Analysis

  • max time kernel
    94s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-07-2024 11:54

General

  • Target

    9d8bba178d59f8e1a7bbf2d793b30c58.exe

  • Size

    1.6MB

  • MD5

    9d8bba178d59f8e1a7bbf2d793b30c58

  • SHA1

    fcd9ddb47e8faac52d5f9450cbe8970d259cd63f

  • SHA256

    2908b204b48c6e54598045bed024df0a256f41d0e53239f5d5606d2be8111c07

  • SHA512

    e4e9223b006a7813ced3cf124ca25db3214929cc03d2b14688ba23f5b34949f4f156d646b5eb2f5d75ac17d526537b699f844bccdd19baa205a36de5b1d449b8

  • SSDEEP

    12288:TNLnJocGYWkX35QDuPSzBzsFXFIntvrP9zVYL/EyN7T20:JLnrNWkXo1BzsdeFxzS4ydi0

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Formbook payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d8bba178d59f8e1a7bbf2d793b30c58.exe
    "C:\Users\Admin\AppData\Local\Temp\9d8bba178d59f8e1a7bbf2d793b30c58.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9d8bba178d59f8e1a7bbf2d793b30c58.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      2⤵
        PID:1072
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        2⤵
          PID:2852
        • C:\Windows\System32\calc.exe
          "C:\Windows\System32\calc.exe"
          2⤵
            PID:3548
          • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
            "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
            2⤵
              PID:1600
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
              2⤵
                PID:1248
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 24
                  3⤵
                  • Program crash
                  PID:1800
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
                2⤵
                  PID:804
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1248 -ip 1248
                1⤵
                  PID:400

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4w4shcn1.enp.ps1

                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • memory/1248-21-0x0000000000400000-0x000000000042F000-memory.dmp

                  Filesize

                  188KB

                • memory/1500-16-0x000001B3FA760000-0x000001B3FA782000-memory.dmp

                  Filesize

                  136KB

                • memory/1500-5-0x00007FFF09540000-0x00007FFF0A001000-memory.dmp

                  Filesize

                  10.8MB

                • memory/1500-6-0x00007FFF09540000-0x00007FFF0A001000-memory.dmp

                  Filesize

                  10.8MB

                • memory/1500-17-0x00007FFF09540000-0x00007FFF0A001000-memory.dmp

                  Filesize

                  10.8MB

                • memory/1500-20-0x00007FFF09540000-0x00007FFF0A001000-memory.dmp

                  Filesize

                  10.8MB

                • memory/4992-3-0x000002056D500000-0x000002056D586000-memory.dmp

                  Filesize

                  536KB

                • memory/4992-4-0x00007FFF09540000-0x00007FFF0A001000-memory.dmp

                  Filesize

                  10.8MB

                • memory/4992-2-0x000002056F710000-0x000002056F71E000-memory.dmp

                  Filesize

                  56KB

                • memory/4992-0-0x000002056D120000-0x000002056D12E000-memory.dmp

                  Filesize

                  56KB

                • memory/4992-1-0x00007FFF09543000-0x00007FFF09545000-memory.dmp

                  Filesize

                  8KB

                • memory/4992-22-0x00007FFF09540000-0x00007FFF0A001000-memory.dmp

                  Filesize

                  10.8MB