Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 07:33

General

  • Target

    Asiaction__ Purchase Order_Specification.exe

  • Size

    616KB

  • MD5

    19e12707415e84553f9743a4d109ef73

  • SHA1

    96fc30b169baa93b1c45cac3de430cb52cfad229

  • SHA256

    56e0ddbe7333484dbf0251177a4fd5fa51cce0b5cd42efcc7f9c312b1818be56

  • SHA512

    5cbb44f5894e8cb139e54d9cc664ff00e3a1dde901fc9dc3017f49ae03e382bf648164526d233c869c48fdbda7c0ae2a23b4d70229de986341d1c26d5120b988

  • SSDEEP

    12288:SIKHQ8nWqI00M5PKTOd5iudnHR+vzjKQqePFLVoq3Fw:SIKH5fI0B5Pr57dnHMLqePRVoMF

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sg36

Decoy

cookfranschhoek.com

rajaslot138.today

eightfigureroundtable.com

sdklwdz.com

novaturienthealth.com

sk87k.xyz

defoutenmakers.online

eadsanuncios.com

drewkav.com

car-insurance-94416.bond

m3nm.site

6vab.site

towing-barnesville.top

authentifizierung-beginnen.com

thejmfc.com

beggiapizza.site

gttsfibermill.com

cdugood.com

dominiongeneralcontractors.com

deprepagos.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe
      "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nRGThSlhfFI.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2684
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nRGThSlhfFI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp677A.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2728
      • C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe
        "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
        3⤵
        • Deletes itself
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp677A.tmp

    Filesize

    1KB

    MD5

    963bad9a208e910f2564295499d7f6ae

    SHA1

    2fee43c44e15299e40a96b150f1a5e5876c8e560

    SHA256

    4335348bd9b7d19e43494057605100a1bb07fa5e39d1f3d363d7cc4474602b69

    SHA512

    4637a29c434f877a92921f655dc7d53bd818d5c29217ce0550a10e0eaf8f20861c886fa2e0f06684a57d89316787d7c5146866dd72ba6808776e6bf8d402f56e

  • memory/848-22-0x0000000074250000-0x000000007493E000-memory.dmp

    Filesize

    6.9MB

  • memory/848-0-0x000000007425E000-0x000000007425F000-memory.dmp

    Filesize

    4KB

  • memory/848-3-0x0000000000980000-0x00000000009A0000-memory.dmp

    Filesize

    128KB

  • memory/848-4-0x0000000000430000-0x000000000043A000-memory.dmp

    Filesize

    40KB

  • memory/848-6-0x0000000005D90000-0x0000000005DFE000-memory.dmp

    Filesize

    440KB

  • memory/848-2-0x0000000074250000-0x000000007493E000-memory.dmp

    Filesize

    6.9MB

  • memory/848-1-0x0000000000AE0000-0x0000000000B80000-memory.dmp

    Filesize

    640KB

  • memory/848-5-0x0000000000450000-0x000000000045E000-memory.dmp

    Filesize

    56KB

  • memory/1192-21-0x0000000000310000-0x0000000000410000-memory.dmp

    Filesize

    1024KB

  • memory/2660-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2660-14-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2660-16-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2660-19-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2760-23-0x00000000006B0000-0x00000000006C4000-memory.dmp

    Filesize

    80KB

  • memory/2760-25-0x00000000006B0000-0x00000000006C4000-memory.dmp

    Filesize

    80KB

  • memory/2760-26-0x00000000000D0000-0x00000000000FF000-memory.dmp

    Filesize

    188KB