Analysis
-
max time kernel
62s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
01-12-2022 21:08
General
-
Target
a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe
-
Size
2.1MB
-
MD5
dc86d8c67a66d23d6cba86036dacd475
-
SHA1
3c803edc8f87f3c69c460ccf1255ed8c9c1651f6
-
SHA256
a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8
-
SHA512
941b380f3c393ebb776b0d181b290550b528534f50b6bb55ada418f3639d8ccd07587303a7b680937c0b641e838cc2f98265d93f56d7bbcd9419e7a2512a69f3
-
SSDEEP
24576:MuOolI+AqJiMqbPf8/cEnn8jrO+jfn2QaRgRBmjb+Ba56r19EvAI3eQFZ:x3Aq0U/cbjjL2Q+gRBKyq6r19mAI3RF
Malware Config
Extracted
formbook
4.1
do25
nickifarina.site
nfptrwge.bar
nobreemporio.com
split-acres.com
sharingservice-act.com
nakedinktees.shop
zhensheng1988.com
ipiton.com
liftoffdigitalmarketing.com
karen.cool
theprotestantchurch.com
shirhadarr.com
azdtwp.com
comzestdent.com
jnsjh.com
in-heat-cool.com
dfefej.top
tumingchun.com
eisei-shouji.tokyo
sparecreeping.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe"C:\Users\Admin\AppData\Local\Temp\a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exeC:\Users\Admin\AppData\Local\Temp\a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/484-56-0x0000000000000000-mapping.dmp
-
memory/484-57-0x00000000764C1000-0x00000000764C3000-memory.dmpFilesize
8KB
-
memory/484-58-0x000000006EAA0000-0x000000006F04B000-memory.dmpFilesize
5.7MB
-
memory/484-59-0x000000006EAA0000-0x000000006F04B000-memory.dmpFilesize
5.7MB
-
memory/1272-54-0x0000000001290000-0x00000000014AA000-memory.dmpFilesize
2.1MB
-
memory/1272-55-0x00000000048B0000-0x0000000004AC4000-memory.dmpFilesize
2.1MB
-
memory/1772-60-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1772-61-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1772-63-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1772-64-0x000000000041F160-mapping.dmp
-
memory/1772-65-0x0000000000840000-0x0000000000B43000-memory.dmpFilesize
3.0MB