Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/10/2023, 19:35

General

  • Target

    NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe

  • Size

    635KB

  • MD5

    0d92c4776d31205c7b2275d1a78b4085

  • SHA1

    985fba4c665f1f1250df0a85c3169bc631d9e0a5

  • SHA256

    f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949

  • SHA512

    965c80653a4e4a0bfaacd60131248aaf15fca1487df8a72f2780c7fba63e6a09227252271cb1e5d8547a241ec644e16b924dd1cf683f39b08f3cbf08b8008e22

  • SSDEEP

    12288:Noj7s93wIxbzM1k19Rvt7l+SAd+GSJnhY5RgzTaz6uiczg:Oj7s93nfxfha7SJCuOz9k

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

eg02

Decoy

erc20.gold

elainevannmorgan.photography

melbet-el4.top

guvenilir.bet

sesamecsre.com

kevinjaydenwivano.tech

condohotelguru.com

shjcdz.com

innocarta.store

collinstradingpost.com

6om3j4.top

nagtco.xyz

fasist.fit

arkansaspremiertournaments.com

mrscsnowschool.com

ma-group.online

lillyjriley.icu

electric-cars-87253.bond

lila.tools

hollamia.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Ruwtgxl.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Ruwtgxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp954.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2716
    • C:\Users\Admin\AppData\Local\Temp\NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949exe_JC.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2564

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp954.tmp

          Filesize

          1KB

          MD5

          7a127e68830078d9c2b9490bb1957762

          SHA1

          3bf4dedec481ca06df8d66192f1a45659f95135a

          SHA256

          cb03dfc141181516ef76049eba71f5819f4ec50f8e63c4b4990994b81f782d98

          SHA512

          892753087e0fc9e9c19115dd305814ed1df81fd8bea218afe18287e4cee194da8b13a63bc0e6a55003d8a7f24a4e171091650fb6ae5b8cd40241e94a97fcc9b3

        • memory/1264-0-0x0000000001160000-0x0000000001204000-memory.dmp

          Filesize

          656KB

        • memory/1264-1-0x0000000074DA0000-0x000000007548E000-memory.dmp

          Filesize

          6.9MB

        • memory/1264-2-0x0000000000430000-0x0000000000470000-memory.dmp

          Filesize

          256KB

        • memory/1264-3-0x0000000000470000-0x0000000000488000-memory.dmp

          Filesize

          96KB

        • memory/1264-4-0x0000000074DA0000-0x000000007548E000-memory.dmp

          Filesize

          6.9MB

        • memory/1264-5-0x0000000000430000-0x0000000000470000-memory.dmp

          Filesize

          256KB

        • memory/1264-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

          Filesize

          64KB

        • memory/1264-7-0x0000000004880000-0x00000000048EE000-memory.dmp

          Filesize

          440KB

        • memory/1264-20-0x0000000074DA0000-0x000000007548E000-memory.dmp

          Filesize

          6.9MB

        • memory/2564-16-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2564-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2564-19-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2564-15-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2564-21-0x0000000000700000-0x0000000000A03000-memory.dmp

          Filesize

          3.0MB

        • memory/2912-22-0x000000006F170000-0x000000006F71B000-memory.dmp

          Filesize

          5.7MB

        • memory/2912-23-0x000000006F170000-0x000000006F71B000-memory.dmp

          Filesize

          5.7MB

        • memory/2912-24-0x0000000002350000-0x0000000002390000-memory.dmp

          Filesize

          256KB

        • memory/2912-25-0x0000000002350000-0x0000000002390000-memory.dmp

          Filesize

          256KB

        • memory/2912-26-0x000000006F170000-0x000000006F71B000-memory.dmp

          Filesize

          5.7MB