Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-05-2024 02:59

General

  • Target

    9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe

  • Size

    816KB

  • MD5

    240f134e5318c9efc8f4edb219a9b16f

  • SHA1

    7150a57a5817c1602524fc2b3b8dfc2910b77148

  • SHA256

    9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613

  • SHA512

    704090e6007ae618f397d86ec1c7ffd8b2152cb2dfcbe6813a4d04963f07805ff7fd7f3ae4bdf99477f0791c31ede7609f59265a803893c7c89f07b62841f581

  • SSDEEP

    12288:JYuePwisfcgWf/j5VtK+CVINMX9yKBg7vj1UJ:2uIydk/jPoi+9yKe/1U

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ij84

Decoy

resetter.xyz

simonbelanger.me

kwip.xyz

7dbb9.baby

notion-everyday.com

saftiwall.com

pulse-gaming.com

fafafa1.shop

ihaveahole.com

sxtzzj.com

996688x.xyz

komalili.monster

haberdashere.store

nurselifegng.com

kidtryz.com

ghvx.xyz

1minvideopro.com

hidef.group

stylishbeststyler.space

spx21.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload (3 IoCs)
  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Suspicious use of SetThreadContext (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe (1 TTP, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious behavior: MapViewOfSection (6 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (35 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe
        "C:\Users\Admin\AppData\Local\Temp\9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe"
        2⤵
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Users\Admin\AppData\Local\Temp\teget3eet36.exe
          "C:\Users\Admin\AppData\Local\Temp\teget3eet36.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3024
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\Admin\AppData\Local\Temp\teget3eet36.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe"
            4⤵
            • Drops startup file
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2172
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 13
              5⤵
              • Runs ping.exe
              PID:2744
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 13
              5⤵
              • Runs ping.exe
              PID:2448
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2496
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                6⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3064
                • C:\Windows\SysWOW64\systray.exe
                  "C:\Windows\SysWOW64\systray.exe"
                  7⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2296
                  • C:\Windows\SysWOW64\cmd.exe
                    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    8⤵
                      PID:2272

Network

MITRE ATT&CK Enterprise v15

Downloads

      • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe

        Filesize

        816KB

        MD5

        240f134e5318c9efc8f4edb219a9b16f

        SHA1

        7150a57a5817c1602524fc2b3b8dfc2910b77148

        SHA256

        9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613

        SHA512

        704090e6007ae618f397d86ec1c7ffd8b2152cb2dfcbe6813a4d04963f07805ff7fd7f3ae4bdf99477f0791c31ede7609f59265a803893c7c89f07b62841f581

      • memory/1204-34-0x0000000004EE0000-0x0000000004FC9000-memory.dmp

        Filesize

        932KB

      • memory/1204-31-0x00000000052A0000-0x00000000053B8000-memory.dmp

        Filesize

        1.1MB

      • memory/1204-29-0x0000000003110000-0x0000000003210000-memory.dmp

        Filesize

        1024KB

      • memory/2296-32-0x0000000000790000-0x0000000000795000-memory.dmp

        Filesize

        20KB

      • memory/2296-33-0x0000000000080000-0x00000000000AF000-memory.dmp

        Filesize

        188KB

      • memory/2496-19-0x0000000000A50000-0x0000000000B22000-memory.dmp

        Filesize

        840KB

      • memory/2496-20-0x0000000000430000-0x000000000044A000-memory.dmp

        Filesize

        104KB

      • memory/2496-21-0x0000000000510000-0x0000000000516000-memory.dmp

        Filesize

        24KB

      • memory/2872-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

        Filesize

        4KB

      • memory/2872-5-0x00000000745B0000-0x0000000074C9E000-memory.dmp

        Filesize

        6.9MB

      • memory/2872-3-0x0000000004EA0000-0x0000000004EE4000-memory.dmp

        Filesize

        272KB

      • memory/2872-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp

        Filesize

        6.9MB

      • memory/2872-1-0x0000000000C90000-0x0000000000D62000-memory.dmp

        Filesize

        840KB

      • memory/3024-6-0x00000000745B0000-0x0000000074C9E000-memory.dmp

        Filesize

        6.9MB

      • memory/3024-8-0x00000000745B0000-0x0000000074C9E000-memory.dmp

        Filesize

        6.9MB

      • memory/3024-7-0x00000000745B0000-0x0000000074C9E000-memory.dmp

        Filesize

        6.9MB

      • memory/3064-27-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/3064-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/3064-30-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/3064-24-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/3064-23-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB