Analysis

  • max time kernel
    146s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-12-2024 01:26

General

  • Target

    INCENTIVE.exe

  • Size

    435KB

  • MD5

    a8dd9be8f05730b0b3da0aa0524d4041

  • SHA1

    585ce6f6c047ae07daf2754cdd9f011f8bb8343b

  • SHA256

    d30c25033a8cd080bc76463ad1ef591f61b66b5bf36aae6557d9664714908614

  • SHA512

    7a584d294a8702f03ee91f6047c08a9e1ed56742f1a1d19ff9a99778ea5b1270b44d67cf0450fd5e98b75df7d47208e6259efec3c486dfe39e1d5ccd62713dc1

  • SSDEEP

    12288:UbLr/1vBE8A8gJ+7rWMtE2bbOu8Nsw+Qw7n/C8c:UTNRWw77tE23Ol+n/C8c

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n62s

Decoy

renabic.com

thesanaservice.xyz

lifemadegood.com

lovedowlin.com

dobro46.online

birotoafyon.com

haztol.xyz

917mainstreet.com

letshelpourselves.website

mysticalbloodmoon.com

legallyblondeattorney.com

metagoldenstate.com

ylhsklzjs.com

thejupitercraft.com

josephineclaimhelp.com

flowstorellc.com

eyeofthegate.com

asahi1500.com

ochumare.com

hieslerpark.com

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook family
  • Formbook payload 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\INCENTIVE.exe
      "C:\Users\Admin\AppData\Local\Temp\INCENTIVE.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Users\Admin\AppData\Local\Temp\INCENTIVE.exe
        "C:\Users\Admin\AppData\Local\Temp\INCENTIVE.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2512
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\INCENTIVE.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsyA767.tmp\wslelgm.dll

    Filesize

    303KB

    MD5

    7c38758347c69368b8bdff2f7a5ba99c

    SHA1

    70c318991c2515844ecc96714f5ad777d2e7e6a7

    SHA256

    fcb8bd3b27beffa5255fbc8b485b038b321043eecd77fc21cf4798446c21a971

    SHA512

    5d04876c8b1dd9a2d691d832471ad650ac85b95503c02aacde848f3b4f6f9f99c861b5a5f8e3e401145e6bbd78f59b8dddc8f24207a52d57afa3efe8940ecdac

  • memory/1216-14-0x0000000005030000-0x0000000005157000-memory.dmp

    Filesize

    1.2MB

  • memory/1216-20-0x0000000005030000-0x0000000005157000-memory.dmp

    Filesize

    1.2MB

  • memory/1344-17-0x0000000000980000-0x0000000000989000-memory.dmp

    Filesize

    36KB

  • memory/1344-18-0x0000000000980000-0x0000000000989000-memory.dmp

    Filesize

    36KB

  • memory/1344-19-0x00000000000C0000-0x00000000000EF000-memory.dmp

    Filesize

    188KB

  • memory/2100-10-0x0000000000090000-0x0000000000190000-memory.dmp

    Filesize

    1024KB

  • memory/2512-11-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2512-13-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB