Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20-12-2022 23:53
Static task: static1
Behavioral task: behavioral1
Sample: payload_formbook.exe
Resource: win7-20220812-en
General
- Target: payload_formbook.exe
- Size: 188KB
- MD5: 96525c4a51a40ab74dcb485b86d72a84
- SHA1: c0f5fb91272bcf033156266d447fadb58668fb96
- SHA256: 9e7423c4b8904ca8dc44c184cd15e755e1e0b554a9182b0e5d4c4e85f341eb84
- SHA512: 96f142b2eabc5109d87df0b3a6f39a4e735401981d71e471753215b2048924cb9f4f028f3b830de4f5f93d3e4d8711247c1d187f86549e6c3c8c06cfef62b3e3
- SSDEEP: 3072:y8qzRkfWIYczfzD7nqV+K0fp1TpckexJReVMsYykt9WIFMfWynpXA:yziWIYGzD77jp1FMRKMsCFMrn
Malware Config
Extracted
formbook
pgnt
hf9blwwuwpx7j8k.live
Signatures
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- payload_formbook.exe: Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation

Loads dropped DLL (1 IoCs)
Processes:
- PID 1520 NETSTAT.EXE

Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 1944 payload_formbook.exe set thread context of PID 1288 Explorer.EXE
- PID 1520 NETSTAT.EXE set thread context of PID 1288 Explorer.EXE

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
- PID 1520 NETSTAT.EXE

Modifies Internet Explorer settings (1 IoCs)
Processes:
- NETSTAT.EXE: Key created \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2

Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes:
- PID 1944 payload_formbook.exe (4 events)
- PID 1520 NETSTAT.EXE (22 events)

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
- PID 1944 payload_formbook.exe (3 events)
- PID 1520 NETSTAT.EXE (4 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 1944 payload_formbook.exe: Token SeDebugPrivilege
- PID 1520 NETSTAT.EXE: Token SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1288 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- PID 1288 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 1288 Explorer.EXE wrote to memory of PID 1520 NETSTAT.EXE (4 events)
- PID 1520 NETSTAT.EXE wrote to memory of PID 1880 Firefox.exe (5 events)
Processes
- C:\Windows\Explorer.EXE (tree depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\payload_formbook.exe (tree depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\payload_formbook.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autofmt.exe (tree depth 2)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\NETSTAT.EXE (tree depth 2)
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe (tree depth 3)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\sqlite3.dll
  Filesize: 904KB
  MD5: 5e5ba61531d74e45b11cadb79e7394a1
  SHA1: 677224e14aac9dd35f367d5eb1704b36e69356b8
  SHA256: 99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c
  SHA512: 712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46
- memory/1288-63-0x0000000004360000-0x0000000004427000-memory.dmp
  Filesize: 796KB
- memory/1288-57-0x00000000064D0000-0x000000000662F000-memory.dmp
  Filesize: 1.4MB
- memory/1288-65-0x0000000004360000-0x0000000004427000-memory.dmp
  Filesize: 796KB
- memory/1520-58-0x0000000000000000-mapping.dmp
- memory/1520-60-0x00000000000E0000-0x000000000010D000-memory.dmp
  Filesize: 180KB
- memory/1520-59-0x0000000000180000-0x0000000000189000-memory.dmp
  Filesize: 36KB
- memory/1520-61-0x00000000021F0000-0x00000000024F3000-memory.dmp
  Filesize: 3.0MB
- memory/1520-62-0x0000000001F40000-0x0000000001FCF000-memory.dmp
  Filesize: 572KB
- memory/1520-64-0x0000000075CF1000-0x0000000075CF3000-memory.dmp
  Filesize: 8KB
- memory/1944-56-0x0000000000110000-0x0000000000120000-memory.dmp
  Filesize: 64KB
- memory/1944-54-0x00000000013C0000-0x00000000013EF000-memory.dmp
  Filesize: 188KB
- memory/1944-55-0x0000000000960000-0x0000000000C63000-memory.dmp
  Filesize: 3.0MB