Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
27-10-2022 11:43
General
-
Target
Shipment Document BL,INV and packing list.jpg.exe
-
Size
323KB
-
MD5
858a0b8a0c24df21ce22f3ff702a3737
-
SHA1
f285429ebe2a75c143abe1fd579c979122c6afe0
-
SHA256
88819addd430324a7461bdf59c1ab994bc613bb2b17f09e572b7ba1c0c47e6f9
-
SHA512
cfdab69ebe17d666b05a399c935a28f411a9bc1a5c014dd1fa533043992b7a947d6417982011b9fabc76c21d2d294d6384a2157580fc30b4ef46e53eb0c57ca7
-
SSDEEP
6144:/6dbOGzzzzzzzzzzzzzzzzzzzzzzzzzzzzkzTzzzzzzQtkauL/sVfEBlUbrQ2Inh:itka2UbrQlZI/JTV6V7KAF
Malware Config
Extracted
formbook
4.1
d06c
douglasdetoledopiza.com
yxcc.online
primo.llc
mediamomos.com
cosmetiq-pro.com
22labs.tech
turbowashing.com
lindaivell.site
princess-bed.club
groundget.cfd
agretaminiousa.com
lomoni.com
nessesse.us
lexgo.cloud
halilsener.xyz
kirokubo.cloud
corotip.sbs
meghq.net
5y6s.world
weasib.online
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 3 IoCs
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"3⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"3⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsg7D9D.tmp\System.dllFilesize
11KB
MD50063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
memory/2500-133-0x00000000031A0000-0x00000000032A1000-memory.dmpFilesize
1.0MB
-
memory/2500-134-0x00000000031A0000-0x00000000032A1000-memory.dmpFilesize
1.0MB
-
memory/2500-135-0x00007FFAD6610000-0x00007FFAD6805000-memory.dmpFilesize
2.0MB
-
memory/2500-136-0x0000000077370000-0x0000000077513000-memory.dmpFilesize
1.6MB
-
memory/2500-148-0x00000000031A0000-0x00000000032A1000-memory.dmpFilesize
1.0MB
-
memory/2500-139-0x0000000077370000-0x0000000077513000-memory.dmpFilesize
1.6MB
-
memory/2628-155-0x0000000000000000-mapping.dmp
-
memory/2844-145-0x000000001D810000-0x000000001DB5A000-memory.dmpFilesize
3.3MB
-
memory/2844-151-0x0000000077370000-0x0000000077513000-memory.dmpFilesize
1.6MB
-
memory/2844-142-0x00007FFAD6610000-0x00007FFAD6805000-memory.dmpFilesize
2.0MB
-
memory/2844-143-0x0000000077370000-0x0000000077513000-memory.dmpFilesize
1.6MB
-
memory/2844-144-0x0000000000401000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/2844-146-0x000000001D640000-0x000000001D654000-memory.dmpFilesize
80KB
-
memory/2844-140-0x0000000001660000-0x0000000001760000-memory.dmpFilesize
1024KB
-
memory/2844-137-0x0000000000000000-mapping.dmp
-
memory/2844-138-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/2844-152-0x0000000001660000-0x0000000001760000-memory.dmpFilesize
1024KB
-
memory/2844-150-0x00007FFAD6610000-0x00007FFAD6805000-memory.dmpFilesize
2.0MB
-
memory/2844-141-0x0000000001660000-0x0000000001760000-memory.dmpFilesize
1024KB
-
memory/3092-147-0x0000000007DE0000-0x0000000007F27000-memory.dmpFilesize
1.3MB
-
memory/3092-158-0x0000000007F30000-0x0000000008057000-memory.dmpFilesize
1.2MB
-
memory/3092-160-0x0000000007F30000-0x0000000008057000-memory.dmpFilesize
1.2MB
-
memory/4988-149-0x0000000000000000-mapping.dmp
-
memory/4988-154-0x00000000004E0000-0x000000000050F000-memory.dmpFilesize
188KB
-
memory/4988-153-0x0000000000410000-0x000000000041E000-memory.dmpFilesize
56KB
-
memory/4988-156-0x0000000001100000-0x000000000144A000-memory.dmpFilesize
3.3MB
-
memory/4988-157-0x0000000001000000-0x0000000001093000-memory.dmpFilesize
588KB
-
memory/4988-159-0x00000000004E0000-0x000000000050F000-memory.dmpFilesize
188KB