Overview

overview

10

Static

static

10

formbook.exe

windows7-x64

7

formbook.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 18:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    formbook.exe

  • Size

    181KB

  • MD5

    ab063fa349f25116b15276ad1e2251d7

  • SHA1

    ddcdf4314f2c187d04a066380d97959e62c34dbd

  • SHA256

    dc769e89feccc886334377b01f29dfe4b36c3266c2df8c88ca704919d0b1b938

  • SHA512

    98abbe10c466b8798093963a479fd8bffcc8027feb2be361a092a98ea32f4960a1dc0e14bbd606752db3950fdb84b17763c81db6911390c88c91fbbacb56687c

  • SSDEEP

    3072:/qpUoiXhkew9hCgu9gbxNkqqh7vIu+fiL2+TLmym/yyA2jh:Dxtw6gOuxaqqh7+aKsCymqHwh

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\formbook.exe
      "C:\Users\Admin\AppData\Local\Temp\formbook.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:2456
      • C:\Windows\SysWOW64\autoconv.exe
        "C:\Windows\SysWOW64\autoconv.exe"
        2⤵
          PID:1412
        • C:\Windows\SysWOW64\autoconv.exe
          "C:\Windows\SysWOW64\autoconv.exe"
          2⤵
            PID:2248
          • C:\Windows\SysWOW64\autoconv.exe
            "C:\Windows\SysWOW64\autoconv.exe"
            2⤵
              PID:2152
            • C:\Windows\SysWOW64\autoconv.exe
              "C:\Windows\SysWOW64\autoconv.exe"
              2⤵
                PID:1704
              • C:\Windows\SysWOW64\autoconv.exe
                "C:\Windows\SysWOW64\autoconv.exe"
                2⤵
                  PID:2452
                • C:\Windows\SysWOW64\autoconv.exe
                  "C:\Windows\SysWOW64\autoconv.exe"
                  2⤵
                    PID:2468
                  • C:\Windows\SysWOW64\autoconv.exe
                    "C:\Windows\SysWOW64\autoconv.exe"
                    2⤵
                      PID:2476
                    • C:\Windows\SysWOW64\autoconv.exe
                      "C:\Windows\SysWOW64\autoconv.exe"
                      2⤵
                        PID:2188
                      • C:\Windows\SysWOW64\autoconv.exe
                        "C:\Windows\SysWOW64\autoconv.exe"
                        2⤵
                          PID:2724
                        • C:\Windows\SysWOW64\autoconv.exe
                          "C:\Windows\SysWOW64\autoconv.exe"
                          2⤵
                            PID:2816
                          • C:\Windows\SysWOW64\autoconv.exe
                            "C:\Windows\SysWOW64\autoconv.exe"
                            2⤵
                              PID:2628
                            • C:\Windows\SysWOW64\autoconv.exe
                              "C:\Windows\SysWOW64\autoconv.exe"
                              2⤵
                                PID:2128
                              • C:\Windows\SysWOW64\autoconv.exe
                                "C:\Windows\SysWOW64\autoconv.exe"
                                2⤵
                                  PID:2284
                                • C:\Windows\SysWOW64\autoconv.exe
                                  "C:\Windows\SysWOW64\autoconv.exe"
                                  2⤵
                                    PID:876
                                  • C:\Windows\SysWOW64\autoconv.exe
                                    "C:\Windows\SysWOW64\autoconv.exe"
                                    2⤵
                                      PID:2412
                                    • C:\Windows\SysWOW64\autoconv.exe
                                      "C:\Windows\SysWOW64\autoconv.exe"
                                      2⤵
                                        PID:2672
                                      • C:\Windows\SysWOW64\autoconv.exe
                                        "C:\Windows\SysWOW64\autoconv.exe"
                                        2⤵
                                          PID:2660
                                        • C:\Windows\SysWOW64\autoconv.exe
                                          "C:\Windows\SysWOW64\autoconv.exe"
                                          2⤵
                                            PID:2748
                                          • C:\Windows\SysWOW64\autoconv.exe
                                            "C:\Windows\SysWOW64\autoconv.exe"
                                            2⤵
                                              PID:2780
                                            • C:\Windows\SysWOW64\autoconv.exe
                                              "C:\Windows\SysWOW64\autoconv.exe"
                                              2⤵
                                                PID:2752
                                              • C:\Windows\SysWOW64\cmd.exe
                                                "C:\Windows\SysWOW64\cmd.exe"
                                                2⤵
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: MapViewOfSection
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:2736
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  /c del "C:\Users\Admin\AppData\Local\Temp\formbook.exe"
                                                  3⤵
                                                  • Deletes itself
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2056

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • memory/1212-3-0x0000000007110000-0x000000000726A000-memory.dmp

                                              Filesize

                                              1.4MB

                                              Download

                                            • memory/1212-7-0x0000000007110000-0x000000000726A000-memory.dmp

                                              Filesize

                                              1.4MB

                                              Download

                                            • memory/1740-1-0x0000000000170000-0x0000000000184000-memory.dmp

                                              Filesize

                                              80KB

                                              Download

                                            • memory/1740-2-0x0000000000DBE000-0x0000000000DBF000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1740-0-0x00000000008F0000-0x0000000000BF3000-memory.dmp

                                              Filesize

                                              3.0MB

                                              Download

                                            • memory/2736-6-0x0000000049EC0000-0x0000000049F0C000-memory.dmp

                                              Filesize

                                              304KB

                                              Download

                                            • memory/2736-4-0x0000000049EC0000-0x0000000049F0C000-memory.dmp

                                              Filesize

                                              304KB

                                              Download