Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
08-12-2022 16:17
General
-
Target
Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe
-
Size
1.0MB
-
MD5
af4c90f16183a6ad67d309954e852c8a
-
SHA1
4b8612090c079bf462c55e774c7199d4f182e937
-
SHA256
e42dddf5106613702329f2fa39feac15baee21cd5b543d288dc82ed621eb7037
-
SHA512
c335c1ab1b2708530424dc094a9b864155275e4d462bf726b38338b9c33f6942c355b9092fa786bf1a20f99c7ac52b4c03e399ff5ab157fff556480db15fc823
-
SSDEEP
12288:0oQgKZ/nXt7virmWhlGLaQYIyzYEmgX/Lifi1SXAe73hdw7YVCiJM2dycvQ0piws:fPNNwAe7x78OQ0Hx4xUhlWp
Malware Config
Extracted
formbook
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
Extracted
xloader
3.Æ…
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\sqlite3.dllFilesize
810KB
MD5c6ec991471d42128268ea10236d9cdb8
SHA1d569350d02db6a118136220da8de40a9973084f1
SHA2561b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0
SHA512a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57
-
memory/852-54-0x00000000000D0000-0x00000000001E2000-memory.dmpFilesize
1.1MB
-
memory/852-55-0x0000000074E41000-0x0000000074E43000-memory.dmpFilesize
8KB
-
memory/852-56-0x00000000004D0000-0x00000000004E6000-memory.dmpFilesize
88KB
-
memory/852-57-0x0000000000560000-0x000000000056E000-memory.dmpFilesize
56KB
-
memory/852-58-0x0000000005E30000-0x0000000005EC4000-memory.dmpFilesize
592KB
-
memory/852-59-0x0000000000760000-0x00000000007BC000-memory.dmpFilesize
368KB
-
memory/1280-82-0x0000000003D50000-0x0000000003DFB000-memory.dmpFilesize
684KB
-
memory/1280-78-0x0000000003D50000-0x0000000003DFB000-memory.dmpFilesize
684KB
-
memory/1280-72-0x0000000004940000-0x0000000004A0F000-memory.dmpFilesize
828KB
-
memory/1492-68-0x0000000000401000-0x000000000042F000-memory.dmpFilesize
184KB
-
memory/1492-63-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1492-66-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1492-69-0x0000000000A80000-0x0000000000D83000-memory.dmpFilesize
3.0MB
-
memory/1492-71-0x0000000000070000-0x0000000000080000-memory.dmpFilesize
64KB
-
memory/1492-70-0x0000000000422000-0x0000000000424000-memory.dmpFilesize
8KB
-
memory/1492-64-0x00000000004012B0-mapping.dmp
-
memory/1492-67-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1492-61-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1492-60-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1864-73-0x0000000000000000-mapping.dmp
-
memory/1864-77-0x0000000001E50000-0x0000000001EDF000-memory.dmpFilesize
572KB
-
memory/1864-76-0x0000000001F50000-0x0000000002253000-memory.dmpFilesize
3.0MB
-
memory/1864-80-0x0000000000070000-0x000000000009D000-memory.dmpFilesize
180KB
-
memory/1864-75-0x0000000000070000-0x000000000009D000-memory.dmpFilesize
180KB
-
memory/1864-74-0x0000000000990000-0x00000000009B2000-memory.dmpFilesize
136KB