Overview

overview

10

Static

static

4.exe

windows7_x64

10

4.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-04-2021 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4.exe

  • Size

    643KB

  • MD5

    9c8c50b10343843f860fff79ac4511af

  • SHA1

    c6f52f87914312e817655fc0492815b86d053e90

  • SHA256

    ba06bef45227ff0ac912a66434014b848348f6be9780e8d86de0ffcc8c5c2c12

  • SHA512

    9e6380d41e80a312f2f0e0b588381e57519b50203e436587ab936344787cb54aac7b85c739e048996d729ecc297d6e09ec4a72a7a7e948d554d131ef9647c350

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.ostecosarcomamd.com/gmn/

Decoy

phulieutockemnghiaanhtuyet.com

shortbarrelspirits.com

livestreamreport.com

shopthemuze.com

fmtourist.com

competitionlaw.info

saint-elmos.club

foxcar.net

automatedwoodworks.com

abenillc.net

sfccservices.com

vegeteur.com

bitinnovo.com

in-home-theater.com

yakinikugenki.com

zeednee.com

hospiceinpomona.com

techservicesreviews.com

silkandhoney.store

sport-stars.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\4.exe
      "C:\Users\Admin\AppData\Local\Temp\4.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vGDImNjzE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF3E6.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4000
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:660
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:3916

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpF3E6.tmp
      MD5

      9c08f3971bfa64d04df4e731db961f83

      SHA1

      12feb6794ab9f013132995f32b3970cb1fc69ef8

      SHA256

      5a38ba9766265b6715e1165bf88b77c10b9a4bf8cee7b2b75acd67a733d003c8

      SHA512

      63bc13f61b6aec5188587b4e1621c9c1e21d6c99ee6fd987f92e095c527a7378b50d39a2a208448a150651b7f53892dc98680b06d890ed8c2180b9b3b03d44a9

      Download Submit
    • memory/624-120-0x00000000054C0000-0x00000000059BE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/624-118-0x00000000056A0000-0x00000000056A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/624-117-0x0000000005560000-0x0000000005561000-memory.dmp
      Filesize

      4KB

      Download
    • memory/624-119-0x0000000005600000-0x0000000005601000-memory.dmp
      Filesize

      4KB

      Download
    • memory/624-114-0x0000000000C90000-0x0000000000C91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/624-121-0x0000000005850000-0x000000000585D000-memory.dmp
      Filesize

      52KB

      Download
    • memory/624-122-0x00000000014C0000-0x0000000001549000-memory.dmp
      Filesize

      548KB

      Download
    • memory/624-123-0x0000000006040000-0x0000000006084000-memory.dmp
      Filesize

      272KB

      Download
    • memory/624-116-0x00000000059C0000-0x00000000059C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/660-137-0x00000000050C0000-0x0000000005153000-memory.dmp
      Filesize

      588KB

      Download
    • memory/660-136-0x0000000005260000-0x0000000005580000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/660-134-0x0000000001340000-0x0000000001367000-memory.dmp
      Filesize

      156KB

      Download
    • memory/660-132-0x0000000000000000-mapping.dmp
      Download
    • memory/660-135-0x0000000001110000-0x000000000113E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2120-127-0x000000000041EB20-mapping.dmp
      Download
    • memory/2120-126-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2120-129-0x0000000001150000-0x0000000001470000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2120-130-0x0000000000C20000-0x0000000000D6A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2988-138-0x0000000002A20000-0x0000000002AF9000-memory.dmp
      Filesize

      868KB

      Download
    • memory/2988-131-0x00000000060F0000-0x00000000061F7000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3916-133-0x0000000000000000-mapping.dmp
      Download
    • memory/4000-124-0x0000000000000000-mapping.dmp
      Download