Analysis
-
max time kernel
147s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 09:34
General
-
Target
gecikmis bakiye.exe
-
Size
213KB
-
MD5
2374db6853cf78b15f31892c43180857
-
SHA1
5eddc78b5d56fdac3e42af18cf1b5cada38368f5
-
SHA256
92c5014b109cf6b18dbd0466a0b2ce20bb3900d667747c069a367d98651f419a
-
SHA512
021b1f2d467729ee479f25c6be7a5417ecf889ac86d3d340c9cb5fbb741278a6cb3d30921b18ed2d359e16630acfb22abe26240f94f7214d1e3b1d1347d3d24e
-
SSDEEP
6144:HNeZmDuFbUmUCYmtm8X9UiZ5KQzgg4pWI:HNlD4beF4ZzZ5tqH
Malware Config
Extracted
formbook
4.1
d23n
keralalotteryresults.com
cosnerreview.com
tilcompanies.com
tokomakmurjaya.xyz
twmarketz.com
spytfyre.com
eyerafitnessapp.com
faswebs.com
hotcinfin.com
modifidecars.com
xn--rhqwesct95oo2g0ro.com
fruitfulgreenhousefacility.com
pomidor.biz
volondamasterclass.com
latexbbs.com
kkh222.com
ratted.xyz
littlejohnsinc.com
vacationdealscorp.website
bitcoinbil3arabi.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Formbook payload 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gecikmis bakiye.exe"C:\Users\Admin\AppData\Local\Temp\gecikmis bakiye.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jnkbb.exeC:\Users\Admin\AppData\Local\Temp\jnkbb.exe C:\Users\Admin\AppData\Local\Temp\vocoxc3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jnkbb.exeC:\Users\Admin\AppData\Local\Temp\jnkbb.exe C:\Users\Admin\AppData\Local\Temp\vocoxc4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\jnkbb.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
184KB
MD5bcb5d52ddc64d21055e3e2e24b685d30
SHA11d8ebad7e6565f551ec472ebfcfebbb348166e19
SHA25652a683fb786dd4bdee1b9507a4a43ca57e4bfd3441f8884f5a275686220ab961
SHA512ae1bd1bf99d68c933273c2d8183f18962b8ea31ac53a12726c103cef4ef37824e914abd2f8b379d2be44f125a94ef9929b64ce19983a45e7a58bde290f16ff32
-
Filesize
5KB
MD54164b3fc5d4fe4efb82020c68d870877
SHA1e9c0faac746dbc5e86cd4acd9f447ce9900fc56e
SHA2560fd13e41a4eb916d6a3098b16ca3402569cddfc5095d8db6ce235d93956440f0
SHA512a4898ace453e8e08ca92be645af521b2d41e7e189fc0bdcd7792607d37f2b3fc300431e309d9b2bc0ad4d6c067bfd7d3b7d951dccc1fb706bf71b19b76d15a64
-
Filesize
4KB
MD5513ec601b4cd4e5b3453805337b08116
SHA11494f6490d448ec0d5a16817b4e02b9c093f93c2
SHA256ca770e8d07d951e267ad1a84d247a0ca50376b92f0f022bfb8920c620ea71a06
SHA5123b367b6af540b150a0b8f833379c3a9328d0a58342affd4b56afa66fabbb608146bf67e8d72748ee9b56bc39caf256e0a4716934a57bf96376905e403da75f1f
-
Filesize
2.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
188KB
-
Filesize
8KB
-
Filesize
188KB
-
Filesize
188KB