Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
04-05-2023 08:17
General
-
Target
quotation orda.exe
-
Size
685KB
-
MD5
79ac7b7624cbab492eb2444876e0fc7a
-
SHA1
8f59ff54e030341dd66debe13ccf3a80c630201e
-
SHA256
08fc30191cdb3900aad985dd7203f002dd7ac1176acd1ae7861021cc641b6a40
-
SHA512
ae184f1feae78804ffa2eb427b1b744a951cfea63d8005b259f81cabe145e876aab3a78df5c8e583c6916ff920d8a827e10e7254c47b91241c57e777d3a07864
-
SSDEEP
12288:2qKqnAoLzp6iEZrm4RQMIUa6ijcswvP5IwZ7poXduuW:9n38M4a4Li/0GwuXY
Malware Config
Extracted
formbook
4.1
n13e
cowiemarketing.com
uniqueliquidz.co.uk
755259.com
7bw95.com
luxbarstools.co.uk
baccaratda.com
berkayakpinar.xyz
gistus.africa
hjd387.com
leave-fly.com
golfclubdaddy.com
engineeringea.buzz
countryrevisited.com
decoracioneskalite.com
imaginationlirbary.com
moneytransfer.africa
brainwaveproject.com
3039sjbqf2022.com
184hotels.com
aromamiaro.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 5 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\quotation orda.exe"C:\Users\Admin\AppData\Local\Temp\quotation orda.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tQEuZJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC063.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\quotation orda.exe"{path}"3⤵
-
C:\Users\Admin\AppData\Local\Temp\quotation orda.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\quotation orda.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpC063.tmpFilesize
1KB
MD590a704b4d9cf374087f60b40552c9092
SHA1db1637e78828589c1a745236a68171267dddaa00
SHA25654df21f81aa23c7be11c827da81c47545d7214a8911cec6481688870f2331534
SHA51202ca75fd49d79bb843cfe33eb73faa0d6919a8d8d55c09c3c02d75e19f74d739ffd5127d7d1d9d41998863feaef4e85b283805fa8f96c311d399e17e29f27289
-
memory/1216-80-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1216-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1216-72-0x0000000000210000-0x0000000000224000-memory.dmpFilesize
80KB
-
memory/1216-73-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1216-71-0x0000000000A00000-0x0000000000D03000-memory.dmpFilesize
3.0MB
-
memory/1216-77-0x00000000002C0000-0x00000000002D4000-memory.dmpFilesize
80KB
-
memory/1216-66-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1216-65-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1216-68-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1280-74-0x00000000065C0000-0x0000000006702000-memory.dmpFilesize
1.3MB
-
memory/1280-90-0x00000000071E0000-0x000000000734F000-memory.dmpFilesize
1.4MB
-
memory/1280-88-0x00000000071E0000-0x000000000734F000-memory.dmpFilesize
1.4MB
-
memory/1280-70-0x0000000000660000-0x0000000000670000-memory.dmpFilesize
64KB
-
memory/1280-78-0x0000000006BC0000-0x0000000006D01000-memory.dmpFilesize
1.3MB
-
memory/1280-87-0x00000000071E0000-0x000000000734F000-memory.dmpFilesize
1.4MB
-
memory/1640-79-0x0000000000870000-0x000000000087A000-memory.dmpFilesize
40KB
-
memory/1640-81-0x0000000000870000-0x000000000087A000-memory.dmpFilesize
40KB
-
memory/1640-86-0x0000000001E10000-0x0000000001EA3000-memory.dmpFilesize
588KB
-
memory/1640-84-0x00000000000C0000-0x00000000000EF000-memory.dmpFilesize
188KB
-
memory/1640-82-0x00000000000C0000-0x00000000000EF000-memory.dmpFilesize
188KB
-
memory/1640-83-0x0000000001FA0000-0x00000000022A3000-memory.dmpFilesize
3.0MB
-
memory/1916-58-0x0000000000380000-0x00000000003C0000-memory.dmpFilesize
256KB
-
memory/1916-54-0x00000000000C0000-0x0000000000172000-memory.dmpFilesize
712KB
-
memory/1916-61-0x0000000000B60000-0x0000000000B94000-memory.dmpFilesize
208KB
-
memory/1916-59-0x000000007EF40000-0x000000007EF50000-memory.dmpFilesize
64KB
-
memory/1916-57-0x000000007EF40000-0x000000007EF50000-memory.dmpFilesize
64KB
-
memory/1916-60-0x0000000005D10000-0x0000000005D98000-memory.dmpFilesize
544KB
-
memory/1916-56-0x00000000005C0000-0x00000000005CC000-memory.dmpFilesize
48KB
-
memory/1916-55-0x0000000000380000-0x00000000003C0000-memory.dmpFilesize
256KB