Resubmissions

24-07-2023 06:32

230724-haylwaag65 10

16-07-2023 18:15

230716-wwbacshb7z 10

Analysis

  • max time kernel
    116s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24-07-2023 06:32

General

  • Target

    1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

  • Size

    723KB

  • MD5

    b659d359a6fafaf7954c78199552852e

  • SHA1

    027ce3b08fe9c0c47114d6711fb26551eba96a72

  • SHA256

    1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a

  • SHA512

    6699fc5fa65b322edb6ea59062b36deb2a33e481c608a49503c24d3479d7a1feed07ddcefdd9987e9943b5999125148c9330a1717db4f1e10a7377d4a6ef5689

  • SSDEEP

    12288:Duc81q9I6/kldSCF3/86K+/YpJ6zFJpXZDyaod+ik4g8y3SoD:Duc8OM/8l+/2JW/JW2rEloD

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hkn

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
    "C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
      "{path}"
      2⤵
        PID:4656
      • C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
        "{path}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1108


    Downloads

    • memory/1108-140-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

    • memory/1108-143-0x0000000000F60000-0x00000000012AA000-memory.dmp
      Filesize

      3.3MB

    • memory/1940-133-0x00000000748B0000-0x0000000075060000-memory.dmp
      Filesize

      7.7MB

    • memory/1940-134-0x0000000000030000-0x00000000000EC000-memory.dmp
      Filesize

      752KB

    • memory/1940-135-0x0000000004A80000-0x0000000004B1C000-memory.dmp
      Filesize

      624KB

    • memory/1940-136-0x0000000004BC0000-0x0000000004C52000-memory.dmp
      Filesize

      584KB

    • memory/1940-137-0x00000000748B0000-0x0000000075060000-memory.dmp
      Filesize

      7.7MB

    • memory/1940-138-0x0000000002390000-0x00000000023A0000-memory.dmp
      Filesize

      64KB

    • memory/1940-139-0x0000000005780000-0x0000000005D24000-memory.dmp
      Filesize

      5.6MB

    • memory/1940-142-0x00000000748B0000-0x0000000075060000-memory.dmp
      Filesize

      7.7MB