formbook | 93e11bd9c359b03f6d2a3add3d1a109275eaadc5b9875b395f9d87e302db93dd

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-10-2022 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ PBMS 401055-STR-22.pdf.exe
Size

1.0MB
MD5

bbbffc29c40c5e0e4aba9fd4e2a677f9
SHA1

a9ab9ba1a90d144a6ba982003d2116a5b7dd42da
SHA256

93e11bd9c359b03f6d2a3add3d1a109275eaadc5b9875b395f9d87e302db93dd
SHA512

4381510e00a00b55e41e85cbfc4f67520570d43e1e76918679fba06812dcceebd8002e5f84b963a010c2f5f1c59f123f15b6ff6615ba174299166197845e228e
SSDEEP

12288:FSmZqMm9II2iNPv9sXAwe7CrtPVGVh9dpcjSJnu5lzAKp:ZTI1LWAt7YVkdTJn2lDp

Score

10^/10

formbook nworm mmtr downloader evasion rat spyware stealer trojan worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

svetanakravenova247.ddns.net:3498

Mutex

37f24ea7

Extracted

Family

formbook

Campaign

mmtr

Decoy

A2DZqKcj5ytLVZtHJA==

fMXPWQG+JWa0S6lZOg==

8kymMDxB6ShVJHxu2gshFtXY9Rw=

1TcOF6WxcdzplqFGcUCNkBY=

k3TLhZ+bOG7ahplcPA==

K4kL5Aq5abHNS6lZOg==

mXDSo9XmxlqYN6psOA==

m+RNCVT4shAb

G1kzROn+2jCug7F5psQ=

qNYsJkWzqwkZ

0BcDQuH0xt4oBh4=

pfRW4ZhmRsEiyvP2Mg==

Sqgj4eztyCg0Ezwo39iHXQ==

bIi2etJbcdUB

k2g3gBesND9hUoKOzGaVFKX6IuUaknqH1Q==

8dFDXQPnb4s+sWfhwoqOdgmABBK+YGg=

Pn9PmDzelx84EjfdzY0WkiRPz6i4

SrUfvOfNO3DMdLvB

GFXHQ9NuPdHsxOiU2umGMSiTvQE=

Kv9sdrhSbDfMdLvB

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

RFQ PBMS 401055-STR-22.pdf.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	RFQ PBMS 401055-STR-22.pdf.exe

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm

Executes dropped EXE 2 IoCs

Processes:

tmp6826.tmpQ2Dmo8cwUrb1GWZ.exetmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

pid	Process
1776	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe
1936	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Loads dropped DLL 3 IoCs

Processes:

RFQ PBMS 401055-STR-22.pdf.exetmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

pid	Process
1772	RFQ PBMS 401055-STR-22.pdf.exe
1772	RFQ PBMS 401055-STR-22.pdf.exe
1776	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ PBMS 401055-STR-22.pdf.exetmp6826.tmpQ2Dmo8cwUrb1GWZ.exetmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

description	pid	Process	procid_target
PID 1912 set thread context of 1772	1912	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1776 set thread context of 1936	1776	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe	31
PID 1936 set thread context of 1256	1936	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

RFQ PBMS 401055-STR-22.pdf.exetmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

pid	Process
1772	RFQ PBMS 401055-STR-22.pdf.exe
1936	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe
1936	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe
1936	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe
1936	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

pid	Process
1936	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ PBMS 401055-STR-22.pdf.exetmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

description	pid	Process
Token: SeDebugPrivilege	1772	RFQ PBMS 401055-STR-22.pdf.exe
Token: SeDebugPrivilege	1936	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

RFQ PBMS 401055-STR-22.pdf.exeRFQ PBMS 401055-STR-22.pdf.exetmp6826.tmpQ2Dmo8cwUrb1GWZ.exeExplorer.EXE

description	pid	Process	procid_target
PID 1912 wrote to memory of 1772	1912	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1912 wrote to memory of 1772	1912	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1912 wrote to memory of 1772	1912	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1912 wrote to memory of 1772	1912	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1912 wrote to memory of 1772	1912	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1912 wrote to memory of 1772	1912	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1912 wrote to memory of 1772	1912	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1912 wrote to memory of 1772	1912	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1912 wrote to memory of 1772	1912	RFQ PBMS 401055-STR-22.pdf.exe	28
PID 1772 wrote to memory of 1776	1772	RFQ PBMS 401055-STR-22.pdf.exe	30
PID 1772 wrote to memory of 1776	1772	RFQ PBMS 401055-STR-22.pdf.exe	30
PID 1772 wrote to memory of 1776	1772	RFQ PBMS 401055-STR-22.pdf.exe	30
PID 1772 wrote to memory of 1776	1772	RFQ PBMS 401055-STR-22.pdf.exe	30
PID 1776 wrote to memory of 1936	1776	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe	31
PID 1776 wrote to memory of 1936	1776	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe	31
PID 1776 wrote to memory of 1936	1776	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe	31
PID 1776 wrote to memory of 1936	1776	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe	31
PID 1776 wrote to memory of 1936	1776	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe	31
PID 1776 wrote to memory of 1936	1776	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe	31
PID 1776 wrote to memory of 1936	1776	tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe	31
PID 1256 wrote to memory of 1584	1256	Explorer.EXE	32
PID 1256 wrote to memory of 1584	1256	Explorer.EXE	32
PID 1256 wrote to memory of 1584	1256	Explorer.EXE	32
PID 1256 wrote to memory of 1584	1256	Explorer.EXE	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ PBMS 401055-STR-22.pdf.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Filesize
1009KB

MD5
a8ba4d5116a3db61e57d8de3b578b869

SHA1
dce87e252cf55b8366897bbf2cfd6b11d989859f

SHA256
f1c99e2f74b4c7b6b98e43b946e6ec8e2515ff2fac0cab86fb2a37ebb641eb01

SHA512
2c6221bd7dd230239afac5ae20e30495b7617579406a1058ab85942f414a2d22abdf7d7b2e71e3b1ff7129f246e6d0f6150d0bd433b970f70f936bfe7f990d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Filesize
1009KB

MD5
a8ba4d5116a3db61e57d8de3b578b869

SHA1
dce87e252cf55b8366897bbf2cfd6b11d989859f

SHA256
f1c99e2f74b4c7b6b98e43b946e6ec8e2515ff2fac0cab86fb2a37ebb641eb01

SHA512
2c6221bd7dd230239afac5ae20e30495b7617579406a1058ab85942f414a2d22abdf7d7b2e71e3b1ff7129f246e6d0f6150d0bd433b970f70f936bfe7f990d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Filesize
1009KB

MD5
a8ba4d5116a3db61e57d8de3b578b869

SHA1
dce87e252cf55b8366897bbf2cfd6b11d989859f

SHA256
f1c99e2f74b4c7b6b98e43b946e6ec8e2515ff2fac0cab86fb2a37ebb641eb01

SHA512
2c6221bd7dd230239afac5ae20e30495b7617579406a1058ab85942f414a2d22abdf7d7b2e71e3b1ff7129f246e6d0f6150d0bd433b970f70f936bfe7f990d47

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Filesize
1009KB

MD5
a8ba4d5116a3db61e57d8de3b578b869

SHA1
dce87e252cf55b8366897bbf2cfd6b11d989859f

SHA256
f1c99e2f74b4c7b6b98e43b946e6ec8e2515ff2fac0cab86fb2a37ebb641eb01

SHA512
2c6221bd7dd230239afac5ae20e30495b7617579406a1058ab85942f414a2d22abdf7d7b2e71e3b1ff7129f246e6d0f6150d0bd433b970f70f936bfe7f990d47

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Filesize
1009KB

MD5
a8ba4d5116a3db61e57d8de3b578b869

SHA1
dce87e252cf55b8366897bbf2cfd6b11d989859f

SHA256
f1c99e2f74b4c7b6b98e43b946e6ec8e2515ff2fac0cab86fb2a37ebb641eb01

SHA512
2c6221bd7dd230239afac5ae20e30495b7617579406a1058ab85942f414a2d22abdf7d7b2e71e3b1ff7129f246e6d0f6150d0bd433b970f70f936bfe7f990d47

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6826.tmpQ2Dmo8cwUrb1GWZ.exe

Filesize
1009KB

MD5
a8ba4d5116a3db61e57d8de3b578b869

SHA1
dce87e252cf55b8366897bbf2cfd6b11d989859f

SHA256
f1c99e2f74b4c7b6b98e43b946e6ec8e2515ff2fac0cab86fb2a37ebb641eb01

SHA512
2c6221bd7dd230239afac5ae20e30495b7617579406a1058ab85942f414a2d22abdf7d7b2e71e3b1ff7129f246e6d0f6150d0bd433b970f70f936bfe7f990d47

Download Submit
memory/1256-106-0x0000000006A90000-0x0000000006C03000-memory.dmp

Filesize
1.4MB

Download
memory/1772-80-0x00000000050F0000-0x0000000005124000-memory.dmp

Filesize
208KB

Download
memory/1772-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1772-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1772-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1772-66-0x000000000040553E-mapping.dmp

Download
memory/1772-68-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1772-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1772-72-0x0000000000E60000-0x0000000000EC4000-memory.dmp

Filesize
400KB

Download
memory/1772-73-0x0000000005320000-0x00000000053AC000-memory.dmp

Filesize
560KB

Download
memory/1772-74-0x0000000004FC0000-0x000000000501E000-memory.dmp

Filesize
376KB

Download
memory/1772-75-0x0000000005AA0000-0x0000000005D82000-memory.dmp

Filesize
2.9MB

Download
memory/1772-76-0x0000000000800000-0x000000000081C000-memory.dmp

Filesize
112KB

Download
memory/1772-77-0x0000000005060000-0x00000000050A8000-memory.dmp

Filesize
288KB

Download
memory/1772-78-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/1772-79-0x0000000005830000-0x00000000058D6000-memory.dmp

Filesize
664KB

Download
memory/1772-91-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/1772-81-0x00000000056D0000-0x000000000571A000-memory.dmp

Filesize
296KB

Download
memory/1772-82-0x0000000000B10000-0x0000000000B26000-memory.dmp

Filesize
88KB

Download
memory/1772-61-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1772-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1776-85-0x0000000000000000-mapping.dmp

Download
memory/1776-88-0x0000000000E80000-0x0000000000F82000-memory.dmp

Filesize
1.0MB

Download
memory/1776-90-0x00000000077D0000-0x000000000785E000-memory.dmp

Filesize
568KB

Download
memory/1776-92-0x0000000004F80000-0x0000000004FB4000-memory.dmp

Filesize
208KB

Download
memory/1912-56-0x0000000000480000-0x0000000000498000-memory.dmp

Filesize
96KB

Download
memory/1912-58-0x0000000005050000-0x00000000050B4000-memory.dmp

Filesize
400KB

Download
memory/1912-54-0x0000000001360000-0x0000000001466000-memory.dmp

Filesize
1.0MB

Download
memory/1912-57-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/1912-59-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/1912-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1936-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-98-0x00000000004012B0-mapping.dmp

Download
memory/1936-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-102-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-103-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1936-104-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/1936-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-105-0x00000000000E0000-0x00000000000F0000-memory.dmp

Filesize
64KB

Download