Analysis
-
max time kernel
147s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
30-12-2024 17:36
General
-
Target
SHIPPING DOCUMENTS.exe
-
Size
286KB
-
MD5
3bfed708b8b2bb2218e5aaea51af6c87
-
SHA1
89f8ddd855e13bbfadd3bc0fabba8f92242eb6b7
-
SHA256
c05bf234f0a814069b3cd844d38944e8e704bff80981657d549041b84c905da0
-
SHA512
bdc3657efb44736c96857c3a63d53b9ed4bd71c4c022fbd87f18f59aa46fda87f8ff0e4be735efbee7e06dc2e1dd2010996e51d0c06a7bcbf09c40e0960da46e
-
SSDEEP
6144:6Qqes0a6E1950u0f96+A9VIbpY26NIctdRPvB:816sPlZkpAIctfPvB
Malware Config
Extracted
formbook
4.1
ngvm
justiceforashleymoore.com
tyqbfe.com
zydonghua.com
crossfootwear.com
mysticlight-shop.com
digitaldefenseacademy.com
joyfulgoodies.com
blog-kotori-haru.com
atelierlinneakunstoghelse.com
destinyonlineacademy.com
series.onl
bellizzo.com
totalscalpsolutions.com
musicrowstudiorecording.com
digitalgamerentals.com
princecreativehk.com
bitchesofzion.com
imodalmarine.com
chilly-sauce.com
studionikolla.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Formbook payload 4 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"3⤵
- Suspicious use of SetThreadContext
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
8KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
184KB