Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-12-2024 00:34

General

  • Target

    3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe

  • Size

    919KB

  • MD5

    fef7047ab5a223c930108b5b61e332bd

  • SHA1

    25f25911db849bc152a097ecc3a5e46e5a4aa3d1

  • SHA256

    3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261

  • SHA512

    73ef3ff8bc916155b467de260dcd0f4484f1771dcfc2035bf5f80f855ce073b6e5b57c28810d7da0535c700579ce6bcc8cf3a22d983d7e22e7667dbd33b78f3b

  • SSDEEP

    12288:fPDc9F3nC0Py3gAhmioPFg/Krib63eLojTLKvdgtaFs9Ab9h+tT1Oy3fRWCLWkbY:fQiQ1roS3XYdsYs9A63R7L4

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

odse

Decoy

braedlifestyle.com

morganjohnsondesign.online

surup-v48.club

diypoolpaint.sydney

v-b7026-ghhh.space

vetyvar.com

lollydaisy.com

campsitesurvival.com

autocalibre.com

fusiontech3d.com

xn--udkog0cvez259c82sa.xyz

eccentricartist.com

jc-zg.com

wacwin.com

livehealthychoice.com

visijuara.com

phigsa.com

sabayawork.com

afcerd.com

joeyshousesessions.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook family
  • Formbook payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3428
    • C:\Users\Admin\AppData\Local\Temp\3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe
      "C:\Users\Admin\AppData\Local\Temp\3cc61e3b10971812969457d5c2f23ddaffd81ba130c8b0a13614e81988891261.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExIBogwV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73A4.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3376
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3392
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp73A4.tmp

    Filesize

    1KB

    MD5

    bd2755dd3be6ce1e1a922573b6d853e0

    SHA1

    bf3a02d307b614d16696f3a2ae4ca1e806ca50df

    SHA256

    ef1aa800a3231b3490f5b340a208cfd9b5323b75a29ed8fdb105db3c78bb144c

    SHA512

    7a2096aea1af7a746324c63d9f3dd9af1babae1248834dfc2febac148127c252a184be69b8205f3f70e95152be2787d1d10f44cb699098c678335f242c88903a

  • memory/1544-19-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

  • memory/1544-8-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

    Filesize

    4KB

  • memory/1544-3-0x0000000005090000-0x0000000005122000-memory.dmp

    Filesize

    584KB

  • memory/1544-4-0x0000000005050000-0x000000000505A000-memory.dmp

    Filesize

    40KB

  • memory/1544-5-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

  • memory/1544-6-0x00000000051F0000-0x000000000528C000-memory.dmp

    Filesize

    624KB

  • memory/1544-7-0x0000000005130000-0x0000000005148000-memory.dmp

    Filesize

    96KB

  • memory/1544-2-0x0000000005640000-0x0000000005BE4000-memory.dmp

    Filesize

    5.6MB

  • memory/1544-9-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

  • memory/1544-10-0x0000000006140000-0x00000000061F8000-memory.dmp

    Filesize

    736KB

  • memory/1544-11-0x0000000005EC0000-0x0000000005F0A000-memory.dmp

    Filesize

    296KB

  • memory/1544-1-0x0000000000570000-0x000000000065C000-memory.dmp

    Filesize

    944KB

  • memory/1544-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

    Filesize

    4KB

  • memory/2084-31-0x0000000000F80000-0x0000000000F8B000-memory.dmp

    Filesize

    44KB

  • memory/2084-30-0x0000000000F80000-0x0000000000F8B000-memory.dmp

    Filesize

    44KB

  • memory/3392-27-0x0000000003710000-0x0000000003724000-memory.dmp

    Filesize

    80KB

  • memory/3392-23-0x0000000001C60000-0x0000000001C74000-memory.dmp

    Filesize

    80KB

  • memory/3392-20-0x00000000018F0000-0x0000000001C3A000-memory.dmp

    Filesize

    3.3MB

  • memory/3392-22-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3392-26-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3392-17-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3428-24-0x0000000008850000-0x00000000089D8000-memory.dmp

    Filesize

    1.5MB

  • memory/3428-29-0x0000000008850000-0x00000000089D8000-memory.dmp

    Filesize

    1.5MB

  • memory/3428-28-0x0000000002B60000-0x0000000002C4E000-memory.dmp

    Filesize

    952KB

  • memory/3428-35-0x0000000008A90000-0x0000000008BEC000-memory.dmp

    Filesize

    1.4MB

  • memory/3428-32-0x0000000002B60000-0x0000000002C4E000-memory.dmp

    Filesize

    952KB

  • memory/3428-38-0x0000000008A90000-0x0000000008BEC000-memory.dmp

    Filesize

    1.4MB

  • memory/3428-37-0x0000000008A90000-0x0000000008BEC000-memory.dmp

    Filesize

    1.4MB