Analysis

  • max time kernel
    146s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    27-12-2024 00:17

General

  • Target

    5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe

  • Size

    241KB

  • MD5

    671f622caaaad9137a2eb0663ca0ec70

  • SHA1

    f93256448a08355dccb1f3348e435f997a8a2319

  • SHA256

    5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5

  • SHA512

    46d9dcd869d919e03c032ea152900f8463298a90cbf598b31c6eb2e6a60c006fd03a2e5114402e69abba84da1dda724226b207a86380746403f315302f394977

  • SSDEEP

    6144:rGix6Ah4a/KCdg5GfMF5PPTw1hTbqWDgCKz+/cIGdwxWa:N6S4a/5dxww1hCWDjCyG+n

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

se29

Decoy


Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook family
  • Formbook payload (3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (31 IoCs)
  • Suspicious behavior: MapViewOfSection (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (19 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe
      "C:\Users\Admin\AppData\Local\Temp\5e642e91516b72121ba30456c103234eaad7895a69929a3b35f0f540a6b8c6c5.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Users\Admin\AppData\Local\Temp\lsyvak.exe
        C:\Users\Admin\AppData\Local\Temp\lsyvak.exe C:\Users\Admin\AppData\Local\Temp\viwmpw
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Users\Admin\AppData\Local\Temp\lsyvak.exe
          C:\Users\Admin\AppData\Local\Temp\lsyvak.exe C:\Users\Admin\AppData\Local\Temp\viwmpw
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2464
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\lsyvak.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5vdpg0tqdnax6

    Filesize

    210KB

    MD5

    256a6b52e7a5738716832f1a293648fc

    SHA1

    59a8727f230e9f68b296651726fe5befd30dbf85

    SHA256

    a2b67befb327e3bc10a202d73bbbb4d03187d880e2877b6d4f8869284f6e18e3

    SHA512

    0304b68fe55b5ec9fbb0d60f028e9b6c18f06e4a971437736a88dbb48a530363a85a4d2ad1d35b5e50662feec3861a0485bdb352f5b1d8f375c21c71cb15dc4f

  • C:\Users\Admin\AppData\Local\Temp\viwmpw

    Filesize

    4KB

    MD5

    ca134a4293baf2ed6147bd575ad0639b

    SHA1

    a3c93e966d2ab881d5f4e31da82f606b15225bc1

    SHA256

    1b92753015bae55b024807dff0657bcb41c4831ab44d1bd10972310ca181bd14

    SHA512

    958aa23b8ef63131390e9eb5f55244168aa49704f6f9d52554b9d898a80d88cebc2115df85ffea0752cd01232a6976332fc72ae5ffd1a0970d851b692ae5dc26

  • \Users\Admin\AppData\Local\Temp\lsyvak.exe

    Filesize

    5KB

    MD5

    665da445aa2fbecbaa1750cac3a263a4

    SHA1

    48b6e12c571d12c18f44516f74e0548f8289ade2

    SHA256

    1a41e1aec75c713684245dc5235fd61e70d221d01b44a1dd9dc065578bd21670

    SHA512

    722e11f030555c065124034f52d2ce1cf078996b8493d870caa67ff99d9a723fa4a7c9d0bdc6dbd026a38522fb4aefbcf6ec35ffc9bcd013ab357454eefc2169

  • memory/1204-22-0x00000000055C0000-0x000000000569D000-memory.dmp

    Filesize

    884KB

  • memory/1204-18-0x00000000055C0000-0x000000000569D000-memory.dmp

    Filesize

    884KB

  • memory/2464-17-0x0000000000150000-0x0000000000164000-memory.dmp

    Filesize

    80KB

  • memory/2464-14-0x0000000000910000-0x0000000000C13000-memory.dmp

    Filesize

    3.0MB

  • memory/2464-16-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2464-12-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2904-8-0x0000000000150000-0x0000000000152000-memory.dmp

    Filesize

    8KB

  • memory/2948-20-0x0000000000B80000-0x0000000000B96000-memory.dmp

    Filesize

    88KB

  • memory/2948-19-0x0000000000B80000-0x0000000000B96000-memory.dmp

    Filesize

    88KB

  • memory/2948-21-0x00000000000C0000-0x00000000000EF000-memory.dmp

    Filesize

    188KB