Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 02:59

General

  • Target

    9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe

  • Size

    816KB

  • MD5

    240f134e5318c9efc8f4edb219a9b16f

  • SHA1

    7150a57a5817c1602524fc2b3b8dfc2910b77148

  • SHA256

    9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613

  • SHA512

    704090e6007ae618f397d86ec1c7ffd8b2152cb2dfcbe6813a4d04963f07805ff7fd7f3ae4bdf99477f0791c31ede7609f59265a803893c7c89f07b62841f581

  • SSDEEP

    12288:JYuePwisfcgWf/j5VtK+CVINMX9yKBg7vj1UJ:2uIydk/jPoi+9yKe/1U

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ij84

Decoy

resetter.xyz

simonbelanger.me

kwip.xyz

7dbb9.baby

notion-everyday.com

saftiwall.com

pulse-gaming.com

fafafa1.shop

ihaveahole.com

sxtzzj.com

996688x.xyz

komalili.monster

haberdashere.store

nurselifegng.com

kidtryz.com

ghvx.xyz

1minvideopro.com

hidef.group

stylishbeststyler.space

spx21.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Users\Admin\AppData\Local\Temp\9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe
      "C:\Users\Admin\AppData\Local\Temp\9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Users\Admin\AppData\Local\Temp\teget3eet36.exe
        "C:\Users\Admin\AppData\Local\Temp\teget3eet36.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c ping 127.0.0.1 -n 11 > nul && copy "C:\Users\Admin\AppData\Local\Temp\teget3eet36.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe" && ping 127.0.0.1 -n 11 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe"
          4⤵
          • Drops startup file
          • Suspicious use of WriteProcessMemory
          PID:4472
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 11
            5⤵
            • Runs ping.exe
            PID:4108
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 11
            5⤵
            • Runs ping.exe
            PID:1492
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3740
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:3984
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
          PID:884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6y363yshy3\83je7dhd73hyh.exe

      Filesize

      816KB

      MD5

      240f134e5318c9efc8f4edb219a9b16f

      SHA1

      7150a57a5817c1602524fc2b3b8dfc2910b77148

      SHA256

      9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613

      SHA512

      704090e6007ae618f397d86ec1c7ffd8b2152cb2dfcbe6813a4d04963f07805ff7fd7f3ae4bdf99477f0791c31ede7609f59265a803893c7c89f07b62841f581

    • memory/832-12-0x00000000743D0000-0x0000000074B80000-memory.dmp

      Filesize

      7.7MB

    • memory/832-5-0x00000000743D0000-0x0000000074B80000-memory.dmp

      Filesize

      7.7MB

    • memory/832-1-0x0000000000420000-0x00000000004F2000-memory.dmp

      Filesize

      840KB

    • memory/832-4-0x0000000005750000-0x00000000057EC000-memory.dmp

      Filesize

      624KB

    • memory/832-2-0x0000000005B80000-0x0000000006124000-memory.dmp

      Filesize

      5.6MB

    • memory/832-6-0x0000000006810000-0x0000000006854000-memory.dmp

      Filesize

      272KB

    • memory/832-7-0x00000000069C0000-0x00000000069CA000-memory.dmp

      Filesize

      40KB

    • memory/832-9-0x0000000007CB0000-0x00000000081DC000-memory.dmp

      Filesize

      5.2MB

    • memory/832-3-0x00000000056B0000-0x0000000005742000-memory.dmp

      Filesize

      584KB

    • memory/832-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

      Filesize

      4KB

    • memory/2512-11-0x00000000743D0000-0x0000000074B80000-memory.dmp

      Filesize

      7.7MB

    • memory/2512-14-0x00000000743D0000-0x0000000074B80000-memory.dmp

      Filesize

      7.7MB

    • memory/2512-16-0x00000000743D0000-0x0000000074B80000-memory.dmp

      Filesize

      7.7MB

    • memory/2512-13-0x00000000743D0000-0x0000000074B80000-memory.dmp

      Filesize

      7.7MB

    • memory/3520-33-0x0000000003060000-0x000000000311F000-memory.dmp

      Filesize

      764KB

    • memory/3740-22-0x0000000000C50000-0x0000000000D22000-memory.dmp

      Filesize

      840KB

    • memory/3740-23-0x0000000007280000-0x000000000729A000-memory.dmp

      Filesize

      104KB

    • memory/3740-24-0x00000000072B0000-0x00000000072B6000-memory.dmp

      Filesize

      24KB

    • memory/3984-25-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4324-28-0x0000000000E60000-0x0000000000E6B000-memory.dmp

      Filesize

      44KB

    • memory/4324-29-0x0000000000770000-0x000000000079F000-memory.dmp

      Filesize

      188KB