Analysis

  • max time kernel
    147s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-05-2024 05:56

General

  • Target

    Doc20189700.exe

  • Size

    545KB

  • MD5

    7bce7d55931c5f34701501a38aa95cd3

  • SHA1

    7af77f1afe68b94a6617ac9a1ed5d21b66ca4008

  • SHA256

    742be802e5d909d41c46fd374e6682f0467003e03f5387f37fe18d407322e5a5

  • SHA512

    7bb4e470452a1f0dcd2bcc247c179d3c41b3fdac2aa694f6c79f7af71605226648ad3b57129f3930f85c7b10fc4329a622cbb7ffc27fe9fbb1b7aa4258a742c7

  • SSDEEP

    12288:WwSpsazDx3ScS946sj0kBFZWHcupoC+22bFK9Z47:1yDzcn4jrZTrJbG4

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

h323

Decoy

sanfransiscolotto.com

mcginnisformayor.com

puer-energy.net

hieusport.com

alevelcourse.net

excelcium-promotion.info

waehlergemeinschaft-bergen.com

capstone-asphalt.com

ppacspromsecureproved3.info

bm9993.com

zhuozixf119.com

sgy64dq.ink

qukuaifun.com

boletosdeavion.store

ministeriofaceaface.com

xn--fiq06lpuc3zab58o04p.com

sunglassessales.win

jano.tech

tillillishop.com

tyty544.com

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Users\Admin\AppData\Local\Temp\Doc20189700.exe
      "C:\Users\Admin\AppData\Local\Temp\Doc20189700.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Doc20189700.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe"
        3⤵
          PID:3008
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe"
          3⤵
            PID:1788

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\kist.exe

    Filesize

    545KB

    MD5

    7bce7d55931c5f34701501a38aa95cd3

    SHA1

    7af77f1afe68b94a6617ac9a1ed5d21b66ca4008

    SHA256

    742be802e5d909d41c46fd374e6682f0467003e03f5387f37fe18d407322e5a5

    SHA512

    7bb4e470452a1f0dcd2bcc247c179d3c41b3fdac2aa694f6c79f7af71605226648ad3b57129f3930f85c7b10fc4329a622cbb7ffc27fe9fbb1b7aa4258a742c7

  • memory/1340-15-0x0000000003040000-0x0000000003140000-memory.dmp

    Filesize

    1024KB

  • memory/1340-17-0x0000000007630000-0x00000000077D4000-memory.dmp

    Filesize

    1.6MB

  • memory/2240-0-0x000000007415E000-0x000000007415F000-memory.dmp

    Filesize

    4KB

  • memory/2240-1-0x0000000000060000-0x00000000000F0000-memory.dmp

    Filesize

    576KB

  • memory/2240-2-0x0000000000960000-0x00000000009F8000-memory.dmp

    Filesize

    608KB

  • memory/2240-3-0x00000000002A0000-0x00000000002BE000-memory.dmp

    Filesize

    120KB

  • memory/2240-4-0x0000000074150000-0x000000007483E000-memory.dmp

    Filesize

    6.9MB

  • memory/2240-9-0x0000000074150000-0x000000007483E000-memory.dmp

    Filesize

    6.9MB

  • memory/2516-16-0x000000004A1C0000-0x000000004A20C000-memory.dmp

    Filesize

    304KB

  • memory/2660-11-0x0000000000CF0000-0x0000000000D80000-memory.dmp

    Filesize

    576KB

  • memory/2736-12-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB