Analysis

  • max time kernel
    139s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-07-2023 12:30

General

  • Target

    SecuriteInfo.com.Trojan.Generic.30369079.30803.exe

  • Size

    261KB

  • MD5

    b3368c7d14c040c8734d69b5bbc0c635

  • SHA1

    d34224b8b7e01e22292a7eac678d337f00834a2b

  • SHA256

    a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114

  • SHA512

    5b036fe1a1650b8fbf03b2d4a91692ad271ce3a7fd572d6256e7b8aa71d9a8849b610865e782d2ab8566b7c44ee61af8965ab922d9e7ea552cb04734aee39c34

  • SSDEEP

    3072:FJ2S2L6KbqDCwcrMEEKsmO39oW1jSAI+ltOJ7y4UjjiJ0bUSgSBQ8QNn9lmDe5+W:F8LxBszXOyrSJm/bQN9laFexrODdtKRf

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsiD3B.tmp\bvxzu.dll
    Filesize

    47KB

    MD5

    ea41f063d08a24c992a9db51ebd1fd7f

    SHA1

    f28dda174cb32acfdc47cae0a101de53ab78d3a4

    SHA256

    9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee

    SHA512

    ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58

  • C:\Users\Admin\AppData\Local\Temp\nsiD3B.tmp\bvxzu.dll
    Filesize

    47KB

    MD5

    ea41f063d08a24c992a9db51ebd1fd7f

    SHA1

    f28dda174cb32acfdc47cae0a101de53ab78d3a4

    SHA256

    9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee

    SHA512

    ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58

  • memory/4240-140-0x00000000749D0000-0x00000000749E0000-memory.dmp
    Filesize

    64KB

  • memory/4240-143-0x00000000749D0000-0x00000000749E0000-memory.dmp
    Filesize

    64KB

  • memory/5036-142-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

  • memory/5036-146-0x0000000000A00000-0x0000000000D4A000-memory.dmp
    Filesize

    3.3MB