Overview

overview

10

Static

static

Shipping Docs.exe

windows7_x64

10

Shipping Docs.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-04-2021 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping Docs.exe

  • Size

    944KB

  • MD5

    1c7c7a3b0cfb41627125bb609863675a

  • SHA1

    83a9b9eec6dcc897b1406b7ca166e40c33f58d3d

  • SHA256

    3f37e123258dcf5b2a18a1ba8299f21ddb6fa585db1dac3a957022d7c763a184

  • SHA512

    d2b455fb31994cf79fe7d198917382822d772f95b00c913683ff539c351b36ae85c2545b163e934cca8282435650446d24e3614bc283486b9dfd49d7e636ec5b

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://w����5 �@q[*��S=���m

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLcIzJDan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2893.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3800
      • C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe"
        3⤵
          PID:1484
        • C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe
          "C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe"
          3⤵
            PID:2680
          • C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe
            "C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
        • C:\Windows\SysWOW64\chkdsk.exe
          "C:\Windows\SysWOW64\chkdsk.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1304
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe"
            3⤵
              PID:888

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        2
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp2893.tmp
          MD5

          8cb960d7c9d01cf8d1ac206ec0432607

          SHA1

          d9577ffa24f9d7135de5550baae29705917bc110

          SHA256

          01f60839eb3e68a29c1d562f98ad468180fc4308c4d7723c7e39c8484b469fdf

          SHA512

          dd3ed1434dcd2818c49930acc7e58a248a05fe50acfb09356d150eca64712363085d0a951d4ec91602bbb0c866480ef57d2f1751e7b0c6ebc5871c193a434cb5

          Download Submit
        • memory/888-126-0x0000000000000000-mapping.dmp
          Download
        • memory/900-114-0x0000000001310000-0x0000000001311000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1304-123-0x0000000000000000-mapping.dmp
          Download
        • memory/1304-128-0x0000000004E60000-0x0000000004EF3000-memory.dmp
          Filesize

          588KB

          Download
        • memory/1304-127-0x0000000004F90000-0x00000000052B0000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1304-125-0x0000000000540000-0x000000000056E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/1304-124-0x00000000008D0000-0x00000000008DA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2712-117-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/2712-121-0x0000000000D00000-0x0000000000DAE000-memory.dmp
          Filesize

          696KB

          Download
        • memory/2712-120-0x00000000013B0000-0x00000000016D0000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/2712-118-0x000000000041EAC0-mapping.dmp
          Download
        • memory/3024-122-0x0000000004DA0000-0x0000000004EB3000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/3024-129-0x0000000005E30000-0x0000000005FA8000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/3800-115-0x0000000000000000-mapping.dmp
          Download