Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    12-07-2024 18:06

General

  • Target

    8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe

  • Size

    620KB

  • MD5

    6f6db1e7da6dcc039ad7a1bb95d153eb

  • SHA1

    4e69bc26c9e11faececb76dfb4876165842a7383

  • SHA256

    8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae

  • SHA512

    0088f6a5cae353de2d418d942b0f16d82883bdd55af64af433f4d10a1b29b044c8892c246fa3cc4b70b364b213be4ec05b4874bcccd316d9d475b52981ff98b6

  • SSDEEP

    12288:eb+YVK+orv7oWukJFoimuR6W5lzi7Cq82cXEC1ki2rpEWdzFTTLyh:V1+jMBmu3zCxcj1kdEcF

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sp26

Decoy

co37.top

00050525.xyz

gucci-official.asia

xb1111.vip

brandignitemarketing.com

smqhr.vip

neuroenergetichealing.com

huskyrecords.com

bt365962.com

sonicmfers.com

bytoi.xyz

52725.xyz

tantargobank.com

quantumsolutionsblr.com

webzlp.xyz

euroelitegear.store

xyffaa.com

pickleballtvchampionship.com

hyrdomist.com

dgaaa.click

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe
    "C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe
      "C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe"
      2⤵
        PID:2960
      • C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe
        "C:\Users\Admin\AppData\Local\Temp\8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2168

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2156-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

      Filesize

      4KB

    • memory/2156-1-0x0000000000100000-0x00000000001A0000-memory.dmp

      Filesize

      640KB

    • memory/2156-2-0x00000000743C0000-0x0000000074AAE000-memory.dmp

      Filesize

      6.9MB

    • memory/2156-3-0x0000000001DA0000-0x0000000001DB0000-memory.dmp

      Filesize

      64KB

    • memory/2156-4-0x0000000001DC0000-0x0000000001DCE000-memory.dmp

      Filesize

      56KB

    • memory/2156-5-0x0000000004390000-0x0000000004406000-memory.dmp

      Filesize

      472KB

    • memory/2156-11-0x00000000743C0000-0x0000000074AAE000-memory.dmp

      Filesize

      6.9MB

    • memory/2168-6-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2168-10-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2168-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2168-7-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2168-12-0x0000000000B60000-0x0000000000E63000-memory.dmp

      Filesize

      3.0MB