Overview

overview

10

Static

static

1

Shipment D...pg.exe

windows7_x64

10

Shipment D...pg.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-04-2021 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipment Document BL,INV and packing list.jpg.exe

  • Size

    231KB

  • MD5

    50456fb9b8f0806b76ffd072a5bb70f2

  • SHA1

    ec8e584acd7b5153cf50d9c338b002666e7f85d8

  • SHA256

    aca4e7d8bc5a58300b0945187c084f6c2c44418133ffb36adfb08e25d285de82

  • SHA512

    42c006d277fb4526f56523fb8fb415f7f00e66fe165cbedac2af399a9cabd01c572b76a3706daac292dc5b64e0abcfe8d6f6a5744cba5295f1abc7d3eda00fe9

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.localmarketingaiagency.com/pgr/

Decoy

rhymewitnessnews.com

z1seven.com

quaidon.com

spruiodes.com

leanderpumpkinpatch.com

starfood-eg.com

americanrestorationreport.net

myonyxfoundation.com

adcvea.com

theassociationconsultant.com

snaparama.com

ukajp.com

guarfianlife.com

e-dourouss.com

beflybmx.com

ceoesalamanca.com

myoxx.com

maxwatertreatment.com

maskelicious.com

aditridental.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3612
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:496
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:404
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
          3⤵
            PID:2672

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Local\Temp\nsgBCFE.tmp\juukqoeba.dll
        MD5

        c96e0db05235eda2de5a1bb8b15c22e5

        SHA1

        41cd64af5c4da417b6acdc6e0bf6af432085c6b8

        SHA256

        2802bba60b65fae0c3d480971e8e03adc8a97bacc4688f9d3943073592fc2b8f

        SHA512

        bede0119c47e15c4dfc9c4d0d27496d2f72fe2a160cf403002644e1fb000e57bee28fe303fdbfa40ee08cb21407c292628dbb14ce190e05a291f6f1aada9b75f

        Download Submit
      • memory/404-124-0x0000000003410000-0x0000000003730000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/404-127-0x0000000003170000-0x0000000003203000-memory.dmp
        Filesize

        588KB

        Download
      • memory/404-125-0x0000000000970000-0x000000000099E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/404-123-0x0000000000AB0000-0x0000000000AB7000-memory.dmp
        Filesize

        28KB

        Download
      • memory/404-122-0x0000000000000000-mapping.dmp
        Download
      • memory/636-115-0x0000000003140000-0x0000000003141000-memory.dmp
        Filesize

        4KB

        Download
      • memory/636-116-0x0000000003141000-0x0000000003143000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2672-126-0x0000000000000000-mapping.dmp
        Download
      • memory/2996-121-0x0000000006CF0000-0x0000000006E69000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2996-128-0x0000000006E70000-0x0000000006FCB000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/3612-119-0x00000000009E0000-0x0000000000D00000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/3612-120-0x0000000000EA0000-0x0000000000EB4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/3612-118-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/3612-117-0x000000000041EBA0-mapping.dmp
        Download