Analysis

  • max time kernel
    64s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-12-2022 11:06

General

  • Target

    3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe

  • Size

    1.0MB

  • MD5

    6be4ed58ccaac533af70b264d7132bac

  • SHA1

    0084169c3f9e4acef3917f29873f81d7474bcd82

  • SHA256

    3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e

  • SHA512

    4e51bca0bd135f3800371481121c439b3a138fb90e70f7a50b66811940199e34f35cddabaff64fcacab5c45d9544844bd34eb4e29c8fce72bbd7bc8bec4c6743

  • SSDEEP

    12288:rXWgh/PsZ1DX/VDJIhp+dTjmuYqfaIGU0MgXo5BASa37dI6R82HOC7:rWgh/P9h2ugJhLASaW6R82HOs

Malware Config

Extracted

Family

formbook

Campaign

wu27

Decoy

69/AbbgufRx7loCQ5G4WYQ==

uydiDFvHsFxlIrdq

NBlmCe8ii+DEa2ye5G4WYQ==

LicGnHCl/UZ2UMg=

e2lQ8e1lsXvAeX+U5G4WYQ==

2bF/M54rOGusdYqc5G4WYQ==

mQLidD9i82JIsrqysw==

ZdlDYrcsl/L9eH+U5G4WYQ==

80ucyjCJdqXkcNI=

/eg6aKbVvNkwOcxzZyAx3cCTN5E=

lflaF0MvE+fHXoWmrg==

qRfykIXbxMkND1kwe3I=

s6iSNSVOMwnpvFDxdFLlOfqBMw==

imkLObSlIdc=

oBUBm36yNaZ99JYxenA=

ngFE7+IP8Te6N75o

O6Htl8Oyjb0Msrqysw==

f4JgCEnC0LEC9w==

9+dNeq/hVxaAhxzT1pbgzZ2mb3Nf

980jQpYF3y1wMomLfWU=

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
    "C:\Users\Admin\AppData\Local\Temp\3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:584
    • C:\Users\Admin\AppData\Local\Temp\3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
      "C:\Users\Admin\AppData\Local\Temp\3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:960

Network

MITRE ATT&CK Matrix

Downloads

  • memory/584-54-0x0000000000A70000-0x0000000000B80000-memory.dmp

    Filesize

    1.1MB

  • memory/584-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

    Filesize

    8KB

  • memory/584-56-0x0000000000280000-0x0000000000298000-memory.dmp

    Filesize

    96KB

  • memory/584-57-0x0000000000210000-0x000000000021C000-memory.dmp

    Filesize

    48KB

  • memory/584-58-0x00000000048E0000-0x0000000004950000-memory.dmp

    Filesize

    448KB

  • memory/584-59-0x0000000005660000-0x0000000005694000-memory.dmp

    Filesize

    208KB

  • memory/960-60-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/960-61-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/960-63-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/960-64-0x00000000004012B0-mapping.dmp

  • memory/960-66-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/960-67-0x0000000000401000-0x000000000042F000-memory.dmp

    Filesize

    184KB

  • memory/960-68-0x0000000000B80000-0x0000000000E83000-memory.dmp

    Filesize

    3.0MB