Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-12-2024 23:38
General
-
Target
0CT2020PI.exe
-
Size
449KB
-
MD5
0323276cec08509c8e789d02a72e91f6
-
SHA1
42e777f48b451e11bdc6a94966402318c30e1e18
-
SHA256
42e9c8cb3f59920b9ba876d6ada4d7a23c4feea3bfd5d93e6758da2ab1d470c5
-
SHA512
6e2d59de9016ef9e37ae76d1d94091c95a0b523c113d3b346b523ec788b4d0c596130c4ba76cab1729e50302cb25845d47be7d76b033c39b1b88f5bda3f25b0d
-
SSDEEP
6144:SqoZ0sHMGbBUkuetgzBgj8XG4p4Ir8ZOCfdaDe2ji7qK1GPxL1+zfZCpPnpmwuFs:SqoOT94IrQ5dFWif1GpL4UaSZNL
Malware Config
Extracted
formbook
4.1
wt6
mdjbjsc.com
twosparrowslsbusiness.com
captipe.info
spirtofafrica.com
teacher4today.com
d9masks.com
americanveteransparks.com
originvinylvermont.com
lifeguardboat.net
neynunescuritiba.com
4activelife.xyz
tiniytie.com
schirmenworld.com
nogbeter.com
bikerm.com
higherpurposeproject.com
melloband.com
cremgrs.com
chengyuanwai.com
multiplewealthsecrets.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Formbook payload 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Windows security modification 2 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0CT2020PI.exe"C:\Users\Admin\AppData\Local\Temp\0CT2020PI.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\0CT2020PI.exe"C:\Users\Admin\AppData\Local\Temp\0CT2020PI.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\0CT2020PI.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
184KB
-
Filesize
3.3MB
-
Filesize
80KB
-
Filesize
184KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
344KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB