Analysis

  • max time kernel
    28s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2023 14:23

General

  • Target

    0128e78a9fc3a12e1f247dec90b1de6ed4176587febc5ab0a9dcc0fc3735db0d.exe

  • Size

    264KB

  • MD5

    6c3e6d63a617f95d0452b8ca799b9575

  • SHA1

    eaa7aba61ddd90a3ade1ec30c304abc79d430882

  • SHA256

    0128e78a9fc3a12e1f247dec90b1de6ed4176587febc5ab0a9dcc0fc3735db0d

  • SHA512

    63844d52aaab6ec6cc0f584d5dc343fddf7ee3df07760888371bc0e4202c88f8208210639218b0f1d8b40ee1a4c227402ed41bb0f5cbf202043efbbead39c7a6

  • SSDEEP

    3072:WfY/TU9fE9PEtu+bQk+mX8K1JwlVRMKprcTc+xf3nKPn1Pw0kxXjVPSJMtFdUpvw:AYa6yi395cTbvoBw1QaeRk0bk

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sy18

Decoy

mgn4.com

gemellebeauty.com

emj2x.top

melissamcduffee.com

holangman.top

cqmksw.com

pinax.info

u2sr03.shop

weighing.xyz

jetcasinosite-official6.top

xyz.ngo

suandoc.xyz

aboutwean.site

stockprob.com

bawdydesignz.com

buddybooster.net

scuderiaexotics.com

design-de-interiores.wiki

shipsmartstore.com

patricklloydrunning.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0128e78a9fc3a12e1f247dec90b1de6ed4176587febc5ab0a9dcc0fc3735db0d.exe
    "C:\Users\Admin\AppData\Local\Temp\0128e78a9fc3a12e1f247dec90b1de6ed4176587febc5ab0a9dcc0fc3735db0d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\AppData\Local\Temp\0128e78a9fc3a12e1f247dec90b1de6ed4176587febc5ab0a9dcc0fc3735db0d.exe
      "C:\Users\Admin\AppData\Local\Temp\0128e78a9fc3a12e1f247dec90b1de6ed4176587febc5ab0a9dcc0fc3735db0d.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2000

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsd10D5.tmp\pcegqjdi.dll

    Filesize

    7KB

    MD5

    b6be15788bf209e3ccb061ac55ff2f23

    SHA1

    9ea41d21f1253f37d93065acc3a86c4390580ca8

    SHA256

    b0caa32d9b5d1773f3c2c9819635dcb58143f9a9faf9ebb2ed998195c70ba94e

    SHA512

    83395bac1b2d328e141aa10f1ce8e30c793a523e324210e505631b4f3037fa2dc8ef9d9e3ffd9847609262237e7f0f0ee24965829acbae235208051fd47759cd

  • \Users\Admin\AppData\Local\Temp\nsd10D5.tmp\pcegqjdi.dll

    Filesize

    7KB

    MD5

    b6be15788bf209e3ccb061ac55ff2f23

    SHA1

    9ea41d21f1253f37d93065acc3a86c4390580ca8

    SHA256

    b0caa32d9b5d1773f3c2c9819635dcb58143f9a9faf9ebb2ed998195c70ba94e

    SHA512

    83395bac1b2d328e141aa10f1ce8e30c793a523e324210e505631b4f3037fa2dc8ef9d9e3ffd9847609262237e7f0f0ee24965829acbae235208051fd47759cd

  • memory/2000-63-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2000-66-0x0000000000810000-0x0000000000B13000-memory.dmp

    Filesize

    3.0MB