Analysis
-
max time kernel
149s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
28/06/2023, 14:09
General
-
Target
shegro2.1.exe
-
Size
236KB
-
MD5
fe7fb44408912cfcc134fece3697776b
-
SHA1
f4ba9fd0270bcd4ce6090e950cdeae5bd9880432
-
SHA256
2a8783a8fa5d2994fdce8d2bce2aeb59434d13534e9f13ccae8de38f72f0798f
-
SHA512
f3848e8410fa82a497634f6888f19483cb6f65a7a16d1b85921d0d3e2e710c167b82dd27ab163cf83270a3bcc2cdeed7b6264c084c37b1a887e35c1b492f86db
-
SSDEEP
6144:PYa6erNOk21nYN/GQT/J/gUNF8vx+SdJmdMmitT:PYIJEYN/GiJ4GF8vx3dJmdZG
Malware Config
Extracted
formbook
4.1
sy18
mgn4.com
gemellebeauty.com
emj2x.top
melissamcduffee.com
holangman.top
cqmksw.com
pinax.info
u2sr03.shop
weighing.xyz
jetcasinosite-official6.top
xyz.ngo
suandoc.xyz
aboutwean.site
stockprob.com
bawdydesignz.com
buddybooster.net
scuderiaexotics.com
design-de-interiores.wiki
shipsmartstore.com
patricklloydrunning.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\shegro2.1.exe"C:\Users\Admin\AppData\Local\Temp\shegro2.1.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\shegro2.1.exe"C:\Users\Admin\AppData\Local\Temp\shegro2.1.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\shegro2.1.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5236bddbd45b2ecabfca5a9e1aec6604e
SHA1d04ab12768dd2401877c7e92bc6a89f5188b98fc
SHA256cd8f85488967fd784f34554ce2598ff0c935818d5f81d7e9303e8985e3e58db0
SHA512c33c10a62c6a29312756f91a85365363885f942cfecfecbe3841d16c5c2588e0b5d4f7778e5bc20ecbb11363710bf890b33e65d1fad6bccc5291bd643eff0bf6
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
188KB
-
Filesize
3.3MB
-
Filesize
80KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
588KB
-
Filesize
188KB
-
Filesize
3.3MB
-
Filesize
360KB
-
Filesize
360KB