Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-11-2024 20:22
General
-
Target
nbeggsncal.exe
-
Size
131KB
-
MD5
669c2269eea6c11fd71038f0918193fb
-
SHA1
b2da793470b99bd215fbd9b3c7396ac402b068e9
-
SHA256
ba605ae9b548c05ffa985ddad9217cbdd99c1aecc83ce6e7cf36a162cb69938e
-
SHA512
0759ebe446901ab0974ff7cdac1b5517a7a739890a20858da93aaec94bd06bc4e6cb697b706864d78df044c41211990185b4bd9c00a24c616ce6004f371bc91c
-
SSDEEP
3072:BwL4Lf/x2dKZb/m4bhAPfUZMCn5OnUORrOhm1CsrTzx8iB10V:ikdpR/mm0c2RrhFrh8m0V
Malware Config
Extracted
formbook
nrln
IG7zJSm49UqTTuu/N/oTCIg=
CVLdAPgw0CRSMuZnRRU=
PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG
5i6p4GeQqtBgNRfGNQ==
5984keYswxh8mGZHz4ipAHtQ
VNJaK4Gh0CrOvHpW/p353A==
71rEtrL2icToyKGhcWrTxjsFU5T98zeO
r3q1sy1iZaL+2XIUAob7yw==
9+83Qkrk/vV/jVXsDvoTCIg=
aMFAgYF1prov8/UErH/Y1A==
Alqtx/0rxwEbCLdudftl
ImCbnglBSUHF0mv2tTSP40bPeYao
s4DFNvAJ4GIJ+g==
phOa6mtS8QQICuZnRRU=
7TSu5vqRtB45EZtf4WDSTBHPeYao
ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=
HF7jKjbGox2SAffTPw==
yAM3mOQot5l+cD0ikR5MGp8=
UYzW0/8z70JcQenVLidu1kLPeYao
OoCznp5UWz+hT9OBFXbfVhXPeYao
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe"C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe"C:\Users\Admin\AppData\Local\Temp\nbeggsncal.exe"3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
440KB
MD55d874a46532117f82095481976117fa1
SHA10a33fdef5084db25e24451dbde80238b487fbe78
SHA256d6ccab1423559c6cf50202bc81a4576f969aa9c275eaaeb9a2ac2c827cd60447
SHA512f0624277f3b4839c836291e1d1eb03cda875ba192243427afa967819b213f0cdade02f22e20b786b4680e4faaef20c045ad0a456d5f85fc04d3ab2e081ff4c61
-
Filesize
841KB
MD55fc6cd5d5ca1489d2a3c361717359a95
SHA15c630e232cd5761e7a611e41515be4afa3e7a141
SHA25685c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81
SHA5125f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792
-
Filesize
980KB
-
Filesize
1.6MB
-
Filesize
1024KB
-
Filesize
1.6MB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
2.0MB
-
Filesize
180KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
764KB
-
Filesize
8KB
-
Filesize
188KB
-
Filesize
184KB
-
Filesize
188KB
-
Filesize
184KB