Analysis

  • max time kernel
    158s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2023, 15:28

General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.21070.31490.exe

  • Size

    852KB

  • MD5

    9db2aef89a0872e99d266cfb6ed00999

  • SHA1

    4ff386a6dc8f254c76215243d28ca3efbd934c1b

  • SHA256

    ce345574366b94994a2aade4a96ade0eee23ad088211416b5695166cd251ec61

  • SHA512

    07b568f24429c68ec06b87457ff969f7b70e12720d656d91e0680f3251ec6600f7ac559b8e858ebd71c09e067dd09c009bb791e7a3333ed9e95babf70f970c48

  • SSDEEP

    12288:vP27U0WWObWpf57f6ESknqQrQJfI2CiPQfP12Xk/Nl1dSQ1Ulx3/z6OAq7hxfZuk:veD4+f5eEn1mxCiPQfP28NX0Qulxw

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

v93r

Decoy
Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.31490.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.31490.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.31490.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.31490.exe"
      2⤵
        PID:4836
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.31490.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.31490.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4620

Downloads

  • memory/1404-6-0x00000000071A0000-0x00000000071B4000-memory.dmp (Filesize 80KB)
  • memory/1404-10-0x0000000007E90000-0x0000000007EFE000-memory.dmp (Filesize 440KB)
  • memory/1404-2-0x0000000007590000-0x0000000007B34000-memory.dmp (Filesize 5.6MB)
  • memory/1404-3-0x0000000006FE0000-0x0000000007072000-memory.dmp (Filesize 584KB)
  • memory/1404-4-0x0000000007270000-0x0000000007280000-memory.dmp (Filesize 64KB)
  • memory/1404-5-0x0000000007180000-0x000000000718A000-memory.dmp (Filesize 40KB)
  • memory/1404-1-0x0000000000090000-0x000000000016A000-memory.dmp (Filesize 872KB)
  • memory/1404-8-0x0000000007270000-0x0000000007280000-memory.dmp (Filesize 64KB)
  • memory/1404-0-0x0000000074B20000-0x00000000752D0000-memory.dmp (Filesize 7.7MB)
  • memory/1404-9-0x0000000007380000-0x000000000738C000-memory.dmp (Filesize 48KB)
  • memory/1404-7-0x0000000074B20000-0x00000000752D0000-memory.dmp (Filesize 7.7MB)
  • memory/1404-11-0x000000000B430000-0x000000000B4CC000-memory.dmp (Filesize 624KB)
  • memory/1404-14-0x0000000074B20000-0x00000000752D0000-memory.dmp (Filesize 7.7MB)
  • memory/4620-12-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
  • memory/4620-15-0x0000000001630000-0x000000000197A000-memory.dmp (Filesize 3.3MB)