Analysis
-
max time kernel
147s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
29-12-2024 02:44
General
-
Target
PO # 45347212.exe
-
Size
429KB
-
MD5
9d83142b0bdb6f149eca4a5724574c0f
-
SHA1
126271e8e9084d595bdd9ca65a2de20d0568ba7f
-
SHA256
97349abd1ac7763287f0d08aab708bb4fe8d02989d5454a5f09f68d62b0995e6
-
SHA512
100ed5689bca3f17fedc3471e9d4802ca3ca7c71a82f46afc46fea8c1818bc6c344f2372ab80b43cc4b23bbbb95cc2ddd5d883eb57ee11f976b15a554e25870f
-
SSDEEP
12288:XYtsFABgFW4wxoUmzV8O5b3kRc+4OHhInYXm2Pcg:XEBugxoHzVDb3YDMnmcg
Malware Config
Extracted
formbook
4.1
cx0
avtnywveba.club
championmanifesto.com
fuehren.net
smallbusinesshelps.com
langshun168.com
maxonone.com
2commasummit.com
feat.gallery
rgsbc.com
gamefa88vn.pro
dandeliondesignart.com
mksso-real.com
shroomsconnect.com
boscoandthebees.com
payday-loans.space
maryaab-lpc.com
vaaccidentdoctorsnearme.info
ensley1961.com
viilaa.com
paraboliclight.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Formbook payload 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PO # 45347212.exe"C:\Users\Admin\AppData\Local\Temp\PO # 45347212.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RQmiqTiKa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69A2.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\PO # 45347212.exe"C:\Users\Admin\AppData\Local\Temp\PO # 45347212.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\PO # 45347212.exe"C:\Users\Admin\AppData\Local\Temp\PO # 45347212.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\PO # 45347212.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5d48fdadf452655ff3ddd387b056daf0b
SHA107fd6d81fb7abb9f502eaedb4730fc399df27310
SHA2566d707202ed42f4c8678719d7a43cf30da908fc49176f591e92cfb5276c7a8e27
SHA5122bf84935a870a5624b17986da6ee1aac03d2e2d6ee1881199e6049ea3640cdf8f8d18cee1276996b4342c8be8017f83fe045a83595dbcc24448276430b6d6c73
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
6.5MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
456KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
80KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
1.2MB
-
Filesize
704KB
-
Filesize
1.2MB