Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-07-2024 15:35

General

  • Target

    DHL_UOC2_240708172813545.pdf.exe

  • Size

    1.0MB

  • MD5

    2465ce9d09372c4daf8a9d6d36c11915

  • SHA1

    08e205473e1bf912fe01e7183cc4e7f880f0e86c

  • SHA256

    fa9ea4e8935d55eb5ef1846b525f02572e147be07c11588e55475e1d7a173676

  • SHA512

    137e60039c82e7ace769a7914050b0dd7152a57780f4dcb7e6df0ad818fe38f45b2fc0e1ff4eb0d2f0d86cbc6fb0b1cdb74aafb224709755c390a2c390f5fed4

  • SSDEEP

    24576:EAHnh+eWsN3skA4RV1Hom2KXMmHa4N1hfjVEc5:Th+ZkldoPK8Ya4NvbVX

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rn94

Decoy

  • st68v.xyz
  • conciergenotary.net
  • qwechaotk.top
  • rtpdonatoto29.xyz
  • 8ad.xyz
  • powermove.top
  • cameras-30514.bond
  • vanguardcoffee.shop
  • umoe53fxc1bsujv.buzz
  • consultoriamax.net
  • hplxx.com
  • ndu.wtf
  • yzh478c.xyz
  • bigbrown999.site
  • xiake07.asia
  • resdai.xyz
  • the35678.shop
  • ba6rf.rest
  • ceo688.com
  • phimxhot.xyz

Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests data from the infected host.

  • Formbook payload (3 IoCs)
  • Drops startup file (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • AutoIT Executable (1 IoC)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (31 IoCs)
  • Suspicious behavior: MapViewOfSection (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Users\Admin\AppData\Local\directory\name.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2548
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:2572
      • C:\Windows\SysWOW64\colorcpl.exe
        "C:\Windows\SysWOW64\colorcpl.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\SysWOW64\svchost.exe"
          3⤵
          PID:3016

Network

MITRE ATT&CK Matrix

Downloads

      • C:\Users\Admin\AppData\Local\Temp\anaboly

        Filesize

        185KB

        MD5

        1c95c1e5415911bbac633536ebceabda

        SHA1

        2c71566ac288b115b4b94d4b0facfad2f5643483

        SHA256

        475a0354d1eae20ebbdb55e8ba86a4eef341b22246cf202ec834c4af03980a3a

        SHA512

        e606df44ff8871d14ff84ebb0781b15884c2df36100ecd3b7dc9c7407761494a7ab3e9f1ddc8eeecf79d051416ece07fe54a9735738f04bf3a1b8d4be38c43e3

      • C:\Users\Admin\AppData\Local\Temp\unnervousness

        Filesize

        28KB

        MD5

        8de38e7797a6470be9995a7f809b0ce1

        SHA1

        663e73bb07e0aa3927fdab180dbc970f3372d190

        SHA256

        e53119a0212391d5aa8a43826a8a166b46f001ecdff29b4f9f25f231dcaea54d

        SHA512

        c9f7293ead1816f44132daf867ee18fcc744754dac83d4eb2101ff00e2c3a096ade79d766e7a45e12989e13ec93a8a469f82dd8f0b850870bf16cf702756e7eb

      • \Users\Admin\AppData\Local\directory\name.exe

        Filesize

        1.0MB

        MD5

        2465ce9d09372c4daf8a9d6d36c11915

        SHA1

        08e205473e1bf912fe01e7183cc4e7f880f0e86c

        SHA256

        fa9ea4e8935d55eb5ef1846b525f02572e147be07c11588e55475e1d7a173676

        SHA512

        137e60039c82e7ace769a7914050b0dd7152a57780f4dcb7e6df0ad818fe38f45b2fc0e1ff4eb0d2f0d86cbc6fb0b1cdb74aafb224709755c390a2c390f5fed4

      • memory/1164-35-0x0000000005040000-0x0000000005155000-memory.dmp

        Filesize

        1.1MB

      • memory/1164-41-0x0000000005040000-0x0000000005155000-memory.dmp

        Filesize

        1.1MB

      • memory/2544-36-0x0000000000920000-0x0000000000938000-memory.dmp

        Filesize

        96KB

      • memory/2544-37-0x0000000000920000-0x0000000000938000-memory.dmp

        Filesize

        96KB

      • memory/2544-38-0x0000000000080000-0x00000000000AF000-memory.dmp

        Filesize

        188KB

      • memory/2548-34-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/2548-33-0x0000000000270000-0x0000000000285000-memory.dmp

        Filesize

        84KB

      • memory/2548-32-0x00000000008F0000-0x0000000000BF3000-memory.dmp

        Filesize

        3.0MB

      • memory/2548-30-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

      • memory/2636-10-0x0000000000370000-0x0000000000374000-memory.dmp

        Filesize

        16KB