Analysis

  • max time kernel: 150s
  • max time network: 132s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 10-09-2024 01:26

General

  • Target: DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe
  • Size: 1.2MB
  • MD5: 1876c101ef20d1d02f23014425ac06e1
  • SHA1: 28abc61712aa81fe8f0838f1588cbd556d923e89
  • SHA256: 1f4b2861d0fcd9241dfd17b5ae99741e712f0297ca5fb4f3858340ce3cbb91d0
  • SHA512: 87e7838b5ef65a0c84c40e6d881f44a8af2a43354a1b7a9d301a3180ac2df77cfc4aac04aa4042e187959373b2c95d9ae62570a6c6e29bc982bfd5a5cb67398b
  • SSDEEP: 24576:GqDEvCTbMWu7rQYlBQcBiT6rprG8an98M8HQXeYeun1033:GTvC/MTQYxsWR7an98M8wXi6

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: ot96

Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook payload (4 IoCs)
  • AutoIT Executable (2 IoCs)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (31 IoCs)
  • Suspicious behavior: MapViewOfSection (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of WriteProcessMemory (13 IoCs)

Processes

  • C:\Windows\Explorer.EXE (PID 1212, depth 1)
    Command line: C:\Windows\Explorer.EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe (PID 1976, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe"
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\svchost.exe (PID 2336, depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\DRAWING SINCOAUTOMATIOM86757786Ref6777POSINCOAUTOMATIOM86757786Ref6777.exe"
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\chkdsk.exe (PID 2484, depth 2)
      Command line: "C:\Windows\SysWOW64\chkdsk.exe"
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 2284, depth 3)
        Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
        • System Location Discovery: System Language Discovery

Network

  • DNS query from Explorer.EXE to 8.8.8.8:53
    Request: www.etirementconundrum.live IN A
    Response: (no records listed)
  • DNS query from Explorer.EXE to 8.8.8.8:53
    Request: www.ercedesemrotomotiv.shop IN A
    Response: (no records listed)
  • DNS query from Explorer.EXE to 8.8.8.8:53
    Request: www.ercedesemrotomotiv.shop IN A
    Response: (no records listed)
  • DNS query from Explorer.EXE to 8.8.8.8:53
    Request: www.mazoncarbon.shop IN A
    Response: (no records listed)
  • DNS query from Explorer.EXE to 8.8.8.8:53
    Request: www.99577-sj.top IN A
    Response: (no records listed)
  • DNS query from Explorer.EXE to 8.8.8.8:53
    Request: www.99577-sj.top IN A
    Response: (no records listed)
  • DNS query from Explorer.EXE to 8.8.8.8:53
    Request: www.99577-sj.top IN A
    Response: none recorded
  • DNS query from Explorer.EXE to 8.8.8.8:53
    Request: www.inergiputraborneo.dev IN A
    Response: (no records listed)
  Remote address   Domain                        Protocol   Process        Sent    Received   Requests   Responses
  8.8.8.8:53       www.etirementconundrum.live   dns        Explorer.EXE    73 B    141 B      1          1
  8.8.8.8:53       www.ercedesemrotomotiv.shop   dns        Explorer.EXE   146 B    260 B      2          2
  8.8.8.8:53       www.mazoncarbon.shop          dns        Explorer.EXE    66 B    123 B      1          1
  8.8.8.8:53       www.99577-sj.top              dns        Explorer.EXE   186 B    264 B      3          2
  8.8.8.8:53       www.inergiputraborneo.dev     dns        Explorer.EXE    71 B    169 B      1          1

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1212-16-0x0000000005090000-0x00000000051B2000-memory.dmp (1.1MB)
  • memory/1212-29-0x0000000006770000-0x0000000006859000-memory.dmp (932KB)
  • memory/1212-28-0x0000000006770000-0x0000000006859000-memory.dmp (932KB)
  • memory/1212-12-0x0000000005090000-0x00000000051B2000-memory.dmp (1.1MB)
  • memory/1212-26-0x0000000006770000-0x0000000006859000-memory.dmp (932KB)
  • memory/1212-21-0x00000000051C0000-0x00000000052B2000-memory.dmp (968KB)
  • memory/1212-17-0x00000000051C0000-0x00000000052B2000-memory.dmp (968KB)
  • memory/1976-7-0x0000000001300000-0x0000000001433000-memory.dmp (1.2MB)
  • memory/1976-5-0x0000000001300000-0x0000000001433000-memory.dmp (1.2MB)
  • memory/2336-14-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
  • memory/2336-15-0x0000000000340000-0x0000000000355000-memory.dmp (84KB)
  • memory/2336-10-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
  • memory/2336-11-0x0000000000220000-0x0000000000235000-memory.dmp (84KB)
  • memory/2336-8-0x00000000009F0000-0x0000000000CF3000-memory.dmp (3.0MB)
  • memory/2336-6-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
  • memory/2484-18-0x00000000001E0000-0x00000000001E7000-memory.dmp (28KB)
  • memory/2484-19-0x00000000001E0000-0x00000000001E7000-memory.dmp (28KB)
  • memory/2484-20-0x0000000000080000-0x00000000000AF000-memory.dmp (188KB)
