Overview

overview

10

Static

static

1

Requiremen...mm.exe

windows7_x64

10

Requiremen...mm.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-02-2021 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Requirement of Sonic Tube 50 mm.exe

  • Size

    299KB

  • MD5

    5e51248701b8a456d39854abfe287c86

  • SHA1

    e4c46f8e5d7eceeaab88591c75fb55c8c52b963c

  • SHA256

    c1a40dbca9d28ac760447f501d812b82312be281ee699fdcc4a6a543077caa3d

  • SHA512

    f122ce0ee0daa496fc5714f8e7f0cdffa590877e16a3aba4980afbf9007942264b0ca71de16af81a188e089ffcb39f1ffaf75d0b635ac1b662ff424661f297ee

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.fun4gang.xyz/thg/

Decoy

retrospectphotographydesign.com

jafodraws.com

cigiwie.space

upgradecarehealth.com

12ts.xyz

111indianbend.com

qqchbakery.com

0831xx.com

supecret.com

ayfadopple.com

coldwateradvisors.com

forexgiftcard.com

actionconsultingchile.com

mpsconcrete.net

carmallc.com

b167888.com

simonking.xyz

elitedigitalperformance.com

essentialjanitorialservices.com

barcosocasionberga.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\Requirement of Sonic Tube 50 mm.exe
      "C:\Users\Admin\AppData\Local\Temp\Requirement of Sonic Tube 50 mm.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Users\Admin\AppData\Local\Temp\Requirement of Sonic Tube 50 mm.exe
        "C:\Users\Admin\AppData\Local\Temp\Requirement of Sonic Tube 50 mm.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1980
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Requirement of Sonic Tube 50 mm.exe"
        3⤵
        • Deletes itself
        PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nlpbha0c.dll
    MD5

    34d8148a0d0b33fdfe9f89c44c8707ec

    SHA1

    265339396a2cd3eaf6bf402b6efd71b26a53714b

    SHA256

    de162165c56d9255db512fe5be1231dd314be01601ffdd0b41c99999acfc1927

    SHA512

    19aa24537ceacd879c09147a3efa9a30fc54a1bcbe2b8ec7c06c8707fb74ebd7402fef5345f612672d7b1b9d24be66ae9eff844b1fa6538453124749b8ce5738

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nssAFEF.tmp\System.dll
    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit
  • memory/320-16-0x0000000000AA0000-0x0000000000B33000-memory.dmp
    Filesize

    588KB

    Download
  • memory/320-15-0x0000000002270000-0x0000000002573000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/320-10-0x0000000000000000-mapping.dmp
    Download
  • memory/320-12-0x0000000000D70000-0x0000000000E64000-memory.dmp
    Filesize

    976KB

    Download
  • memory/320-14-0x0000000000080000-0x00000000000AE000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1196-17-0x0000000004140000-0x000000000425E000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1196-9-0x0000000006F20000-0x0000000007096000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1340-2-0x0000000076691000-0x0000000076693000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1628-13-0x0000000000000000-mapping.dmp
    Download
  • memory/1980-5-0x000000000041EAE0-mapping.dmp
    Download
  • memory/1980-6-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1980-8-0x00000000002D0000-0x00000000002E4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1980-7-0x0000000000820000-0x0000000000B23000-memory.dmp
    Filesize

    3.0MB

    Download