Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14-07-2024 08:09

General

  • Target

    FedEx Invoice_7447707012.exe

  • Size

    1.1MB

  • MD5

    e8b684a181e745c7e80acaa0dfa96193

  • SHA1

    cf5c3059ac345cb5fd3d943e3a5a27642ad2da0f

  • SHA256

    412f36cadb0568c43f0738c6a832f9096fa5692c8271b1e322b570152084dc31

  • SHA512

    69f505d8bcc98a657b847ebc7a30e33c2f80394cc92dc7dca2fc2af7566678f4929324ffa73d5fc42a7bd8e17940ebcf108b6b75eca10cb3e196b104c8fdcc2c

  • SSDEEP

    24576:ypwQaLmSnf3XrxwPr/Od/wLq7Mm9OCH8MIRi4Kq2:ypimentiWd7PX4R2

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dk07

Decoy

reclam.xyz

parchmentmediaadd.com

gaolibai.site

menage-exclusif.com

ceremoniesbyjade.com

5663876.com

take3.xyz

environmentaladvocacygroup.com

fp38z.rest

elektro-vlasic.com

bollybytestv.com

udfunsd.cloud

studiomiraiarq.com

e-commercebrasil.shop

sansiddhiedu.com

draaronroughan.net

24angel.com

rjh-equestrian.com

22db3rgdg6a73pea7.vip

mintygreen-wellnessportal.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe
      "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2176
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uGpLwm.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGpLwm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EF6.tmp"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2848
      • C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe
        "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
        3⤵
        • Deletes itself
        PID:568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1EF6.tmp

    Filesize

    1KB

    MD5

    2108242f0829132d655d828721f3001a

    SHA1

    31176384fa8f58648319ba10725a5a19069bd4ce

    SHA256

    5c2795c3c352ffb5c16fd3e613a480e885fcc07baec2b5a864e1aeca93a5b035

    SHA512

    20c7367bdabbd70a6cbb0c001f39a504bc563f97600ce0e8662ae06bfc85d13dd1b41bca3f61ae9ea0b16447c85c758e52443468f395fc61cc3ba5b54ab4baf7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    49f4710688dd0368cea232b908716af7

    SHA1

    96fe9763398af27c4d55cb0760dcd095bdb3ba1c

    SHA256

    eb4b25493d0cc8abb7f4cba445e07421d06b137f7720823f75407991d1d033ea

    SHA512

    34c1bc00560cfe9b8b5e5328a843afb416afab25f1df5cac7332d0310204cecf2d14cab4d7922fb19669a5fa9372331c62b66a320f93f6d5bdfa7e3c9139352a

  • memory/1984-4-0x00000000006D0000-0x00000000006E0000-memory.dmp

    Filesize

    64KB

  • memory/1984-26-0x0000000074C40000-0x000000007532E000-memory.dmp

    Filesize

    6.9MB

  • memory/1984-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

    Filesize

    4KB

  • memory/1984-5-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

    Filesize

    56KB

  • memory/1984-6-0x0000000004370000-0x00000000043E6000-memory.dmp

    Filesize

    472KB

  • memory/1984-2-0x0000000074C40000-0x000000007532E000-memory.dmp

    Filesize

    6.9MB

  • memory/1984-1-0x0000000000880000-0x00000000009AA000-memory.dmp

    Filesize

    1.2MB

  • memory/1984-3-0x0000000006D30000-0x0000000006DBA000-memory.dmp

    Filesize

    552KB

  • memory/2544-28-0x00000000000D0000-0x00000000000FF000-memory.dmp

    Filesize

    188KB

  • memory/2544-27-0x0000000000410000-0x0000000000514000-memory.dmp

    Filesize

    1.0MB

  • memory/2572-19-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2572-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2572-24-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2572-21-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB