00bf53c1394e7252e000c9a61

Download Submit
memory/840-77-0x000000006E9E0000-0x000000006EF8B000-memory.dmp

Filesize
5.7MB

Download
memory/840-73-0x000000006E9E0000-0x000000006EF8B000-memory.dmp

Filesize
5.7MB

Download
memory/1204-80-0x0000000000FD0000-0x0000000000FE4000-memory.dmp

Filesize
80KB

Download
memory/1204-85-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1204-83-0x0000000000B90000-0x0000000000C1F000-memory.dmp

Filesize
572KB

Download
memory/1204-82-0x00000000023F0000-0x00000000026F3000-memory.dmp

Filesize
3.0MB

Download
memory/1204-81-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1332-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-72-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1332-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-74-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1332-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-75-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/1332-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-76-0x0000000004230000-0x0000000004321000-memory.dmp

Filesize
964KB

Download
memory/1404-84-0x0000000004C70000-0x0000000004D30000-memory.dmp

Filesize
768KB

Download
memory/1404-86-0x0000000004C70000-0x0000000004D30000-memory.dmp

Filesize
768KB

Download
memory/2020-54-0x0000000001300000-0x00000000013DC000-memory.dmp

Filesize
880KB

Download
memory/2020-58-0x0000000007FE0000-0x000000000806E000-memory.dmp

Filesize
568KB

Download
memory/2020-56-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/2020-57-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2020-63-0x00000000048F0000-0x0000000004924000-memory.dmp

Filesize
208KB

Download
memory/2020-55-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download