Overview

overview

10

Static

static

3

INV-7182234 PDF.exe

windows7-x64

10

INV-7182234 PDF.exe

windows10-2004-x64

10

Purchase o...an.lnk

windows7-x64

6

Purchase o...an.lnk

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2024 05:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INV-7182234 PDF.exe

  • Size

    713KB

  • MD5

    62ff7b0794ea1490f930958e19d6a26b

  • SHA1

    6af133db25d9f2183877f7b094fcda32828b30d3

  • SHA256

    167bf768c164ac7181b18d6ce91cd51f7d3cd40470a8c8f67bb4a8e2bf00b65b

  • SHA512

    4e923724d2890cdaa5f652d5fa12d31713f8e9dca9e18eb07e76c6679b1498c513b86b0f2d81a2a0c1905779f068655c889333252d4ac9714222aee42130d126

  • SSDEEP

    12288:uXqgHEGTXTI86bB7o5qwTW7py12qk4h7zJdpDj2UnrbSmnCFdfZtL/wgGgOUBZqQ:uXqyE8s7tck6xP2UrbadZtp

Score
10/10
formbookgc9discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gc9

Decoy

mahiroglunakliyat.xyz

zhonghemao.com

luxunwrapped.store

dchealthsolutions.com

smoothcupofjoe.com

lavmeantikuman.com

tryvlviscal.com

barefootwildbakery.com

anticoronapreventionshop.com

transactionreview.info

pierdapesoyganeplata.com

stella-tgsei-df-01.com

jagarnat.com

dadadongy.asia

streamload.xyz

lehighvalleytubing.com

happywife101.com

bitcominformatics.com

profxbenefits.com

djskitchenevents.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\INV-7182234 PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\INV-7182234 PDF.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\INV-7182234 PDF.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:3008
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:2696
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:2704
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:2712
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:2724
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:2756
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:2768
                  • C:\Windows\SysWOW64\autofmt.exe
                    "C:\Windows\SysWOW64\autofmt.exe"
                    2⤵
                      PID:1936
                    • C:\Windows\SysWOW64\autofmt.exe
                      "C:\Windows\SysWOW64\autofmt.exe"
                      2⤵
                        PID:2528
                      • C:\Windows\SysWOW64\autofmt.exe
                        "C:\Windows\SysWOW64\autofmt.exe"
                        2⤵
                          PID:2580
                        • C:\Windows\SysWOW64\autofmt.exe
                          "C:\Windows\SysWOW64\autofmt.exe"
                          2⤵
                            PID:3016
                          • C:\Windows\SysWOW64\autofmt.exe
                            "C:\Windows\SysWOW64\autofmt.exe"
                            2⤵
                              PID:2536
                            • C:\Windows\SysWOW64\autofmt.exe
                              "C:\Windows\SysWOW64\autofmt.exe"
                              2⤵
                                PID:2176
                              • C:\Windows\SysWOW64\autofmt.exe
                                "C:\Windows\SysWOW64\autofmt.exe"
                                2⤵
                                  PID:2308
                                • C:\Windows\SysWOW64\autofmt.exe
                                  "C:\Windows\SysWOW64\autofmt.exe"
                                  2⤵
                                    PID:1924
                                  • C:\Windows\SysWOW64\autofmt.exe
                                    "C:\Windows\SysWOW64\autofmt.exe"
                                    2⤵
                                      PID:1476
                                    • C:\Windows\SysWOW64\autofmt.exe
                                      "C:\Windows\SysWOW64\autofmt.exe"
                                      2⤵
                                        PID:1784
                                      • C:\Windows\SysWOW64\autofmt.exe
                                        "C:\Windows\SysWOW64\autofmt.exe"
                                        2⤵
                                          PID:844
                                        • C:\Windows\SysWOW64\autofmt.exe
                                          "C:\Windows\SysWOW64\autofmt.exe"
                                          2⤵
                                            PID:784
                                          • C:\Windows\SysWOW64\autofmt.exe
                                            "C:\Windows\SysWOW64\autofmt.exe"
                                            2⤵
                                              PID:628
                                            • C:\Windows\SysWOW64\autofmt.exe
                                              "C:\Windows\SysWOW64\autofmt.exe"
                                              2⤵
                                                PID:1144
                                              • C:\Windows\SysWOW64\autofmt.exe
                                                "C:\Windows\SysWOW64\autofmt.exe"
                                                2⤵
                                                  PID:2876
                                                • C:\Windows\SysWOW64\autofmt.exe
                                                  "C:\Windows\SysWOW64\autofmt.exe"
                                                  2⤵
                                                    PID:2792
                                                  • C:\Windows\SysWOW64\autofmt.exe
                                                    "C:\Windows\SysWOW64\autofmt.exe"
                                                    2⤵
                                                      PID:2952
                                                    • C:\Windows\SysWOW64\autofmt.exe
                                                      "C:\Windows\SysWOW64\autofmt.exe"
                                                      2⤵
                                                        PID:2596
                                                      • C:\Windows\SysWOW64\cmstp.exe
                                                        "C:\Windows\SysWOW64\cmstp.exe"
                                                        2⤵
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious behavior: MapViewOfSection
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:1152
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          /c del "C:\Users\Admin\AppData\Local\Temp\INV-7182234 PDF.exe"
                                                          3⤵
                                                          • Deletes itself
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1708

