formbook | e619a4c3b283514f6fec91b45659f766050d86117cbd75752096b719fb444b69

General

Target

RFQ PBMS 401055-STR-22.pdf.exe
Size

960KB
MD5

d53349008874b77d087eac5ee7380c5b
SHA1

676219bcf2de1c6b73a366cf880d0702cbfc6f99
SHA256

e619a4c3b283514f6fec91b45659f766050d86117cbd75752096b719fb444b69
SHA512

8fc2de3635c447216b1aad8f1dd0b41152f9debb1d53da877dfd439cfb8551e5ebebf2621c9cd2c243e87786645e2fe12cd02db256f0c70b750a6c330442adae
SSDEEP

12288:KUTQO2iNCJ2uT8ejSo+aI2PfwnlOvAsijEo9Ogi5LGXshr9lyAKp:lD1FQtO5aIqAk8oUTixWsh5lWp

Score

10^/10

formbook nworm mmtr downloader evasion rat spyware stealer trojan worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

svetanakravenova247.ddns.net:3498

Mutex

37f24ea7

Extracted

Family

formbook

Campaign

mmtr

Decoy

A2DZqKcj5ytLVZtHJA==

fMXPWQG+JWa0S6lZOg==

8kymMDxB6ShVJHxu2gshFtXY9Rw=

1TcOF6WxcdzplqFGcUCNkBY=

k3TLhZ+bOG7ahplcPA==

K4kL5Aq5abHNS6lZOg==

mXDSo9XmxlqYN6psOA==

m+RNCVT4shAb

G1kzROn+2jCug7F5psQ=

qNYsJkWzqwkZ

0BcDQuH0xt4oBh4=

pfRW4ZhmRsEiyvP2Mg==

Sqgj4eztyCg0Ezwo39iHXQ==

bIi2etJbcdUB

k2g3gBesND9hUoKOzGaVFKX6IuUaknqH1Q==

8dFDXQPnb4s+sWfhwoqOdgmABBK+YGg=

Pn9PmDzelx84EjfdzY0WkiRPz6i4

SrUfvOfNO3DMdLvB

GFXHQ9NuPdHsxOiU2umGMSiTvQE=

Kv9sdrhSbDfMdLvB

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	RFQ PBMS 401055-STR-22.pdf.exe

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm

Executes dropped EXE 2 IoCs

pid	Process
1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Loads dropped DLL 3 IoCs

pid	Process
940	RFQ PBMS 401055-STR-22.pdf.exe
940	RFQ PBMS 401055-STR-22.pdf.exe
1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 784 set thread context of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	26
PID 1072 set thread context of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	29
PID 888 set thread context of 1360	888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	26
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	26
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	26
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	26
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	26
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	26
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	26
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	26
PID 784 wrote to memory of 940	784	RFQ PBMS 401055-STR-22.pdf.exe	26
PID 940 wrote to memory of 1072	940	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 940 wrote to memory of 1072	940	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 940 wrote to memory of 1072	940	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 940 wrote to memory of 1072	940	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	29
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	29
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	29
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	29
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	29
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	29
PID 1072 wrote to memory of 888	1072	tmpBE9F.tmp8Nz5fWCl2izgmL6.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
\Users\Admin\AppData\Local\Temp\tmpBE9F.tmp8Nz5fWCl2izgmL6.exe

Filesize
945KB

MD5
bf67bf82ca0611af42a8a5f72db58d0e

SHA1
3de7629b74d0992f2f472adc4f503284fdb3d630

SHA256
52955aa2af63917ab5894c0494b98f0bfe74c59ff557d1b7bcfdb16f2092695b

SHA512
3b9764c8e436027955559c0a3320c859babfdce015613ca30f16d8f91f652e5247e9b352535775c65b9f566148c691ab7f9e809f0ab86fbd503b65d9f417b958

Download Submit
memory/784-54-0x0000000001080000-0x0000000001176000-memory.dmp

Filesize
984KB

Download
memory/784-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/784-56-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/784-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/784-59-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/784-58-0x0000000005190000-0x00000000051F4000-memory.dmp

Filesize
400KB

Download
memory/888-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-105-0x00000000000E0000-0x00000000000F0000-memory.dmp

Filesize
64KB

Download
memory/888-102-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/888-104-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/940-80-0x0000000005630000-0x0000000005664000-memory.dmp

Filesize
208KB

Download
memory/940-78-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/940-81-0x00000000056F0000-0x000000000573A000-memory.dmp

Filesize
296KB

Download
memory/940-82-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/940-77-0x0000000004FD0000-0x0000000005018000-memory.dmp

Filesize
288KB

Download
memory/940-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-76-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/940-75-0x00000000059E0000-0x0000000005CC2000-memory.dmp

Filesize
2.9MB

Download
memory/940-74-0x0000000004A50000-0x0000000004AAE000-memory.dmp

Filesize
376KB

Download
memory/940-61-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-90-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/940-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-73-0x0000000004F40000-0x0000000004FCC000-memory.dmp

Filesize
560KB

Download
memory/940-72-0x0000000000F50000-0x0000000000FB4000-memory.dmp

Filesize
400KB

Download
memory/940-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-68-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/940-79-0x0000000005580000-0x0000000005626000-memory.dmp

Filesize
664KB

Download
memory/1072-92-0x0000000004840000-0x0000000004874000-memory.dmp

Filesize
208KB

Download
memory/1072-91-0x0000000005650000-0x00000000056DE000-memory.dmp

Filesize
568KB

Download
memory/1072-88-0x0000000000E10000-0x0000000000F02000-memory.dmp

Filesize
968KB

Download
memory/1360-106-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads