Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    15-07-2024 13:33

General

  • Target

    Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe

  • Size

    1.0MB

  • MD5

    c64808bee3cbc24910d4a426d4123cce

  • SHA1

    eeff1a128b756e5d4eaabbca3db35c765f7f03f8

  • SHA256

    9039d85eec99722427577d83cfcf5464fa26d64ca5a40682ba3be7942a3e7155

  • SHA512

    372e126b49c5a7c1081c92b73a010d84a89f6e7f3ac5c9b6dc0668ca6e6f8390c495f0ef28d31f8460145693d3cb342b81be40fa2fa920ef2ed17460944bad99

  • SSDEEP

    24576:ntb20pkaCqT5TBWgNQ7a/zdBNeZXGraTPv6A:kVg5tQ7a/zdONGrab5

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    gb29
  • Decoy
    deecentshop.xyz
    agcpros.com
    bzbbkmmf.xyz
    marketprofissional.com
    891237.com
    hwqcoiu.xyz
    ultimabet.store
    nirikide.shop
    rsstationary.com
    sareease.com
    genaidefense.com
    mbn254.shop
    92fwq.com
    buses.life
    zbcgf.shop
    cheickfatoumata.com
    jkendricksmusic.com
    dokalopsia.digital
    wr70.top
    horebconstructioncorp.com
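Formbook configs list the live C2 host among decoy domains and the sandbox cannot tell which is which, so the whole list has to be treated as indicators. The script below, an added example rather than sandbox output, scans resolver log lines for any of the 20 hosts extracted above; the domain set is copied from the config, the log lines and their format are constructed for illustration. Matching is done label by label, so a subdomain of a listed host is a hit while a longer name that merely contains one (1891237.com vs. 891237.com) is not.

```python
"""Match DNS query logs against the Formbook domain list extracted above.

Added example, not sandbox output: the domain set is copied from this report's
Malware Config; the log lines below are constructed for illustration.
"""
from typing import Iterable, List, Optional, Tuple

# All 20 hosts from the extracted config. Formbook mixes its live C2 host into a
# list of decoys and the sandbox cannot tell them apart, so every entry is an IOC.
FORMBOOK_GB29_DOMAINS = frozenset({
    "deecentshop.xyz", "agcpros.com", "bzbbkmmf.xyz", "marketprofissional.com",
    "891237.com", "hwqcoiu.xyz", "ultimabet.store", "nirikide.shop",
    "rsstationary.com", "sareease.com", "genaidefense.com", "mbn254.shop",
    "92fwq.com", "buses.life", "zbcgf.shop", "cheickfatoumata.com",
    "jkendricksmusic.com", "dokalopsia.digital", "wr70.top",
    "horebconstructioncorp.com",
})

# Constructed resolver log lines (not from the sandbox run):
# "<timestamp> <client> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2024-07-15T13:34:02Z 10.0.0.21 www.agcpros.com A
2024-07-15T13:34:02Z 10.0.0.21 WR70.TOP. A
2024-07-15T13:34:03Z 10.0.0.21 1891237.com A
2024-07-15T13:34:03Z 10.0.0.22 cdn.example.net AAAA
2024-07-15T13:34:04Z 10.0.0.21 ultimabet.store A
""".splitlines()


def normalize_qname(qname: str) -> str:
    """Lower-case and drop the trailing root dot so FQDN forms compare equal."""
    return qname.strip().rstrip(".").lower()


def match_ioc(qname: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IOC that qname equals or is a subdomain of, else None.

    Matching is label-wise: "www.agcpros.com" hits "agcpros.com", but
    "1891237.com" does not hit "891237.com" the way a substring test would.
    """
    ioc_set = set(iocs)
    labels = normalize_qname(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_set:
            return candidate
    return None


def scan_dns_log(lines: Iterable[str],
                 iocs: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, matched_ioc) for every line that hits."""
    ioc_set = set(iocs)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        ts, client, qname = parts[0], parts[1], parts[2]
        ioc = match_ioc(qname, ioc_set)
        if ioc is not None:
            hits.append((ts, client, normalize_qname(qname), ioc))
    return hits


if __name__ == "__main__":
    for ts, client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, FORMBOOK_GB29_DOMAINS):
        print(f"{ts} {client} queried {qname} -> Formbook gb29 host {ioc}")
```

Run against the constructed lines it reports three hits (agcpros.com via its www subdomain, wr70.top despite the upper-case FQDN form, ultimabet.store) and ignores 1891237.com. Swap in the client's own resolver export in place of the sample lines; only the column positions need adjusting.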

Signatures

  • Formbook

    Formbook is an information stealer: it harvests credentials, web form data, keystrokes and clipboard contents from the infected host and exfiltrates them to its command-and-control server.

  • Formbook payload 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe
      "C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:5072
    • C:\Windows\SysWOW64\WWAHost.exe
      "C:\Windows\SysWOW64\WWAHost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        PID:3752
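The process tree above carries the hollowing pattern that the SetThreadContext, MapViewOfSection, UnmapMainImage and WriteProcessMemory signatures point at: PID 5072 is mapped as C:\Windows\SysWOW64\svchost.exe yet runs under the dropper's command line, and the WWAHost.exe child of Explorer.EXE (PID 724) finishes by spawning cmd.exe to delete a file under SysWOW64. The script below is an added example, not sandbox output, showing how to catch those three indicators in process-creation telemetry. The event records are constructed from this tree in Sysmon-style fields (pid, parent pid, image, command line); the cmd.exe command line is written out in full, as an event log would record it, rather than as the abbreviated form shown above.

```python
"""Flag process-hollowing indicators in process-creation events.

Added example (not sandbox output). The event records below are constructed from
this report's process tree in Sysmon-style fields; the cmd.exe command line is
written out in full as a real event log would record it.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str     # executable the kernel actually mapped
    cmdline: str   # command line as read from the process's PEB


# Constructed from the report's process tree; paths as shown there.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe"
REPORT_EVENTS = [
    ProcEvent(3536, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(3068, 3536, DROPPER, f'"{DROPPER}"'),
    ProcEvent(5072, 3068, r"C:\Windows\SysWOW64\svchost.exe", f'"{DROPPER}"'),
    ProcEvent(724, 3536, r"C:\Windows\SysWOW64\WWAHost.exe",
              r'"C:\Windows\SysWOW64\WWAHost.exe"'),
    ProcEvent(3752, 724, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"'),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)


def first_token(cmdline: str) -> str:
    """Program path at the start of a Windows command line, quoted or bare."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def image_cmdline_mismatch(ev: ProcEvent) -> bool:
    """Hollowed host: the mapped image differs from the program the command line names."""
    claimed = ntpath.basename(first_token(ev.cmdline)).lower()
    return claimed != "" and claimed != ntpath.basename(ev.image).lower()


def inherits_parent_cmdline(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """Child created with its parent's own command line but a different image."""
    parent = by_pid.get(ev.ppid) if ev.ppid is not None else None
    if parent is None:
        return False
    same_cmd = first_token(parent.cmdline).lower() == first_token(ev.cmdline).lower()
    return same_cmd and parent.image.lower() != ev.image.lower()


def deletes_system_binary(ev: ProcEvent) -> Optional[str]:
    """Path under System32/SysWOW64 that a cmd.exe 'del' targets, else None."""
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    m = DEL_RE.search(ev.cmdline)
    if not m:
        return None
    target = m.group(1).strip()
    return target if target.lower().startswith(SYSTEM_DIRS) else None


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> indicator descriptions for every event that trips at least one."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = []
        if image_cmdline_mismatch(ev):
            hits.append(f"image {ntpath.basename(ev.image)} but command line names "
                        f"{ntpath.basename(first_token(ev.cmdline))}")
        if inherits_parent_cmdline(ev, by_pid):
            hits.append(f"runs under parent PID {ev.ppid}'s command line with a different image")
        target = deletes_system_binary(ev)
        if target:
            hits.append(f"cmd.exe deletes system binary {target}")
        if hits:
            findings[ev.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in hunt(REPORT_EVENTS).items():
        for h in hits:
            print(f"PID {pid}: {h}")
```

On the constructed events only PIDs 5072 and 3752 trip: 5072 for both the image/command-line mismatch and for inheriting PID 3068's command line, 3752 for the del of a SysWOW64 file. Explorer.EXE, the dropper and WWAHost.exe pass, since each has a command line naming its own image. The mismatch check depends on the command line being read from the PEB after the hollow, which is what Sysmon and most EDR sensors record; a sensor that captures the line at CreateProcess time sees the same value and the check still holds because Formbook launches the host with the dropper's path.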

    Downloads

    • memory/724-17-0x0000000000290000-0x000000000036C000-memory.dmp (880KB)
    • memory/724-20-0x00000000008E0000-0x000000000090F000-memory.dmp (188KB)
    • memory/724-19-0x0000000000290000-0x000000000036C000-memory.dmp (880KB)
    • memory/3068-10-0x00000000014C0000-0x00000000014C4000-memory.dmp (16KB)
    • memory/3536-22-0x0000000008F50000-0x000000000908C000-memory.dmp (1.2MB)
    • memory/3536-16-0x0000000008F50000-0x000000000908C000-memory.dmp (1.2MB)
    • memory/3536-25-0x00000000077E0000-0x00000000078BA000-memory.dmp (872KB)
    • memory/3536-26-0x00000000077E0000-0x00000000078BA000-memory.dmp (872KB)
    • memory/3536-29-0x00000000077E0000-0x00000000078BA000-memory.dmp (872KB)
    • memory/5072-14-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
    • memory/5072-15-0x0000000001FB0000-0x0000000001FC4000-memory.dmp (80KB)
    • memory/5072-12-0x0000000001B00000-0x0000000001E4A000-memory.dmp (3.3MB)
    • memory/5072-11-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)