Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    06-11-2024 09:40

General

  • Target

    a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9.exe

  • Size

    1.0MB

  • MD5

    7d8165e194302250d880425b1608e307

  • SHA1

    2688c9a6a3946fd7d93fd861c5f94c0dd67ae593

  • SHA256

    a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9

  • SHA512

    eb1c4dd9095dcd6a82616f7d4260e45ee686e4c80c0f046639fdae08fd5c70ead604be0d4cce09d01466b239726c93ec4de579222eb755c6cdf641fd902c415f

  • SSDEEP

    24576:hN/BUBb+tYjBFHNhM6FI9Dh7S95UqJXRX1zJ54D+q0lPBzkFd:jpUlRhPMn2owXRX1zJ5w+JPBAd

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o52o

Decoy

ckroom.xyz

apanstock.online

6dtd8.vip

phone-in-installment-kz.today

ichaellee.info

mpresamkt38.online

ivein.today

78cx465vo.autos

avannahholcomb.shop

eochen008.top

rcraft.net

eth-saaae.buzz

ifxz.info

flegendarycap50.online

reon-network.xyz

ee.zone

ameralife.net

5en4.shop

eal-delivery-34026.bond

anion.app

Signatures

  • Formbook

    Formbook is an information-stealing malware family: it grabs data from web forms and browsers, logs keystrokes and clipboard contents, injects itself into a legitimate process, and carries a list of decoy domains in its configuration alongside the real C2.

  • Formbook family
  • Formbook payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 2 IoCs

    Uses a command-line utility (here ipconfig /release and /renew) to view or change the network configuration.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9.exe
      "C:\Users\Admin\AppData\Local\Temp\a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wnrs.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ipconfig /release
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4996
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /release
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:4584
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c oxhvi.msc bvqmcwxut.docx
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4236
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\oxhvi.msc
            oxhvi.msc bvqmcwxut.docx
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1704
            • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
              "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
              6⤵
              • Executes dropped EXE
              PID:2000
            • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
              "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:2392
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ipconfig /renew
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1808
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /renew
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:1672
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1108

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ahpskwthu.docx

    Filesize

    526B

    MD5

    56ae97a5897d70a0c7fade5f29767a43

    SHA1

    e6ed9186ab3b3211092508f8e4fbe46e058839f7

    SHA256

    96f922028e5673af15f9af520ba2f01496fefb7d6017b82b29946d2e09351704

    SHA512

    7cffa2028fdf0cb5f659c644f666a426aded46d06020faf6da8cf768f80960b6db02cdfa958ee6f746466f426d7420520980e34f33a0cfa07950edc1735016a8

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\aiccixqlw.exe

    Filesize

    578B

    MD5

    68925419289f46d376b8d0de41a64c99

    SHA1

    9c876267e22acb8881c7fcfc9006d97813822c95

    SHA256

    1449b0aefab21761cd54949134b02ffb7042ed3fb91e36032991922199722ec7

    SHA512

    e6e5a5498ada1e845ad2907fe040ed69cdac03f43702f21c8e11a666cbb4d9845ad8d6e7cfc078d2fc54b0190d261b90a580338279c94cc9b79da4751727edf2

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\amfmrpfqdh.msc

    Filesize

    34KB

    MD5

    c6d01ccb8a3f8c8a09db6445df46228c

    SHA1

    09163a20fe6c09e510a68087f5d3038458629226

    SHA256

    5c38856418567a83a31d0eeee38087be1047a7a98e79b02cba43907a1f0aee27

    SHA512

    602f96394261b554d5988815dd8e75e6040808c6d0acd1e0c66cd6b6756fa208bc1272a0834cdb4ad49816858b03e11a6923afd45f14aa173f84898706c6aff7

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\amfmrpfqdh.msc

    Filesize

    34KB

    MD5

    f8ec3a47a92f1c45b9f6582f7cf621c1

    SHA1

    452fb70c325ba60247ecf3eb7c05c188e576cc60

    SHA256

    771db32e8bdd02be6ac90f3d0902d08163c3f49cbf21f46b069bd8da32ed0c74

    SHA512

    dba6d256838dcd1a30e68c35bbc5e11b51b6aa05bfecc437ef70b67b8b89a05b9865f92c90aebc51f76832f8137ef28c4a11bdaa112519bd0419d18699937764

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bhbdl.dll

    Filesize

    579B

    MD5

    f3372b55e755a70e9d39941a8af77bd7

    SHA1

    164a9d56bde91bf883f9a97d4203689c4ec13d5e

    SHA256

    fbfd9cd1320c29a7ad37207a415d1503f686185f901299ea0870420b8a4a66ae

    SHA512

    7cb1031aede051eb28be6e72bad4c66a5caea5c089bb73c2d2268f9d3db8b1412c15383e8a68760f1afe276b0b0a0901a4ed07a1da1c0a04943ca5dcd7de3ca6

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\btieiqt.wxc

    Filesize

    351KB

    MD5

    fae6ee35c0f5ac2dc4885c0de8e88032

    SHA1

    587bf6f4105d4420762c463ba33e9e3ba677e85f

    SHA256

    4db090b6f1cd2501c929b31c2e29d4d0a4ddf1e81be6800e763d8c45bea8744d

    SHA512

    1ce62d900017dd4545023acc3ca32daee7eb454a6144c99958d57e88838402013854f410b8be1fb5d607819c48ba72fefecc11d2c78a81408855bf3899e04b38

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bwscnblc.msc

    Filesize

    598B

    MD5

    42872a8299c923636de82f9b8c4a9fd5

    SHA1

    34e35498029d6939bf99f3e67357fd8428383fb7

    SHA256

    cb7308beda6f9ff1679bf8adb0b0ab44dc160d20fabdd51a4ea47c1f3fefe17c

    SHA512

    8bd61efd02df1f69be68a7497f590d90b08f611d9b1503ec66a2f40c31258d0b1fc2cdf10df53a83f1cf6557f6866e9240b28382acd16f092082a51aa84e69a8

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cahoackms.mp3

    Filesize

    603B

    MD5

    f9ebc2eb91660ba2f590171be17de8d7

    SHA1

    4c8184f056fafc7399dd772a8ff4098bc4d35145

    SHA256

    8e98a40279558b8377345897621d7e715614f02359fcf38c498643b103bdcc08

    SHA512

    cfb031109d1b759aba4fbf08497b5c9c2c2771dbaf1d11fa6dce839a84b867605cd6d17d207833172d7432b6e67ede6c77cfdab5af3bf729cf6dbee3004f66c3

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ceacdbp.pdf

    Filesize

    536B

    MD5

    46dcd7f3dc237b4507eb4899c1591cb3

    SHA1

    522503e702f8d76e31b2b24af1ffb1c39b28170b

    SHA256

    12cac5f80badc0292c5ded44cf86d69f016ff8a26702c48162dd8fd3fcf30189

    SHA512

    f9967b456c70e0fcd1405a544dc79de7aed339ddfa055fb774510dbf2bf09d0023e8e9a957b3ecc85762236dd16e751516d406a877c2ce59187d68dce7ef6e08

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cmjr.msc

    Filesize

    591B

    MD5

    bcf3c4465032f6ee4c69baa6d9bd9290

    SHA1

    826e59fb2f690d3f30c915ddf4b14dfd9c68fe55

    SHA256

    41bdb0fab57c8147ad9f09c4f0d898b6dd43ef1cabb26f9122552b6e948500e5

    SHA512

    35fac351abcb29c2174d025a61804fed71ac9dca43130a6156736ab47280b729df0e2bc1b5f4d1d7272d49738b70b2012faddd6d76d86b1242b7f70b0050649c

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\coeheprrr.xl

    Filesize

    504B

    MD5

    97a1ae97f1350d07cadf8e0a010b216a

    SHA1

    3b5555139b866aecef0a2565ab47d7e555f7b097

    SHA256

    951dbcbeb27d6d73d66e6ec4ba14538a7c37c5b439cb02c114e891a9db9a34fc

    SHA512

    b4cf9489aa0a8c1e98c0ec326ccf75d7944e982eb46bb049da5034e1751261c987530a41485c593fe4acea7abe402a3f26d1a9db8af89347a59ca243eddc75be

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cuumqdvjk.exe

    Filesize

    602B

    MD5

    382fb868bf2c280f0a67b8055efb9928

    SHA1

    c740ceb7a49fb1f77ec225529df364dd133d3675

    SHA256

    97f52eadd90e55427d8350f2e5585d9c15b8e00ba82cea1fd09ff95445d957d7

    SHA512

    1bb8bb9379e8ecfd3f7d90e2aa910825b91f6e29f9cc0d6aff3266d351acd3060497d2f8b59b4a285bb015cb893feb4920e79ef23f7e7139011c4dce4bc06805

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhnmu.das

    Filesize

    509B

    MD5

    c4b81747b551cf4fccc5c0e552252649

    SHA1

    8c6c293777a93b8752450437cba667b05c9e23f6

    SHA256

    b4b21fba0d3dba4ae00c9eb45e2e193e273547fa86b1e4c77c47a58dc80231ba

    SHA512

    49e5dc0e9a2dfc7f729a1f8f757fa7ecdc7bbce3c20b17dcffc45f04a14943da30758f55b43bd5a1270e07a8ccd848044834d05c89e65f2487117b8c810f6937

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fljca.xl

    Filesize

    648B

    MD5

    fb7bc1e54a3a13c46abefb4b5894eafb

    SHA1

    6e1eb3df791408db1cd6428582f5f057c755b3e8

    SHA256

    1f5b7c71ad67bdfb5598d77f70cb9a7cafc02ab47af0140722da2a75f21de972

    SHA512

    9657589c71af1ca199e45a5b1f3a8bf225a12288d642ba476ae022c3d69cef30d29d8c797bba4f8fef0effa8262723e289417de394cb90c21c79231410c9acaf

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jnfubqkpck.das

    Filesize

    686B

    MD5

    ad648c8818a74800cea50ca6d7afb649

    SHA1

    f146194d6b62fd61bb37b2a9a7df64f5bd6d7bb0

    SHA256

    c32b59e53fe7283d8fd4bbb2ba8fb9b68d27683fc4f773b7025aebd4e71e654b

    SHA512

    9885e22ff1b1666916bbdda72b8f40d8ed8cc7015ce6529ce552102f0c379d8352cb7f65176b9a55ad1d857fa50211b220cbbd2c81730e9297c8e03597ed083b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jrnfvrdb.pdf

    Filesize

    534B

    MD5

    44bccc48aea68f6c7601b4c28e13dffe

    SHA1

    2f6de537dfc7be56a1dde34817428effc89d09ad

    SHA256

    12df5c527a4fa33c11945127cae2b627fc904f903b3d5e1fa790fa5e93526dcf

    SHA512

    b36429d395d36654781659b544adfe26c99dfe0fbb579c24c6907287b7807bdb25967e06908779ee6f6ff324c863faf7a6c9162040c1d4cccc6649a7ecb5ad38

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\luscgxin.3gp

    Filesize

    508B

    MD5

    95ed1612d4995a1339883f3c2da20bed

    SHA1

    bba7feabf0182aaf1bf2b48314be515c9326a686

    SHA256

    b2ffd14ee25ffeace578f6fd512fc49005aff59fd057607d0fa2c600dafed696

    SHA512

    3b3ea03399c734a2c927ef41ffd971306504f672e4b5fa8ab7897cd54c5986ff2ec0bab0825860746ad262d8f89d59d0797ee5b13628e40b45f83f8256c4a266

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mjupm.docx

    Filesize

    572B

    MD5

    fc495c99e26c918cccafe8a212355ee9

    SHA1

    15a87b4265da49fb5d9edade69111d49ba55b8da

    SHA256

    010e35603796229a5eea475725e2f191dfefcb0ae06306e8502045a84fca335f

    SHA512

    80ab91ee659bfc895f8aae514d63da5dd8f3f53cb2c16b91a24f0cbfd83d604026c18c5ff0237e8e8754242a96c74655cab215548fdea894eb56cb7c0fc8922b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mummtms.icm

    Filesize

    616B

    MD5

    95e90d53b6dd6501967d8e2d9bf0ef8b

    SHA1

    eb28d3148c97be0f2650972f6772e8ce84d86d51

    SHA256

    846e94f46d1201e4afdf32f0374c90ad4d1e23e89b5000c96ea124c80c8524da

    SHA512

    b2ea6242f7f2754f4d3d9b478ee97713d8f635393c681164a07ac5c475b623495f9ae0bc243964a591cfe540fddd4cd195323bb918a63e761ac23e0c4aded046

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\nfwlowj.mp3

    Filesize

    564B

    MD5

    bc4084b5a1c6b6d70d37a0d4d657fb84

    SHA1

    3011bc2e36349df995cc0440b9579829e4628402

    SHA256

    1581f7fd0889c340453e9a34846a61b899671fc59e8b2e67c98f628c290968a2

    SHA512

    004e366ac7b64d083e329d9ef91c0ebecd9e966f52d93b94c2293ef30cdfa793a6d18e73074fd3148fedd2fd4ef7e382046050503f1fee83e20856b9b8da64d4

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ojaqhh.exe

    Filesize

    569B

    MD5

    7399ad2ed1976a8af8fd293039757336

    SHA1

    1b60bb127972d76f4243310b05849c2937e4be76

    SHA256

    06e60d78dd1402360ed52dd46a1f09787b52cbc4cef80676f5600ca49ccbbb23

    SHA512

    446fa89e11d2d3ee7ece303273c573d37ae6a7d490f70101b8a174ae6f3fae859f51f0fc8d52588b6c6c00fe98c2943556fc8ba9a33d8324cbaa2f649371449b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\oxhvi.msc

    Filesize

    925KB

    MD5

    0adb9b817f1df7807576c2d7068dd931

    SHA1

    4a1b94a9a5113106f40cd8ea724703734d15f118

    SHA256

    98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

    SHA512

    883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ukphwj.xl

    Filesize

    504B

    MD5

    35470d47483607bf2de0fdc542efd0a6

    SHA1

    c2085cf4a1a687201dcb2af61d7f2bb28473f664

    SHA256

    e72bf5652c4e6e6fccb590bfcb2e6081c4c6f540d61abde5ff168ba641d34c6f

    SHA512

    d95ffcc8458d3db253388cffc61db76331008aa0d9223e91b8acb2e1c60ad0c19501720fc67f5207b82b191ecfd8bc75e479c3f37ffba83493cac61b11680a36

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\wihpoq.mp2

    Filesize

    533B

    MD5

    18b3ca792233b183954d86380d53baf2

    SHA1

    fe7d78e2ef67b2b37bf608b7d8d2d9820a483322

    SHA256

    4e8d26fbd55bda61f1cbda0326439663f32b735d8b70b52d531150aacbe236c8

    SHA512

    6ce4a5adbb3f9c48c5b35a03188dd0ea9218d2d4a0e79ad19ddfc77ff882a5b39bc57e62c8ec7a4f289e8127e5520e9ff1465fc0502057d43eb61f100522e562

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\wlsraclfv.mp3

    Filesize

    578B

    MD5

    4c33ac9510e5f22aea359252392e7dc6

    SHA1

    d8f0d8c95a43043f68c1794ff7cef803ccdcb969

    SHA256

    5603cb963f200915eb60aceb7837edb35cb1be8ccff16fba9dd1eaf26272de06

    SHA512

    96610ac9ceb1040cf1f063d701148848289ed51e7a1a6c235dd684b4a75073fb7ba092686edd97afdeeaef8df390be88220633215c42325bffb141c03d0a98bf

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\wnrs.vbe

    Filesize

    73KB

    MD5

    e35fff73aee2e4616a02721a2bb87382

    SHA1

    493fb9ee1be78ee56afdaaa41b0c96470a20f491

    SHA256

    27bbc7baed22b649f4f9e5c8f07b46de15d18ab0d98ea38ff8b28d9690bf553c

    SHA512

    76a901a66e701c7c937aabef2d5b4f8e488e25d89c683da61e28b6419aaa75c322a9e5f66c9951388f876e89b485bcbc0ab2108f6fb58882205503e3fb08f4be

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

  • memory/2392-154-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2948-159-0x00000000013B0000-0x00000000013CE000-memory.dmp

    Filesize

    120KB

  • memory/2948-160-0x00000000013B0000-0x00000000013CE000-memory.dmp

    Filesize

    120KB

  • memory/2948-164-0x0000000000A20000-0x0000000000A4F000-memory.dmp

    Filesize

    188KB

  • memory/3540-166-0x0000000009770000-0x00000000098AF000-memory.dmp

    Filesize

    1.2MB
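The Downloads list above is typical RarSFX filler: some twenty files of 504 to 686 bytes with random names and document or media extensions (.docx, .pdf, .mp3, .xl, .icm), next to the 925KB oxhvi.msc that the process tree shows running as a process, a 73KB wnrs.vbe script and a 44KB RegSvcs.exe. The following added example (not code from the report) checks a directory for the two things this pattern leaves behind: content that does not match its extension, and tiny filler files beside the real payload. The file bytes in SAMPLE_DIR are constructed, since the report gives only names, sizes and hashes; the real oxhvi.msc is stood in for by a minimal MZ/PE header stub, and the expected-type table and the 1 KiB "tiny" threshold are my own assumptions.

```python
"""Extension-vs-content check for files dropped by a self-extracting archive.

Added example, not from the sandbox report. SAMPLE_DIR is constructed; the
names come from the report but the bytes do not.
"""
import ntpath

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".sys", ".cpl", ".ocx"}
# What the extension claims the file is, using classify()'s labels (assumed table).
EXT_EXPECT = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
              ".mp3": "mp3", ".rar": "rar", ".exe": "pe", ".dll": "pe"}


def classify(data: bytes) -> str:
    """Identify content by magic bytes; 'pe' requires e_lfanew to point at 'PE\\0\\0'."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "dos-mz"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:4] == b"PK\x03\x04":     # OOXML (.docx/.xlsx) is a zip container
        return "zip"
    if data[:3] == b"ID3" or data[:2] == b"\xff\xfb":
        return "mp3"
    if data[:6] == b"Rar!\x1a\x07":   # RAR4 and RAR5 share this prefix
        return "rar"
    return "other"


def check_file(name: str, data: bytes, tiny_limit: int = 1024) -> list:
    """Reasons a dropped file looks wrong; empty list means nothing to report."""
    ext = ntpath.splitext(name)[1].lower()
    actual = classify(data)
    reasons = []
    if actual == "pe" and ext not in EXEC_EXTS:
        reasons.append(f"PE image under {ext or 'no'} extension")
    expected = EXT_EXPECT.get(ext)
    if expected and actual != expected:
        reasons.append(f"content is {actual}, not {expected}")
    if len(data) < tiny_limit:
        reasons.append(f"tiny ({len(data)} B) file next to the payload, likely filler")
    return reasons


def scan(files: dict) -> dict:
    """Map file name -> reasons, keeping only files with at least one reason."""
    out = {}
    for name, data in files.items():
        reasons = check_file(name, data)
        if reasons:
            out[name] = reasons
    return out


def _fake_pe() -> bytes:
    # Constructed stand-in for oxhvi.msc: DOS 'MZ' header, e_lfanew = 0x40,
    # 'PE\0\0' at 0x40, then zero padding so it is not counted as tiny.
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + b"\0" * 4096


# Constructed contents; names from the report's RarSFX0 listing plus two controls.
SAMPLE_DIR = {
    "oxhvi.msc": _fake_pe(),                     # renamed PE, 925KB in the report
    "ceacdbp.pdf": b"lorem ipsum " * 40,         # 536B in the report; junk text here
    "bvqmcwxut.docx": b"x" * 572,                # argument passed to oxhvi.msc
    "aiccixqlw.exe": b"filler " * 80,            # .exe name, not a PE
    "wnrs.vbe": b"#@~^" + b"A" * 4000,           # encoded VBScript stand-in
    "real.pdf": b"%PDF-1.7\n" + b"%" * 2000,     # control: benign, matching type
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_DIR).items():
        print(name, "->", "; ".join(reasons))
```

On the constructed directory the scan flags oxhvi.msc (PE under .msc), ceacdbp.pdf and bvqmcwxut.docx (not PDF or OOXML, and tiny), and aiccixqlw.exe (not a PE, and tiny), while wnrs.vbe and the control PDF pass. On a real RarSFX0 directory the same logic would run over `open(path, "rb").read()` for each entry; the extension table should be extended to whatever document types your environment actually drops.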