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • memory/1152-27-0x0000000000090000-0x00000000000BE000-memory.dmp

                                                      Filesize

                                                      184KB

                                                      Download

                                                    • memory/1152-26-0x0000000000C80000-0x0000000000C98000-memory.dmp

                                                      Filesize

                                                      96KB

                                                      Download

                                                    • memory/1152-24-0x0000000000C80000-0x0000000000C98000-memory.dmp

                                                      Filesize

                                                      96KB

                                                      Download

                                                    • memory/1200-18-0x0000000004EF0000-0x0000000005029000-memory.dmp

                                                      Filesize

                                                      1.2MB

                                                      Download

                                                    • memory/1200-28-0x0000000006760000-0x0000000006869000-memory.dmp

                                                      Filesize

                                                      1.0MB

                                                      Download

                                                    • memory/1200-23-0x0000000006760000-0x0000000006869000-memory.dmp

                                                      Filesize

                                                      1.0MB

                                                      Download

                                                    • memory/1200-22-0x0000000004EF0000-0x0000000005029000-memory.dmp

                                                      Filesize

                                                      1.2MB

                                                      Download

                                                    • memory/1272-6-0x0000000005340000-0x00000000053C6000-memory.dmp

                                                      Filesize

                                                      536KB

                                                      Download

                                                    • memory/1272-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1272-1-0x0000000001210000-0x00000000012C8000-memory.dmp

                                                      Filesize

                                                      736KB

                                                      Download

                                                    • memory/1272-2-0x0000000074B80000-0x000000007526E000-memory.dmp

                                                      Filesize

                                                      6.9MB

                                                      Download

                                                    • memory/1272-3-0x0000000000220000-0x000000000022A000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/1272-13-0x0000000074B80000-0x000000007526E000-memory.dmp

                                                      Filesize

                                                      6.9MB

                                                      Download

                                                    • memory/1272-4-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1272-7-0x00000000046D0000-0x000000000473E000-memory.dmp

                                                      Filesize

                                                      440KB

                                                      Download

                                                    • memory/1272-5-0x0000000074B80000-0x000000007526E000-memory.dmp

                                                      Filesize

                                                      6.9MB

                                                      Download

                                                    • memory/2808-16-0x0000000000400000-0x000000000042E000-memory.dmp

                                                      Filesize

                                                      184KB

                                                      Download

                                                    • memory/2808-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2808-17-0x0000000000290000-0x00000000002A4000-memory.dmp

                                                      Filesize

                                                      80KB

                                                      Download

                                                    • memory/2808-21-0x00000000003D0000-0x00000000003E4000-memory.dmp

                                                      Filesize

                                                      80KB

                                                      Download

                                                    • memory/2808-20-0x0000000000400000-0x000000000042E000-memory.dmp

                                                      Filesize

                                                      184KB

                                                      Download

                                                    • memory/2808-14-0x0000000000950000-0x0000000000C53000-memory.dmp

                                                      Filesize

                                                      3.0MB

                                                      Download

                                                    • memory/2808-8-0x0000000000400000-0x000000000042E000-memory.dmp

                                                      Filesize

                                                      184KB

                                                      Download

                                                    • memory/2808-9-0x0000000000400000-0x000000000042E000-memory.dmp

                                                      Filesize

                                                      184KB

                                                      Download

                                                    • memory/2808-12-0x0000000000400000-0x000000000042E000-memory.dmp

                                                      Filesize

                                                      184KB

                                                      Download