formbook | e619a4c3b283514f6fec91b45659f766050d86117cbd75752096b719fb444b69

General

Target

RFQ PBMS 401055-STR-22.pdf.exe
Size

960KB
MD5

d53349008874b77d087eac5ee7380c5b
SHA1

676219bcf2de1c6b73a366cf880d0702cbfc6f99
SHA256

e619a4c3b283514f6fec91b45659f766050d86117cbd75752096b719fb444b69
SHA512

8fc2de3635c447216b1aad8f1dd0b41152f9debb1d53da877dfd439cfb8551e5ebebf2621c9cd2c243e87786645e2fe12cd02db256f0c70b750a6c330442adae
SSDEEP

12288:KUTQO2iNCJ2uT8ejSo+aI2PfwnlOvAsijEo9Ogi5LGXshr9lyAKp:lD1FQtO5aIqAk8oUTixWsh5lWp

Score

10^/10

formbook nworm mmtr downloader evasion rat spyware stealer trojan worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

svetanakravenova247.ddns.net:3498

Mutex

37f24ea7

Extracted

Family

formbook

Campaign

mmtr

Decoy

A2DZqKcj5ytLVZtHJA==

fMXPWQG+JWa0S6lZOg==

8kymMDxB6ShVJHxu2gshFtXY9Rw=

1TcOF6WxcdzplqFGcUCNkBY=

k3TLhZ+bOG7ahplcPA==

K4kL5Aq5abHNS6lZOg==

mXDSo9XmxlqYN6psOA==

m+RNCVT4shAb

G1kzROn+2jCug7F5psQ=

qNYsJkWzqwkZ

0BcDQuH0xt4oBh4=

pfRW4ZhmRsEiyvP2Mg==

Sqgj4eztyCg0Ezwo39iHXQ==

bIi2etJbcdUB

k2g3gBesND9hUoKOzGaVFKX6IuUaknqH1Q==

8dFDXQPnb4s+sWfhwoqOdgmABBK+YGg=

Pn9PmDzelx84EjfdzY0WkiRPz6i4

SrUfvOfNO3DMdLvB

GFXHQ9NuPdHsxOiU2umGMSiTvQE=

Kv9sdrhSbDfMdLvB

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

RFQ PBMS 401055-STR-22.pdf.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	RFQ PBMS 401055-STR-22.pdf.exe

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 2 IoCs

Processes:

tmpBE9F.tmp8Nz5fWCl2izgmL6.exetmpBE9F.tmp8Nz5fWCl2izgmL6.exe

pid process

1072 tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888 tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

pid	process
1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Loads dropped DLL 3 IoCs

Processes:

RFQ PBMS 401055-STR-22.pdf.exetmpBE9F.tmp8Nz5fWCl2izgmL6.exe

pid process

940 RFQ PBMS 401055-STR-22.pdf.exe
940 RFQ PBMS 401055-STR-22.pdf.exe
1072 tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
940	RFQ PBMS 401055-STR-22.pdf.exe
940	RFQ PBMS 401055-STR-22.pdf.exe
1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ PBMS 401055-STR-22.pdf.exetmpBE9F.tmp8Nz5fWCl2izgmL6.exetmpBE9F.tmp8Nz5fWCl2izgmL6.exe

description	pid	process	target process
PID 784 set thread context of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	RFQ PBMS 401055-STR-22.pdf.exe
PID 1072 set thread context of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 888 set thread context of 1360	888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

pid process

888 tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888 tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888 tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888 tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

pid process

888 tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

description pid process

Token: SeDebugPrivilege 888 tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

pid	process
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

pid	process
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

description	pid	process
Token: SeDebugPrivilege	888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

RFQ PBMS 401055-STR-22.pdf.exeRFQ PBMS 401055-STR-22.pdf.exetmpBE9F.tmp8Nz5fWCl2izgmL6.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe"
3⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
memory/784-54-0x0000000001080000-0x0000000001176000-memory.dmp

Filesize
984KB

Download
memory/784-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/784-56-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/784-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/784-59-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/784-58-0x0000000005190000-0x00000000051F4000-memory.dmp

Filesize
400KB

Download
memory/888-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-98-0x00000000004012B0-mapping.dmp

Download
memory/888-105-0x00000000000E0000-0x00000000000F0000-memory.dmp

Filesize
64KB

Download
memory/888-102-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/888-104-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/940-80-0x0000000005630000-0x0000000005664000-memory.dmp

Filesize
208KB

Download
memory/940-66-0x000000000040553E-mapping.dmp

Download
memory/940-78-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/940-81-0x00000000056F0000-0x000000000573A000-memory.dmp

Filesize
296KB

Download
memory/940-82-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/940-77-0x0000000004FD0000-0x0000000005018000-memory.dmp

Filesize
288KB

Download
memory/940-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-76-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/940-75-0x00000000059E0000-0x0000000005CC2000-memory.dmp

Filesize
2.9MB

Download
memory/940-74-0x0000000004A50000-0x0000000004AAE000-memory.dmp

Filesize
376KB

Download
memory/940-61-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-90-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/940-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-73-0x0000000004F40000-0x0000000004FCC000-memory.dmp

Filesize
560KB

Download
memory/940-72-0x0000000000F50000-0x0000000000FB4000-memory.dmp

Filesize
400KB

Download
memory/940-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-68-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-79-0x0000000005580000-0x0000000005626000-memory.dmp

Filesize
664KB

Download
memory/1072-92-0x0000000004840000-0x0000000004874000-memory.dmp

Filesize
208KB

Download
memory/1072-91-0x0000000005650000-0x00000000056DE000-memory.dmp

Filesize
568KB

Download
memory/1072-88-0x0000000000E10000-0x0000000000F02000-memory.dmp

Filesize
968KB

Download
memory/1072-85-0x0000000000000000-mapping.dmp

Download
memory/1360-106-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

Filesize
1.0MB

Download

description	pid	process	target process
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	RFQ PBMS 401055-STR-22.pdf.exe
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	RFQ PBMS 401055-STR-22.pdf.exe
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	RFQ PBMS 401055-STR-22.pdf.exe
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	RFQ PBMS 401055-STR-22.pdf.exe
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	RFQ PBMS 401055-STR-22.pdf.exe
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	RFQ PBMS 401055-STR-22.pdf.exe
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	RFQ PBMS 401055-STR-22.pdf.exe
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	RFQ PBMS 401055-STR-22.pdf.exe
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	RFQ PBMS 401055-STR-22.pdf.exe
PID 940 wrote to memory of 1072	940	RFQ PBMS 401055-STR-22.pdf.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 940 wrote to memory of 1072	940	RFQ PBMS 401055-STR-22.pdf.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 940 wrote to memory of 1072	940	RFQ PBMS 401055-STR-22.pdf.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 940 wrote to memory of 1072	940	RFQ PBMS 401055-STR-22.pdf.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads