Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-10-2024 13:55

General

  • Target

    Document.exe

  • Size

    1.0MB

  • MD5

    8128f92e759ef0399a73d001b78bf37e

  • SHA1

    64d435e7ca1c98ea6e1b5818d6cc8d0dad22db7d

  • SHA256

    2d1d21fefaccdde89b759234f18ed79ea0a8a631c15be4f93fe3106f7fe6abe6

  • SHA512

    5de12e936fc0be70ed771cb911e3cacec64a1ddd6e84124bd59b9a56117fd5eae655c79442cc33f971fe686ec8826484c196f04c5c6b85fb6864ac7b24faee30

  • SSDEEP

    24576:ffmMv6Ckr7Mny5QL2OTYtNaqimUy7RRtst35de:f3v+7/5QL2mTARReR5de

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n04s

Decoy

imberstimedtinter.cfd

ttfr44solutionschesapeake.pro

kkas.xyz

sk-frby.xyz

ptowing.net

jzimq-community.xyz

ressoncrookencruller.cfd

amedana.click

ravamarketing.tech

udfa-speech.xyz

ose-bdbzsg.xyz

alsiuuarsiau.xyz

fgiopa.xyz

15501.pro

tart-ewlon.xyz

kjjf-company.xyz

araldschauer.shop

wet25.vip

armostfavorgaivn.cfd

ompa77.click

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook family
  • Formbook payload 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\Document.exe
      "C:\Users\Admin\AppData\Local\Temp\Document.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\Document.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2856

Network

  • flag-us
    DNS
    www.trrttfjftw.top
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.trrttfjftw.top
    IN A
    Response
  • flag-us
    DNS
    www.fyigh-on.xyz
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.fyigh-on.xyz
    IN A
    Response
  • flag-us
    DNS
    www.tart-ewlon.xyz
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.tart-ewlon.xyz
    IN A
    Response
  • flag-us
    DNS
    www.15501.pro
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.15501.pro
    IN A
    Response
  • flag-us
    DNS
    www.oldplay.click
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.oldplay.click
    IN A
    Response
  • flag-us
    DNS
    www.espond-yvctq.xyz
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.espond-yvctq.xyz
    IN A
    Response
  • 8.8.8.8:53
    www.trrttfjftw.top
    dns
    Explorer.EXE
    64 B
    134 B
    1
    1

    DNS Request

    www.trrttfjftw.top

  • 8.8.8.8:53
    www.fyigh-on.xyz
    dns
    Explorer.EXE
    62 B
    127 B
    1
    1

    DNS Request

    www.fyigh-on.xyz

  • 8.8.8.8:53
    www.tart-ewlon.xyz
    dns
    Explorer.EXE
    64 B
    129 B
    1
    1

    DNS Request

    www.tart-ewlon.xyz

  • 8.8.8.8:53
    www.15501.pro
    dns
    Explorer.EXE
    59 B
    141 B
    1
    1

    DNS Request

    www.15501.pro

  • 8.8.8.8:53
    www.oldplay.click
    dns
    Explorer.EXE
    63 B
    128 B
    1
    1

    DNS Request

    www.oldplay.click

  • 8.8.8.8:53
    www.espond-yvctq.xyz
    dns
    Explorer.EXE
    66 B
    131 B
    1
    1

    DNS Request

    www.espond-yvctq.xyz

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1212-21-0x0000000004E80000-0x0000000004F60000-memory.dmp

    Filesize

    896KB

  • memory/1212-19-0x0000000004E80000-0x0000000004F60000-memory.dmp

    Filesize

    896KB

  • memory/1212-18-0x0000000004E80000-0x0000000004F60000-memory.dmp

    Filesize

    896KB

  • memory/1212-13-0x0000000004A90000-0x0000000004B59000-memory.dmp

    Filesize

    804KB

  • memory/1212-8-0x0000000004A90000-0x0000000004B59000-memory.dmp

    Filesize

    804KB

  • memory/2688-2-0x00000000033D0000-0x00000000035D0000-memory.dmp

    Filesize

    2.0MB

  • memory/2712-9-0x000000004A9F0000-0x000000004AA3C000-memory.dmp

    Filesize

    304KB

  • memory/2712-11-0x000000004A9F0000-0x000000004AA3C000-memory.dmp

    Filesize

    304KB

  • memory/2712-12-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB

  • memory/2844-6-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2844-7-0x0000000000180000-0x0000000000195000-memory.dmp

    Filesize

    84KB

  • memory/2844-4-0x0000000000910000-0x0000000000C13000-memory.dmp

    Filesize

    3.0MB

  • memory/2844-3-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB
