Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-12-2024 03:03
General
-
Target
OtKlDrIky.exe
-
Size
1.2MB
-
MD5
4dd9b0d139a7c9618fa5344e6b1387f8
-
SHA1
53138f14140eb1c253e7985b8385e3853e5a5ac8
-
SHA256
73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
-
SHA512
754b31faed9881071816f2f6a1cd1ae71cae4c0b0590dc22e44211fc2c33d436e62e0b9ac28881284f1e176bdc8ec414db165776391dfa7ba238baa301465ed3
-
SSDEEP
24576:tdbfh8PGaONqv3Dp2E4xGREkcMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM+MMMMK:vyPGaOgNfREkcMMMMMMMMMMMMMMMMMM+
Malware Config
Extracted
formbook
4.1
cmd
marksmanrealestate.com
weeiter.com
dimody.com
tufftech.pro
romber.info
2theothercurb.com
maskibeauty.com
kreativedough.com
adanacatering.com
wordzninja.com
testxyy.xyz
lifeafterbobby.com
sunsageherbs.com
dentoncountyattorneys.media
18176732933.com
fjhgllnrz.icu
cryptobankcustody.com
theinternetproducer.com
motinik.com
getcatickets.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Formbook payload 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OtKlDrIky.exe"C:\Users\Admin\AppData\Local\Temp\OtKlDrIky.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OtKlDrIky" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F11.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD513acc8f6bd5ba8fe2280ff5fc51aaa12
SHA1b195b220ba469628d9c74d6f1f07819bcb601cfa
SHA256a1ef01188b4dcabccd82418ac9fc57e0af8c904209d4660b233cf4680015372a
SHA512ed44439b73ba60b1acb7d26e34a84f022de5cb9e2c9d9d050e295dbc63ebf1e83a38ce00b77d74511ffb4c5f11997f6fa6eb10cbac3277c054a28aa1983b44f9
-
Filesize
184KB
-
Filesize
80KB
-
Filesize
3.3MB
-
Filesize
184KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
376KB
-
Filesize
280KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
1.2MB
-
Filesize
5.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB