Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-01-2025 02:44

General

  • Target

    422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe

  • Size

    678KB

  • MD5

    9b6ddf7049adfbefacd1dbdfe4350061

  • SHA1

    e9451cd4cae7a1d50ae0cdc17156dc685b5158f7

  • SHA256

    422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf

  • SHA512

    fcf96b148e9a5369a264f138621a67eb8d3c79b3a39587e5b225aad94dd103fa67b9020b7559d41212019b4c168e9dfd7b7633c6e82a8248261cb5d1cccfd5a8

  • SSDEEP

    12288:G59aYwdc1sW7/sVfmPc/VZHkcAG8Vf+0Zhaewy8UQxTJDC38Sy:tYP1L70oc9ZEcA1L6I8UUr

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a02d

Decoy

coplus.market

oofing-jobs-74429.bond

healchemists.xyz

oofcarpenternearme-jp.xyz

enewebsolutions.online

harepoint.legal

88977.club

omptables.xyz

eat-pumps-31610.bond

endown.graphics

amsexgirls.website

ovevibes.xyz

u-thiensu.online

yblinds.xyz

rumpchiefofstaff.store

erzog.fun

rrm.lat

agiclime.pro

agaviet59.shop

lbdoanhnhan.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook family
  • Formbook payload 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe
      "C:\Users\Admin\AppData\Local\Temp\422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2228
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rVjdis.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2924
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rVjdis" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15C2.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2816
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:2592
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2656
      • C:\Windows\SysWOW64\cmmon32.exe
        "C:\Windows\SysWOW64\cmmon32.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2524

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp15C2.tmp

      Filesize

      1KB

      MD5

      652fa31b8760caf890b613bbf6c6eb90

      SHA1

      7b685fa3fa14d0ff85ec86f4809074b74a8d9326

      SHA256

      93e0f619a28773ed0c1724f7392458c34f6ea93793f18ff7f0f936e0a001bead

      SHA512

      3b69f10b5422918b692e7104260d161c60117fdaa608721e8b304912b905f99fb4708d4f088aee6f2b7fbd7f6940ad3fd89958d971e51343ddfe2902e3f78585

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      845a37df25c379a9b5feeaace7a53544

      SHA1

      fc3b2f53e66296fb7cbd3f1a677d2a5ba370bce7

      SHA256

      be5a3ffb021b5570a623138a34ed2e5dda3a9b447c5d3b0f2f7b1305f2b56eac

      SHA512

      31cf08886f8bb5e62a890584253f52e5b30582c013f747ba9645314f9be60beeaf4a6b80e168baa92ba51d85755390343de5bd353ea01af5641eac426e4a1902

    • memory/1204-29-0x0000000004F60000-0x00000000050BE000-memory.dmp

      Filesize

      1.4MB

    • memory/2004-31-0x0000000000080000-0x00000000000AF000-memory.dmp

      Filesize

      188KB

    • memory/2004-30-0x0000000000BD0000-0x0000000000BDD000-memory.dmp

      Filesize

      52KB

    • memory/2460-4-0x0000000004210000-0x0000000004236000-memory.dmp

      Filesize

      152KB

    • memory/2460-26-0x00000000740E0000-0x00000000747CE000-memory.dmp

      Filesize

      6.9MB

    • memory/2460-7-0x0000000000950000-0x00000000009CA000-memory.dmp

      Filesize

      488KB

    • memory/2460-5-0x00000000740EE000-0x00000000740EF000-memory.dmp

      Filesize

      4KB

    • memory/2460-0-0x00000000740EE000-0x00000000740EF000-memory.dmp

      Filesize

      4KB

    • memory/2460-1-0x0000000000BE0000-0x0000000000C8E000-memory.dmp

      Filesize

      696KB

    • memory/2460-2-0x00000000740E0000-0x00000000747CE000-memory.dmp

      Filesize

      6.9MB

    • memory/2460-6-0x00000000740E0000-0x00000000747CE000-memory.dmp

      Filesize

      6.9MB

    • memory/2460-3-0x00000000054E0000-0x000000000558E000-memory.dmp

      Filesize

      696KB

    • memory/2656-25-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2656-28-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2656-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2656-20-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2656-22-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB