Analysis

  • max time kernel
    149s
  • max time network
    205s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-12-2022 22:23

General

  • Target

    RFQ No. 980007 & 983185.exe

  • Size

    239KB

  • MD5

    a9ee4f66b0686b6696d2853667da9c18

  • SHA1

    6c4ec8743ac76cd05fc33ba3d05e82c47d87ecce

  • SHA256

    05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b

  • SHA512

    d222a4cc4ea8b89b6aa66eee2f2ee0510cae392e15b04945e75baf3db7302ff9e9b8d063dce021096b539e26c26ea3478ecb4d17f3d763ff1f60a98e9c6a20c9

  • SSDEEP

    6144:xBnYpMnlMPjMn6m3AWilyG6M2abL9cBjr8Jiw:UpglZ6m373G6M2alc9AJX

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing (information-stealing) malware family.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\RFQ No. 980007 & 983185.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ No. 980007 & 983185.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Users\Admin\AppData\Local\Temp\zxcia.exe
        "C:\Users\Admin\AppData\Local\Temp\zxcia.exe" C:\Users\Admin\AppData\Local\Temp\wwgysm.u
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:936
        • C:\Users\Admin\AppData\Local\Temp\zxcia.exe
          "C:\Users\Admin\AppData\Local\Temp\zxcia.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:856
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1860

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Defense Evasion: T1112 Modify Registry (1)
    • Credential Access: T1081 Credentials in Files (1)
    • Discovery: T1012 Query Registry (1); T1082 System Information Discovery (2)
    • Collection: T1005 Data from Local System (1)

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\addqembg.akh
      Filesize

      185KB

      MD5

      1004c011123dca04b18de42d207a7eda

      SHA1

      7c6704ec238046df9679742104d3fcce2221a436

      SHA256

      d9b8ddbba450f37caf3ff8b88cec37f269ce37bf41fb173c8659c9818c08c2f2

      SHA512

      2406f35ce017a43bfec7b2050b79dc9aebcad34cbb14f5598284791287aeb2d5a4464b8dc3b4ea5a0f55f95f0942b5b6887defbb5205eb3a64c0a40a12e01472

    • C:\Users\Admin\AppData\Local\Temp\wwgysm.u
      Filesize

      5KB

      MD5

      faa57729447a24669e0d3e46b18e0232

      SHA1

      49f11122be3748b0b0acf5c329c533457a18f954

      SHA256

      0db5fa443f4e268da1c759bb827eff866ff89a5f9dcadf7a5ee96d94a079d97d

      SHA512

      5cdc0ff8fe1a5850f39979c656c3ac4eef58d8f1a773064568464b6e199e20f92ec15ecc43837017835dc5e413fbec45c5be16f2b450e9d90e2ac20d319d5b62

    • C:\Users\Admin\AppData\Local\Temp\zxcia.exe
      Filesize

      12KB

      MD5

      aa22266d15fb5c32c2d556f73928ca4f

      SHA1

      bf8abdf87eb0ff02ab397be1e0b80c7c32d8f1a5

      SHA256

      207b2b2b68c53a3983aca22eeafd50e7bf065e347379332692c716ef8e7303d5

      SHA512

      6cf19e8c36bfcb78d1a18f2637671132e1d4bc50fd23818c50ec1facbf2786d1404ba2e8a679e66c9f705eaaa25047887b46ee776c624335278320760c3fa294

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      825KB

      MD5

      00a91261929192a7facc32a9f330029a

      SHA1

      7df4ffdf48a6df0bac21a82d6db56aa11db470dc

      SHA256

      c1de8eca6419634c5f6e0e8c6ef14d9b3daa28fa28e8d1c4ce0175dbc310a77f

      SHA512

      18a178ca0e70fa6e8f04b4ae229cfd6ef0df252e3fd85d09cf79f89e69ada89e3479db83227095a8c16325b1dc27c9ec0c782af304f7ce0afa78c2e25b49b01e

    • \Users\Admin\AppData\Local\Temp\zxcia.exe
      Filesize

      12KB

      MD5

      aa22266d15fb5c32c2d556f73928ca4f

      SHA1

      bf8abdf87eb0ff02ab397be1e0b80c7c32d8f1a5

      SHA256

      207b2b2b68c53a3983aca22eeafd50e7bf065e347379332692c716ef8e7303d5

      SHA512

      6cf19e8c36bfcb78d1a18f2637671132e1d4bc50fd23818c50ec1facbf2786d1404ba2e8a679e66c9f705eaaa25047887b46ee776c624335278320760c3fa294

    • memory/520-76-0x00000000006E0000-0x00000000006EE000-memory.dmp
      Filesize

      56KB

    • memory/520-79-0x0000000001DB0000-0x0000000001E3F000-memory.dmp
      Filesize

      572KB

    • memory/520-81-0x00000000000D0000-0x00000000000FD000-memory.dmp
      Filesize

      180KB

    • memory/520-78-0x0000000002080000-0x0000000002383000-memory.dmp
      Filesize

      3.0MB

    • memory/520-77-0x00000000000D0000-0x00000000000FD000-memory.dmp
      Filesize

      180KB

    • memory/520-73-0x0000000000000000-mapping.dmp
    • memory/856-64-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/856-66-0x0000000000830000-0x0000000000B33000-memory.dmp
      Filesize

      3.0MB

    • memory/856-65-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

    • memory/856-71-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/856-72-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

    • memory/856-62-0x00000000004012B0-mapping.dmp
    • memory/856-69-0x0000000000230000-0x0000000000240000-memory.dmp
      Filesize

      64KB

    • memory/856-67-0x0000000000090000-0x00000000000A0000-memory.dmp
      Filesize

      64KB

    • memory/936-56-0x0000000000000000-mapping.dmp
    • memory/1276-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
      Filesize

      8KB

    • memory/1284-75-0x00000000045E0000-0x00000000046C9000-memory.dmp
      Filesize

      932KB

    • memory/1284-68-0x0000000002AB0000-0x0000000002B9A000-memory.dmp
      Filesize

      936KB

    • memory/1284-80-0x00000000046D0000-0x00000000047FA000-memory.dmp
      Filesize

      1.2MB

    • memory/1284-70-0x00000000045E0000-0x00000000046C9000-memory.dmp
      Filesize

      932KB

    • memory/1284-82-0x00000000046D0000-0x00000000047FA000-memory.dmp
      Filesize

      1.2MB