Analysis

  • max time kernel
    133s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 02:43

General

  • Target

    483080c26096e479fad0997bedffb6dd.exe

  • Size

    456KB

  • MD5

    483080c26096e479fad0997bedffb6dd

  • SHA1

    d7362052d9c1451b235075703b6c88f02d5ef71e

  • SHA256

    e16af0a74030cfbd17c2086bc1151995852fb5333949a54dfb36bc2992bb87eb

  • SHA512

    c976033a62a43766a71c7009d69d464f43f7de75db9228282467c35efcd25ec1905ff8e2c4422351edddd3ca7aa033cd62016b92a6d3ab8b45b6ec8bdb5b61fc

  • SSDEEP

    6144:Q/mPIFTMlikyqCQB+cxnQdoQsk+xi72mINsaU9h:Q0UwxyqCwFQdz+ojaU9h

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

sa

Decoy

masleyscabinetshop.com

drmarissathomas.com

alkalinewaterpurifier.com

kabluchok.com

jqm65e51.biz

hellomelmel.com

futsalfutsal.com

speedyrooftarp.com

cyberhostingnet.com

295qp.com

fais-moi-une-offre.com

maketing.today

thedevicreations.com

domuservizi.online

goldanddenim.com

oimkv4.info

benefitmanagementllc401k.com

niniiiiii.com

shortkits.com

nukamika.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\483080c26096e479fad0997bedffb6dd.exe
    "C:\Users\Admin\AppData\Local\Temp\483080c26096e479fad0997bedffb6dd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Local\Temp\483080c26096e479fad0997bedffb6dd.exe
      "C:\Users\Admin\AppData\Local\Temp\483080c26096e479fad0997bedffb6dd.exe"
      2⤵
        PID:1444
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 184
          3⤵
          • Program crash
          PID:3496
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1444 -ip 1444
      1⤵
        PID:4460

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/552-0-0x000000007449E000-0x000000007449F000-memory.dmp

        Filesize

        4KB

      • memory/552-1-0x0000000000A90000-0x0000000000B08000-memory.dmp

        Filesize

        480KB

      • memory/552-2-0x00000000059E0000-0x0000000005F84000-memory.dmp

        Filesize

        5.6MB

      • memory/552-3-0x0000000005510000-0x00000000055A2000-memory.dmp

        Filesize

        584KB

      • memory/552-4-0x00000000054E0000-0x0000000005500000-memory.dmp

        Filesize

        128KB

      • memory/552-6-0x0000000074490000-0x0000000074C40000-memory.dmp

        Filesize

        7.7MB

      • memory/552-5-0x0000000005740000-0x000000000574A000-memory.dmp

        Filesize

        40KB

      • memory/552-7-0x000000007449E000-0x000000007449F000-memory.dmp

        Filesize

        4KB

      • memory/552-8-0x0000000074490000-0x0000000074C40000-memory.dmp

        Filesize

        7.7MB

      • memory/552-9-0x0000000006B30000-0x0000000006BCC000-memory.dmp

        Filesize

        624KB

      • memory/552-14-0x0000000074490000-0x0000000074C40000-memory.dmp

        Filesize

        7.7MB

      • memory/1444-11-0x0000000000560000-0x000000000058A000-memory.dmp

        Filesize

        168KB