Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-12-2024 02:50

General

  • Target

    79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe

  • Size

    851KB

  • MD5

    95a22e4bce7bd0a47c94cb47cb7e2d3a

  • SHA1

    6d4efe018df36424c66b4a7337b2045fe2c8c03e

  • SHA256

    79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040

  • SHA512

    9b6e5b3ccca79f9847a4ebf27eb5eebeec5ba9988704ce863a30733fb5b7fb953d4769cb411f70bde387d89e7f75e7a9a2ca31c576a634c8a9b374ddbb7313bb

  • SSDEEP

    12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLJoEanOS/H0Rvg/oh8qv60n:ffmMv6Ckr7Mny5QLJoEYOS/URvg/oY6

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cl21

Decoy

0001.shop

earch-parttimejobs.today

are888.top

akanhaunthipped.shop

othing-heyu.xyz

cadvirsor.net

nclanalae.shop

lectric-cars-mexico.today

oxj-question.xyz

ersonalloanoffers.today

ersonalloans-fo54-fo37.click

verybody-ewfx.xyz

ercuremontauban.media

azilimdunyam.net

airs-clinicato.today

wiftsscend.click

ertainly-jbws.xyz

8xeng.app

damekadmitageable.cfd

ollapsedec.shop

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook family
  • Formbook payload 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe
      "C:\Users\Admin\AppData\Local\Temp\79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\79381309c066a4ff2476a0ac2801964f5a82c4f886b590f56e4cfc5ceb307040.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3068
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2508

Network

  • flag-us
    DNS
    www.nline-dating-be-10.today
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.nline-dating-be-10.today
    IN A
    Response
  • flag-us
    DNS
    www.ushyniceneobaza.cfd
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.ushyniceneobaza.cfd
    IN A
    Response
  • flag-us
    DNS
    www.ufdd-interesting.xyz
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.ufdd-interesting.xyz
    IN A
    Response
  • flag-us
    DNS
    www.earch-parttimejobs.today
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.earch-parttimejobs.today
    IN A
    Response
  • flag-us
    DNS
    www.ingledatings46.xyz
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.ingledatings46.xyz
    IN A
    Response
  • flag-us
    DNS
    www.evinedesignz11.net
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.evinedesignz11.net
    IN A
    Response
  • 8.8.8.8:53
    www.nline-dating-be-10.today
    dns
    Explorer.EXE
    74 B
    142 B
    1
    1

    DNS Request

    www.nline-dating-be-10.today

  • 8.8.8.8:53
    www.ushyniceneobaza.cfd
    dns
    Explorer.EXE
    69 B
    134 B
    1
    1

    DNS Request

    www.ushyniceneobaza.cfd

  • 8.8.8.8:53
    www.ufdd-interesting.xyz
    dns
    Explorer.EXE
    70 B
    135 B
    1
    1

    DNS Request

    www.ufdd-interesting.xyz

  • 8.8.8.8:53
    www.earch-parttimejobs.today
    dns
    Explorer.EXE
    74 B
    142 B
    1
    1

    DNS Request

    www.earch-parttimejobs.today

  • 8.8.8.8:53
    www.ingledatings46.xyz
    dns
    Explorer.EXE
    68 B
    133 B
    1
    1

    DNS Request

    www.ingledatings46.xyz

  • 8.8.8.8:53
    www.evinedesignz11.net
    dns
    Explorer.EXE
    68 B
    141 B
    1
    1

    DNS Request

    www.evinedesignz11.net

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1188-11-0x0000000004ED0000-0x0000000004FB8000-memory.dmp

    Filesize

    928KB

  • memory/1188-24-0x0000000007AC0000-0x0000000007C1D000-memory.dmp

    Filesize

    1.4MB

  • memory/1188-22-0x0000000007AC0000-0x0000000007C1D000-memory.dmp

    Filesize

    1.4MB

  • memory/1188-21-0x0000000007AC0000-0x0000000007C1D000-memory.dmp

    Filesize

    1.4MB

  • memory/1188-15-0x0000000004ED0000-0x0000000004FB8000-memory.dmp

    Filesize

    928KB

  • memory/1948-12-0x0000000000880000-0x0000000000898000-memory.dmp

    Filesize

    96KB

  • memory/1948-13-0x0000000000880000-0x0000000000898000-memory.dmp

    Filesize

    96KB

  • memory/1948-14-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB

  • memory/2076-5-0x00000000003F0000-0x00000000003F4000-memory.dmp

    Filesize

    16KB

  • memory/3068-9-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3068-10-0x0000000000140000-0x0000000000154000-memory.dmp

    Filesize

    80KB

  • memory/3068-7-0x00000000009E0000-0x0000000000CE3000-memory.dmp

    Filesize

    3.0MB

  • memory/3068-6-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB