Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-01-2025 03:07

General

  • Target

    a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe

  • Size

    650KB

  • MD5

    1b507df9a13477b647da450a1b79b2e7

  • SHA1

    b0de85855b3462fe0b37c79831b391eeb044e437

  • SHA256

    a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91

  • SHA512

    37dcc8dd92a84009f81ebf394001de49bcf75818227bdbe135578f8f1dc57f4119c4cb6efd91ec70fe12202854ca472ec7435d3c0f713bf770f09967d61fe6a7

  • SSDEEP

    12288:kYRxA4Y5lyA/BxSPC3NMl2v/wXb5DDH6dcW6f8HtdJqT6B2zJxWVqHU:bRB2XM5UN60STUAJE

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook family
  • Formbook payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe
        "C:\Users\Admin\AppData\Local\Temp\a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2700
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DjsaCPLWOz.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2696
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp"
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2676
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2656

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp

      Filesize

      1KB

      MD5

      1f293de77ffdf6876715ed40519fd288

      SHA1

      aa837544c6d8d38db4e387e4adcca03ee17fc12f

      SHA256

      bea7334fbb21fabb3ea71877a093c7178ea114dbc9fad11990384cf5a8f46deb

      SHA512

      c139382dec6b67bda421b1110656de23d15d2f67a719793b42407e12f34eed2bfef4b439cdebf5c96622f5b56c767f2e7e3ff1063c896de4bc22f5908726222d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      54517a1db839d1d82d2d8289c18d8998

      SHA1

      857f5980ff0da5632e305002e45b02fbf475c8c0

      SHA256

      2befac9a178b0c34bbcfa02f9fb32e419a695b977b4d5234d87857b6840fd7bb

      SHA512

      054bb74aafe028fbc7dbc7bdaa1d1c4091a277513a890f60334eb33cec23cc626b9422eb43c5172f6b07d1f93d5eb065a592222a4f7b73ab08a09068d54e6033

    • memory/1056-6-0x0000000004480000-0x00000000044FA000-memory.dmp

      Filesize

      488KB

    • memory/1056-3-0x0000000000520000-0x000000000053A000-memory.dmp

      Filesize

      104KB

    • memory/1056-4-0x00000000740EE000-0x00000000740EF000-memory.dmp

      Filesize

      4KB

    • memory/1056-5-0x00000000740E0000-0x00000000747CE000-memory.dmp

      Filesize

      6.9MB

    • memory/1056-0-0x00000000740EE000-0x00000000740EF000-memory.dmp

      Filesize

      4KB

    • memory/1056-2-0x00000000740E0000-0x00000000747CE000-memory.dmp

      Filesize

      6.9MB

    • memory/1056-1-0x0000000000110000-0x00000000001B8000-memory.dmp

      Filesize

      672KB

    • memory/1056-25-0x00000000740E0000-0x00000000747CE000-memory.dmp

      Filesize

      6.9MB

    • memory/2656-24-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2656-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/2656-19-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2656-21-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2656-27-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB