Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-12-2024 21:15
General
-
Target
FORMBOOK.exe
-
Size
1.4MB
-
MD5
f2b788dd73b7ead8f3721782f2034fe4
-
SHA1
f6dc7ba2b002c430f5693efdc79123f7e519bcb8
-
SHA256
3c011d08f75514a4f4bcdd02314b903c546ad8f16186541f8f79661744100e5b
-
SHA512
a6c0ace122fdc9897666a5520934b22523a53a2d2d0e1f586b3b8600a695d7f2f4327243e030934c126717b12cea534123d1cea47f9507c4241d1c2e31a16bc5
-
SSDEEP
24576:ugZYp/WKU61KnS/IHqjQt6LBknxzqx2e4ZTq+9TrLZ7BO+m/7gnM:uQY5bdIJH6Umkx0kZR9y+q7gnM
Malware Config
Extracted
formbook
3.7
ol
strucewe.info
woodenboxescompany.com
advertisingstreaming.com
deyimeng.com
brightestcolorimaginable.com
magnusmaterial.net
juicyflights.co.uk
xtraincome4you.com
atxiao.net
iscreenuscream.com
mytmaps.com
kursbhp.online
dapurbundakreatif.com
beheartratemonitoringkey.live
vfullmovie.info
sueredman.com
protonpoetic.win
chungcusamsora-premier.com
wpexpert.store
edition62.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
UAC bypass 3 TTPs 1 IoCs
-
Formbook payload 4 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 4 IoCs
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
NTFS ADS 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FORMBOOK.exe"C:\Users\Admin\AppData\Local\Temp\FORMBOOK.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "NDODRC\NDODRC" /XML "C:\Users\Admin\AppData\Roaming\NDODRC\aYYYYY.xml"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UUKAL.exe"C:\Users\Admin\AppData\Local\Temp\UUKAL.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\log\pass.exe all4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /k systeminfo4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo5⤵
- System Location Discovery: System Language Discovery
- Gathers system information
-
-
-
C:\Users\Admin\AppData\Roaming\log\AutoUpdate.exeC:\Users\Admin\AppData\Roaming\log\AutoUpdate.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /k HOSTNAME5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\HOSTNAME.EXEHOSTNAME6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Gathers network information
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\svchost.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5830e1a7f3c8f8aa94f7fe9916f115268
SHA17eba587b185a74a287e1f5f9f0a63915cc7879c8
SHA2568aa4955799ed9b6da3577e8d36833cf145c5b3dfe952aa830192b14444e5abdb
SHA512e03326aac51fb9d1ca073c2bc9115248efe3ebee1afd7d936e39ad71ff0f33394d112f7a763911f55038427ec359ab03edf6be5216fd28e0cbb0752d440ccd90
-
Filesize
425KB
MD546721a3efbf419d488a9edb6d7455fc4
SHA1953b089d25e49c49a60bd55b9932cb4f9692c3b9
SHA256ec42ab441118c6e250c8599d0657c0cf4b4c0f12e0a1b007c238d6c912000b60
SHA5122733463300a9fc2bbad76b4375f14cf228d65242f8b62bd759352ec6d6b35703b29c149846574f3a9de244fca6a645b0cc462c9b92e093b3618cf6988fa221eb
-
Filesize
2KB
MD5ecea0758b3c430ddd1d090cc2243b104
SHA1f3204dbe39e58969e2c2306975dea7ba49d41ded
SHA2565a347fc3ac8124198234bea1b47019b573dde168ec3cbf61106fa1d730479997
SHA512fbff9afbf804544818e33a27f0f0ad6045eb078ead0d729f7025019d851720a0a42bf2072972ffef5f45da528f3d4c35d0ae9daaf774bf1fc166bacee0767ee3
-
Filesize
809KB
MD5331540893e6ac4aee88da129642c4297
SHA150a2352759dffccc2aa62a514208d87562c939a4
SHA2569ca3bb17941fb4b27a1d05db3a4e4c1c2d445482e04886af940fe6b39c937800
SHA512ce8251f35c5ca226f764f0213220e22fa9de8337d72e2c48769f3eec3984f86d37ba59741f6de599ed20aebe32e260785bece205637602dbe3ed72bbeecfdc9c
-
Filesize
1.2MB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
3.0MB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB