Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-12-2024 17:10
General
-
Target
Shiment PL.exe
-
Size
834KB
-
MD5
1f154fdeb1f182e8e2d4bc203b5ff1f2
-
SHA1
1950bff0632ad10bd951e0fd5d307b58874cfe9a
-
SHA256
aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6
-
SHA512
97dc6d4e23f3928f8895ea63fd1a62eb86e655f537a15876f398db9e392e6f786bbcbd042cdb3a2792bc289521b374bb7d31b858f90dd8b422a1f24c938136f6
-
SSDEEP
12288:4t6HU8+sP4RbSvdVU0ClncgtmQJrx0T5ssFrHIcEooF3ArxMf4XxQ:c83PmSvdV9Cc2m1NlboBAfXxQ
Malware Config
Extracted
formbook
4.1
tw7
prestige-reps.com
nhakhoaquoctesmile.com
sicumplex.com
in36972.com
hikoosbyheidi.com
rayinthecity.com
mjwestwoodphotography.com
radiopeek.com
attisit.com
hdcpos.com
xn--halise-1ua.com
bossroyale.com
blstd.com
wniversitet.com
bethumb.pro
romber.info
bergundy.com
kingscoop.com
antiquefactory.net
loiseaudejade.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Formbook payload 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Shiment PL.exe"C:\Users\Admin\AppData\Local\Temp\Shiment PL.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Shiment PL.exe"C:\Users\Admin\AppData\Local\Temp\Shiment PL.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Shiment PL.exe"3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
80KB
-
Filesize
3.0MB
-
Filesize
184KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
208KB
-
Filesize
856KB
-
Filesize
6.9MB
-
Filesize
432KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
64KB