Analysis
-
max time kernel
250s -
max time network
244s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
17-10-2022 12:23
General
-
Target
New Inquiry/New inquiry.exe
-
Size
236KB
-
MD5
dd1a098f5e803e0d80f1d7a7333ca8a5
-
SHA1
224bf29996d204c81e825c28b2955a6f2f01973f
-
SHA256
48c09aadd19df65dcb19eed8da77377e60aa7e6e5cba53ba0507faa9c550c193
-
SHA512
d0ef4d2a6dda49b0c513fb76a81f78cba3c67ace14b7254c580b8c41972406bbe3324c0ae7d5bd3e23ee916b8a9080c25b331a80ccf727635da373682627bfc1
-
SSDEEP
6144:i6bAcJ3iiPiaIj0sBo+0iBDQp9tHjaq8fRlilqaerDbI6Iu:JjIj0op0i1iHHTn0nkO
Score
10/10
Malware Config
Extracted
Family
formbook
Version
4.1
Campaign
d06c
Decoy
douglasdetoledopiza.com
yxcc.online
primo.llc
mediamomos.com
cosmetiq-pro.com
22labs.tech
turbowashing.com
lindaivell.site
princess-bed.club
groundget.cfd
agretaminiousa.com
lomoni.com
nessesse.us
lexgo.cloud
halilsener.xyz
kirokubo.cloud
corotip.sbs
meghq.net
5y6s.world
weasib.online
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 5 IoCs
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Loads dropped DLL 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\New Inquiry\New inquiry.exe"C:\Users\Admin\AppData\Local\Temp\New Inquiry\New inquiry.exe"2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\New Inquiry\New inquiry.exe"C:\Users\Admin\AppData\Local\Temp\New Inquiry\New inquiry.exe"3⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\New Inquiry\New inquiry.exe"3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f4 0x4181⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsg4A29.tmp\System.dllFilesize
11KB
MD58b3830b9dbf87f84ddd3b26645fed3a0
SHA1223bef1f19e644a610a0877d01eadc9e28299509
SHA256f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03
-
memory/652-148-0x0000000002F40000-0x0000000003002000-memory.dmpFilesize
776KB
-
memory/652-152-0x000000000F2B0000-0x000000000F377000-memory.dmpFilesize
796KB
-
memory/652-162-0x000000000F2B0000-0x000000000F377000-memory.dmpFilesize
796KB
-
memory/652-165-0x0000000008AA0000-0x0000000008C1E000-memory.dmpFilesize
1.5MB
-
memory/652-166-0x0000000008AA0000-0x0000000008C1E000-memory.dmpFilesize
1.5MB
-
memory/2336-161-0x0000000001260000-0x00000000015AA000-memory.dmpFilesize
3.3MB
-
memory/2336-164-0x0000000000980000-0x00000000009AF000-memory.dmpFilesize
188KB
-
memory/2336-163-0x0000000001100000-0x0000000001193000-memory.dmpFilesize
588KB
-
memory/2336-159-0x0000000000980000-0x00000000009AF000-memory.dmpFilesize
188KB
-
memory/2336-158-0x00000000000D0000-0x00000000000DA000-memory.dmpFilesize
40KB
-
memory/2336-154-0x0000000000000000-mapping.dmp
-
memory/3752-160-0x0000000000000000-mapping.dmp
-
memory/4316-139-0x00000000777C0000-0x0000000077963000-memory.dmpFilesize
1.6MB
-
memory/4316-136-0x00000000777C0000-0x0000000077963000-memory.dmpFilesize
1.6MB
-
memory/4316-135-0x00007FF917850000-0x00007FF917A45000-memory.dmpFilesize
2.0MB
-
memory/4316-134-0x0000000002E90000-0x0000000002F91000-memory.dmpFilesize
1.0MB
-
memory/4316-133-0x0000000002E90000-0x0000000002F91000-memory.dmpFilesize
1.0MB
-
memory/4316-149-0x0000000002E90000-0x0000000002F91000-memory.dmpFilesize
1.0MB
-
memory/5088-140-0x0000000001660000-0x0000000001760000-memory.dmpFilesize
1024KB
-
memory/5088-151-0x0000000000170000-0x0000000000184000-memory.dmpFilesize
80KB
-
memory/5088-153-0x00007FF917850000-0x00007FF917A45000-memory.dmpFilesize
2.0MB
-
memory/5088-150-0x0000000000401000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/5088-155-0x00007FF917850000-0x00007FF917A45000-memory.dmpFilesize
2.0MB
-
memory/5088-156-0x00000000777C0000-0x0000000077963000-memory.dmpFilesize
1.6MB
-
memory/5088-157-0x0000000001660000-0x0000000001760000-memory.dmpFilesize
1024KB
-
memory/5088-147-0x000000001D400000-0x000000001D414000-memory.dmpFilesize
80KB
-
memory/5088-146-0x000000001D610000-0x000000001D95A000-memory.dmpFilesize
3.3MB
-
memory/5088-145-0x00000000777C0000-0x0000000077963000-memory.dmpFilesize
1.6MB
-
memory/5088-144-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/5088-143-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/5088-142-0x00007FF917850000-0x00007FF917A45000-memory.dmpFilesize
2.0MB
-
memory/5088-141-0x0000000001660000-0x0000000001760000-memory.dmpFilesize
1024KB
-
memory/5088-138-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/5088-137-0x0000000000000000-mapping.dmp