Analysis

  • max time kernel
    149s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-07-2024 08:09

General

  • Target

    FedEx Invoice_7447707012.exe

  • Size

    1.1MB

  • MD5

    e8b684a181e745c7e80acaa0dfa96193

  • SHA1

    cf5c3059ac345cb5fd3d943e3a5a27642ad2da0f

  • SHA256

    412f36cadb0568c43f0738c6a832f9096fa5692c8271b1e322b570152084dc31

  • SHA512

    69f505d8bcc98a657b847ebc7a30e33c2f80394cc92dc7dca2fc2af7566678f4929324ffa73d5fc42a7bd8e17940ebcf108b6b75eca10cb3e196b104c8fdcc2c

  • SSDEEP

    24576:ypwQaLmSnf3XrxwPr/Od/wLq7Mm9OCH8MIRi4Kq2:ypimentiWd7PX4R2

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dk07

Decoy

reclam.xyz

parchmentmediaadd.com

gaolibai.site

menage-exclusif.com

ceremoniesbyjade.com

5663876.com

take3.xyz

environmentaladvocacygroup.com

fp38z.rest

elektro-vlasic.com

bollybytestv.com

udfunsd.cloud

studiomiraiarq.com

e-commercebrasil.shop

sansiddhiedu.com

draaronroughan.net

24angel.com

rjh-equestrian.com

22db3rgdg6a73pea7.vip

mintygreen-wellnessportal.com

Signatures

  • Formbook

    Formbook is an information stealer: it grabs credentials and submitted form data from browsers and mail clients, logs keystrokes and clipboard contents, and runs its stealer code from inside legitimate processes it injects into.

  • Formbook payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell (Add-MpPreference) to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe
      "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uGpLwm.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2640
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGpLwm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2796
      • C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe
        "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
        3⤵
        • Deletes itself
        PID:2488
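
The process tree above is the part of this report a detection engineer can act on: a binary in the user's Temp directory spawns PowerShell to exclude itself and its Roaming copy from Defender, registers a scheduled task from an XML file staged in Temp, relaunches itself (the SetThreadContext stage), and finally deletes the original from a cmd.exe spawned by an svchost.exe that Explorer, not services.exe, started. The script below is an added example, not part of the sandbox report or any detection product. It assumes process-creation telemetry (Sysmon event 1 or Security 4688) reduced to pid, ppid, image and command line; the sample events are constructed from the tree shown above, with the Explorer parent PID (1000) and the extra Get-MpPreference event invented as benign noise. Each rule fires on one technique; the per-tree verdict only fires when several of them occur under the same root, which is what separates this chain from an admin adding one exclusion by hand.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record reduced to the fields the rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    technique: str
    severity: str
    pid: int


# Constructed sample events modelled on the process tree in this report. The Explorer
# parent PID (1000) and the final Get-MpPreference event are invented; the rest mirrors
# the PIDs and command lines the sandbox recorded.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(1252, 1000, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(828, 1252, SAMPLE, rf'"{SAMPLE}"'),
    ProcEvent(2892, 828, PS, rf'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(2640, 828, PS, rf'"{PS}" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uGpLwm.exe"'),
    ProcEvent(2796, 828, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGpLwm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp"'),
    ProcEvent(3048, 828, SAMPLE, rf'"{SAMPLE}"'),
    ProcEvent(2532, 1252, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Windows\SysWOW64\svchost.exe"'),
    ProcEvent(2488, 2532, r"C:\Windows\SysWOW64\cmd.exe", rf'/c del "{SAMPLE}"'),
    ProcEvent(4100, 1252, PS, rf'"{PS}" Get-MpPreference'),  # benign: reads settings only
]

# Directories a standard user can write to; binaries and task XML staged here are suspect.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local\\Temp|Roaming)|Users\\Public|ProgramData)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev, by_pid, images):
    # Add-MpPreference -Exclusion{Path,Process,Extension}; high when the caller lives in a user dir.
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    if not (re.search(r"\bAdd-MpPreference\b", ev.cmdline, re.I)
            and re.search(r"-Exclusion(?:Path|Process|Extension)\b", ev.cmdline, re.I)):
        return None
    parent = by_pid.get(ev.ppid)
    sev = "high" if parent and USER_WRITABLE.search(parent.image) else "medium"
    return Finding("defender_exclusion", sev, ev.pid)


def rule_schtasks_xml(ev, by_pid, images):
    # schtasks /Create ... /XML <file> with the task definition staged in a user-writable dir.
    if basename(ev.image) != "schtasks.exe":
        return None
    m = re.search(r"/Create\b.*?/XML\s+\"?([^\"]+)", ev.cmdline, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return Finding("schtasks_xml_from_user_dir", "medium", ev.pid)
    return None


def rule_self_relaunch(ev, by_pid, images):
    # A user-dir binary spawning its own image: the unpack-then-inject stage seen here.
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower() == ev.image.lower() and USER_WRITABLE.search(ev.image):
        return Finding("self_relaunch", "medium", ev.pid)
    return None


def rule_self_delete(ev, by_pid, images):
    # cmd /c del <path> where <path> is a binary that already executed in this log.
    if basename(ev.image) != "cmd.exe":
        return None
    m = re.search(r"/c\s+del\s+(?:/\w+\s+)*\"?([^\"]+)", ev.cmdline, re.I)
    if m and m.group(1).strip().lower() in images:
        return Finding("deletes_executed_binary", "high", ev.pid)
    return None


def rule_svchost_parent(ev, by_pid, images):
    # Genuine svchost.exe is started by services.exe; any other parent means injection or masquerading.
    parent = by_pid.get(ev.ppid)
    if basename(ev.image) == "svchost.exe" and parent and basename(parent.image) != "services.exe":
        return Finding("svchost_unusual_parent", "medium", ev.pid)
    return None


RULES = [rule_defender_exclusion, rule_schtasks_xml, rule_self_relaunch, rule_self_delete, rule_svchost_parent]


def root_of(pid, by_pid):
    """Walk ppid links up to the oldest ancestor present in the log."""
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def hunt(events, min_techniques=3):
    """Return (findings, verdicts); a verdict lists the distinct techniques under one process root."""
    by_pid = {e.pid: e for e in events}
    images = {e.image.lower() for e in events}
    findings = [f for e in events for r in RULES if (f := r(e, by_pid, images))]
    per_tree = defaultdict(set)
    for f in findings:
        per_tree[root_of(f.pid, by_pid)].add(f.technique)
    verdicts = {root: sorted(t) for root, t in per_tree.items() if len(t) >= min_techniques}
    return findings, verdicts


if __name__ == "__main__":
    fs, vs = hunt(EVENTS)
    for f in fs:
        print(f"{f.severity:6} pid={f.pid:<5} {f.technique}")
    for root, techniques in vs.items():
        print(f"tree rooted at pid {root}: {len(techniques)} techniques: {', '.join(techniques)}")
```

On the constructed events this yields six findings (three high: the two exclusions and the self-delete) and one verdict rooted at Explorer (PID 1252) with all five techniques; the Get-MpPreference event produces nothing. Grouping by the oldest ancestor mirrors the tree in this report, where both branches hang off Explorer because the sample wrote into it; on a busy host you would instead group by the nearest ancestor running from a user-writable path, or by the original file's hash, so that unrelated Explorer children do not share a verdict.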

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp

    Filesize

    1KB

    MD5

    8080a9bd7c6bca4e9fffc820338f99d9

    SHA1

    7725a69b2f509f1a97138d77ef6dac4100faf7ac

    SHA256

    fd1406ecfa13544e82ffb61987747f6fed8f0715df925b5086b0df8b1c061437

    SHA512

    c0735da3be1c84e9e286c4b17b261dab80b50d29edd0986572350e0eca7e47a24765ac26b50326b499bb06ac8eb0f89add294a6c216d2b11962956b662230a6f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    9ef02dd9863536dc4a4f0b3f89294d6d

    SHA1

    b06fb3d309b6f27017cfa935ac09aefcf8c5d7ca

    SHA256

    914743f09ae4f4517616edbafca2fa78bb08659b590abef57bb376423115c677

    SHA512

    cf524d72d8dbd2067baf063b1e7d967b495071ac49793401e37b571d52f9e646672428df97619dbfdbc8b6261d5d34c5a4a5afe3b66cf669b8525fc6ee5f9081

  • memory/828-4-0x00000000004F0000-0x0000000000500000-memory.dmp

    Filesize

    64KB

  • memory/828-25-0x0000000074850000-0x0000000074F3E000-memory.dmp

    Filesize

    6.9MB

  • memory/828-0-0x000000007485E000-0x000000007485F000-memory.dmp

    Filesize

    4KB

  • memory/828-5-0x00000000007C0000-0x00000000007CE000-memory.dmp

    Filesize

    56KB

  • memory/828-6-0x0000000000BB0000-0x0000000000C26000-memory.dmp

    Filesize

    472KB

  • memory/828-2-0x0000000074850000-0x0000000074F3E000-memory.dmp

    Filesize

    6.9MB

  • memory/828-1-0x0000000000E40000-0x0000000000F6A000-memory.dmp

    Filesize

    1.2MB

  • memory/828-3-0x0000000000A90000-0x0000000000B1A000-memory.dmp

    Filesize

    552KB

  • memory/1252-27-0x0000000003B60000-0x0000000003D60000-memory.dmp

    Filesize

    2.0MB

  • memory/2532-29-0x00000000000D0000-0x00000000000FF000-memory.dmp

    Filesize

    188KB

  • memory/2532-28-0x00000000005F0000-0x00000000005F8000-memory.dmp

    Filesize

    32KB

  • memory/3048-20-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3048-21-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3048-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3048-24-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB