Analysis
-
max time kernel
151s
-
max time network
148s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
15-01-2023 09:33
Static task
static1
Behavioral task
behavioral1
Sample
formbook1.exe
Resource
win7-20221111-en
General
-
Target
formbook1.exe
-
Size
433KB
-
MD5
9672b2beca3027b6f008dfc291d21777
-
SHA1
9dfa2b2cc3d1f04fd715068e9eee238d6b1ca5a7
-
SHA256
ba10a45e13a79398a5802c91636684e54e53f26409feed99e7c89bbbe0c720d3
-
SHA512
6396c39d4b9da16e541bb29659737d9841c5841c808c58a7d88accb35715d673820d63679ea0e0ff7642cd952158e11029b5fd689b0588cff8987816df3ccb2e
-
SSDEEP
6144:6bE/HUrUAGxkcrTRkHqqZMWq1cD8YGMOsPEF75noWa4zbzDp/TkLNlkDfkDSDr0x:6bkxJkKqx4rB75HpALLkD0SMx
Malware Config
Extracted
formbook
nrln
sincewordsmatter.com
Extracted
xloader
3.8
nrln
sincewordsmatter.com
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
4912 | nbeggsncal.exe
4984 | nbeggsncal.exe
3324 | nbeggsncal.exe
4968 | nbeggsncal.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | nbeggsncal.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
5004 | nbeggsncal.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 4912 set thread context of 5004 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 5004 set thread context of 2228 | 5004 | nbeggsncal.exe | Explorer.EXE
PID 3636 set thread context of 2228 | 3636 | cmmon32.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1224 | 4912 | WerFault.exe | nbeggsncal.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmmon32.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
pid | process
5004 | nbeggsncal.exe
5004 | nbeggsncal.exe
5004 | nbeggsncal.exe
5004 | nbeggsncal.exe
5004 | nbeggsncal.exe
5004 | nbeggsncal.exe
5004 | nbeggsncal.exe
5004 | nbeggsncal.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2228 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid | process
5004 | nbeggsncal.exe
5004 | nbeggsncal.exe
5004 | nbeggsncal.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
3636 | cmmon32.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 5004 | nbeggsncal.exe
Token: SeShutdownPrivilege | 2228 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2228 | Explorer.EXE
Token: SeShutdownPrivilege | 2228 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2228 | Explorer.EXE
Token: SeShutdownPrivilege | 2228 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2228 | Explorer.EXE
Token: SeDebugPrivilege | 3636 | cmmon32.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description | pid | process | target process
PID 4572 wrote to memory of 4912 | 4572 | formbook1.exe | nbeggsncal.exe
PID 4572 wrote to memory of 4912 | 4572 | formbook1.exe | nbeggsncal.exe
PID 4572 wrote to memory of 4912 | 4572 | formbook1.exe | nbeggsncal.exe
PID 4912 wrote to memory of 4984 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 4984 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 4984 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 3324 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 3324 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 3324 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 4968 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 4968 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 4968 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 5004 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 5004 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 5004 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 4912 wrote to memory of 5004 | 4912 | nbeggsncal.exe | nbeggsncal.exe
PID 2228 wrote to memory of 3636 | 2228 | Explorer.EXE | cmmon32.exe
PID 2228 wrote to memory of 3636 | 2228 | Explorer.EXE | cmmon32.exe
PID 2228 wrote to memory of 3636 | 2228 | Explorer.EXE | cmmon32.exe
PID 3636 wrote to memory of 2096 | 3636 | cmmon32.exe | Firefox.exe
PID 3636 wrote to memory of 2096 | 3636 | cmmon32.exe | Firefox.exe
PID 3636 wrote to memory of 2096 | 3636 | cmmon32.exe | Firefox.exe
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\formbook1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\formbook1.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe"
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe"
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe"
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe"
        - Checks computer location settings
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 532
        - Program crash
  C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4912 -ip 4912
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\cimrcc.g
Filesize: 185KB
MD5: 874dc59d7571e9ffa32c16740763a222
SHA1: cf2e6e6c8e7e3a2f4e1a348a289983a730b676fc
SHA256: da67c1628cfe982e5aa0995fd4c4f92a434e2e8a577941d7d9d0d8d1373a9183
SHA512: d4a8d8c5107cd029fd638f49efabee51d4a4167de260b998497f715fc80f205c03458bbf433c326b46b0fd647ba383df557015428b62457207bb335ce75cb41e
-
C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe
Filesize: 131KB
MD5: 669c2269eea6c11fd71038f0918193fb
SHA1: b2da793470b99bd215fbd9b3c7396ac402b068e9
SHA256: ba605ae9b548c05ffa985ddad9217cbdd99c1aecc83ce6e7cf36a162cb69938e
SHA512: 0759ebe446901ab0974ff7cdac1b5517a7a739890a20858da93aaec94bd06bc4e6cb697b706864d78df044c41211990185b4bd9c00a24c616ce6004f371bc91c
-
C:\Users\Admin\AppData\Local\Temp\qzhglh.zo
Filesize: 4KB
MD5: 0bd04364eecd4445c14e6f6a52045245
SHA1: 29cd354bba1a83d8e8342d2f7e13a90c87af59a4
SHA256: 62cb82f57397ea5a5622f990d4729bc6838f5db0e17161080acf4fd46d0b751f
SHA512: efda83747836c79a852c0261c0843a3a55991c16fc16b6fd58e7cef3a3b0a4efe561c40b8701c9bb05b74792d273bbd75fd2818b7380a3aacb81a94729d7f6c7
-
memory/2228-146-0x0000000008320000-0x0000000008441000-memory.dmp
Filesize: 1.1MB
-
memory/2228-155-0x0000000008500000-0x000000000868A000-memory.dmp
Filesize: 1.5MB
-
memory/2228-153-0x0000000008500000-0x000000000868A000-memory.dmp
Filesize: 1.5MB
-
memory/3636-151-0x0000000002F50000-0x000000000329A000-memory.dmp
Filesize: 3.3MB
-
memory/3636-147-0x0000000000000000-mapping.dmp
-
memory/3636-149-0x0000000000A50000-0x0000000000A5C000-memory.dmp
Filesize: 48KB
-
memory/3636-150-0x00000000010A0000-0x00000000010CD000-memory.dmp
Filesize: 180KB
-
memory/3636-152-0x0000000002DB0000-0x0000000002E3F000-memory.dmp
Filesize: 572KB
-
memory/3636-154-0x00000000010A0000-0x00000000010CD000-memory.dmp
Filesize: 180KB
-
memory/4912-132-0x0000000000000000-mapping.dmp
-
memory/5004-144-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize: 184KB
-
memory/5004-145-0x00000000009B0000-0x00000000009C0000-memory.dmp
Filesize: 64KB
-
memory/5004-143-0x0000000001000000-0x000000000134A000-memory.dmp
Filesize: 3.3MB
-
memory/5004-148-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/5004-142-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/5004-140-0x0000000000000000-mapping.dmp