Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-03-2023 14:57

General

  • Target

    0b793ae840102dff93fa1ec0a38bd603.exe

  • Size

    430KB

  • MD5

    0b793ae840102dff93fa1ec0a38bd603

  • SHA1

    ac9a73ff2b30557949547e4b1d30fb2a2dd3f06c

  • SHA256

    6ae760d9b669fbcc87fd61647e1904de552f09b6af8d36d48eff89df60b06cd8

  • SHA512

    374a7258257a3735bed3e9aa7c941058388d4411d486077e7e77b3b3be6e2f7d9de1ed4496330c6d472482a84ca156780390faca795e5a926dd8e2b6874d1bb7

  • SSDEEP

    6144:AbUTp1kKX7AB/N0A6SgZUNuhYHOrq9V56lSN0WFOnxMfEa+pvLf+xM+Y:AIFEzDgZUYyurc/2KEa4vLfH

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u34f

Decoy

carpool.bar

badburyparkbakery.co.uk

aigooglebot.com

arihantautogas.com

specmart.online

newschatgpt.net

mmcroberts.com

ativeerrtechnologies.com

pheonix-blog-lomg-1098.com

simplisetup.com

teorikatapublishing.com

stephanyvgrfingle.click

tropicoa.com

isystem.world

tiger-lion.space

mackenziefarms.net

tl8841.buzz

alfabank.credit

lockdaccesactolapqqk.com

directaccesspetroleum.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Formbook payload 1 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe
    "C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe
      "C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Downloads

  • \Users\Admin\AppData\Local\Temp\nsd3F72.tmp\System.dll
    Filesize

    11KB

    MD5

    7399323923e3946fe9140132ac388132

    SHA1

    728257d06c452449b1241769b459f091aabcffc5

    SHA256

    5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

    SHA512

    d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

  • memory/764-72-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

  • memory/764-73-0x0000000001470000-0x0000000002258000-memory.dmp
    Filesize

    13.9MB

  • memory/764-74-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

  • memory/764-75-0x0000000001470000-0x0000000002258000-memory.dmp
    Filesize

    13.9MB

  • memory/764-97-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

  • memory/764-98-0x0000000001470000-0x0000000002258000-memory.dmp
    Filesize

    13.9MB

  • memory/764-101-0x0000000001470000-0x0000000002258000-memory.dmp
    Filesize

    13.9MB

  • memory/764-102-0x0000000032750000-0x0000000032A53000-memory.dmp
    Filesize

    3.0MB

  • memory/1064-70-0x0000000003110000-0x0000000003EF8000-memory.dmp
    Filesize

    13.9MB

  • memory/1064-71-0x0000000003110000-0x0000000003EF8000-memory.dmp
    Filesize

    13.9MB