Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

Analysis

  • max time kernel
    146s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2024 12:26

General

  • Target

    1/d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0.exe

  • Size

    691KB

  • MD5

    c2ae4fdb661a151be4876289ed7f8261

  • SHA1

    f8fbb8b8ddb55aacc20449ff2bd5d671e4cbb9fa

  • SHA256

    d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0

  • SHA512

    2642eac12e6a42fbd503621871802da278e0c68a4678675ddbe71f66d7a2b7d0ed8a22640c13d153ea63bcb33f7f13ae32eaa3e444fc451c64a1839d8cc91c89

  • SSDEEP

    12288:luCDWx2PQfnESfZ0nl+xD4u1JW31MlxwXY5oMY3tQMmVHMe3+L4Ull0l8fkR:/awMnESR0nl+Z9OSXwXuoaVse3+sCie6

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\1\d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0.exe
        "C:\Users\Admin\AppData\Local\Temp\1\d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXqUfHySpG.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2784
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXqUfHySpG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9389.tmp"
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2696
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2592
          • C:\Windows\SysWOW64\wlanext.exe
            "C:\Windows\SysWOW64\wlanext.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:908
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp9389.tmp

      Filesize

      1KB

      MD5

      8b6dace8bd24e4ea19d3b83d08a8b4f9

      SHA1

      78d2803aa8b96944e05c3b8dc41b5cf5cc1614a4

      SHA256

      f0f441c4ef97349c7f62c2f0e66ed1f832b196a38b44499209f98a1f63be2ec0

      SHA512

      3a4d0034946933e3a2b9a72f75b101d2cf312dd6b201504afb8609e60e329acdbfc73dd30004401f4febadac7e966072caec09d349f3297d79c5a53bdad1bb00

    • memory/908-24-0x0000000000080000-0x00000000000AF000-memory.dmp

      Filesize

      188KB

    • memory/908-23-0x0000000000D20000-0x0000000000D36000-memory.dmp

      Filesize

      88KB

    • memory/1208-25-0x00000000065E0000-0x000000000672E000-memory.dmp

      Filesize

      1.3MB

    • memory/1208-21-0x0000000003AB0000-0x0000000003BB0000-memory.dmp

      Filesize

      1024KB

    • memory/2592-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2592-18-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2592-15-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2592-13-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2592-22-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2704-5-0x0000000004BE0000-0x0000000004C56000-memory.dmp

      Filesize

      472KB

    • memory/2704-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

      Filesize

      4KB

    • memory/2704-19-0x0000000074BB0000-0x000000007529E000-memory.dmp

      Filesize

      6.9MB

    • memory/2704-4-0x00000000005C0000-0x00000000005CE000-memory.dmp

      Filesize

      56KB

    • memory/2704-3-0x0000000000480000-0x000000000049A000-memory.dmp

      Filesize

      104KB

    • memory/2704-2-0x0000000074BB0000-0x000000007529E000-memory.dmp

      Filesize

      6.9MB

    • memory/2704-1-0x00000000000B0000-0x000000000015E000-memory.dmp

      Filesize

      696KB