Overview

overview

10

Static

static

lH9gneQxxLcSOHF.exe

windows7_x64

10

lH9gneQxxLcSOHF.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    30-04-2021 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lH9gneQxxLcSOHF.exe

  • Size

    1.1MB

  • MD5

    d336f736a9c84ce0b1e253c52f1643b3

  • SHA1

    b9d79e4168b0e2bf89457ed7fc4b3fd83540d1c3

  • SHA256

    8ed07c91dc9c7015a41b341c574e797402cecbaa097e0a12559fbb848420a11c

  • SHA512

    42f7764c7c652bd8e9a91cefdd51a1a8dd45e535b10a98b9b144f8f7dc2143868c79b0da2b22348f6811fbcb0466b60037e04e6959b980fcc989bfe255da9016

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.royalelectricvehicle.com/m8uk/

Decoy

blackcountryteshirts.com

pioneergeoscience.com

calacciwedding.com

theelegantdoorbow.com

graciosera.com

kwikversity.com

izita.xyz

drivewiththebest.co.uk

kakback.xyz

sachascott.net

lifeenterprisesystems.com

interimgirl.com

myviralplatform.com

spainmatrimony.com

supergenx.com

leglehla.icu

otlhswdok.icu

1stfdsqnre.com

xxxcentral.net

movimentare.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\lH9gneQxxLcSOHF.exe
      "C:\Users\Admin\AppData\Local\Temp\lH9gneQxxLcSOHF.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVtLppC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC11D.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:320
      • C:\Users\Admin\AppData\Local\Temp\lH9gneQxxLcSOHF.exe
        "C:\Users\Admin\AppData\Local\Temp\lH9gneQxxLcSOHF.exe"
        3⤵
          PID:1412
        • C:\Users\Admin\AppData\Local\Temp\lH9gneQxxLcSOHF.exe
          "C:\Users\Admin\AppData\Local\Temp\lH9gneQxxLcSOHF.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:744
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:972
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\lH9gneQxxLcSOHF.exe"
          3⤵
          • Deletes itself
          PID:1476

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpC11D.tmp
      MD5

      fe06d7e2991be78368341f50f515e8d0

      SHA1

      b57f4384f718606ff107ffb22308af0452b2adba

      SHA256

      af43350cf84b30c72f868e73d2d0a895dd2f2aa295a28c4b3f549c82744404c5

      SHA512

      c17c573a529a5dec3c68c7d002df657a76547450150c0ecdd17fd55e5e6e1520bd0ae8bfab6a99e08328f220f0a64c490ab2aaa4fd3cf99cdac02a0fe5b6f6a4

      Download Submit
    • memory/320-66-0x0000000000000000-mapping.dmp
      Download
    • memory/744-72-0x0000000000360000-0x0000000000374000-memory.dmp
      Filesize

      80KB

      Download
    • memory/744-71-0x0000000000950000-0x0000000000C53000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/744-69-0x000000000041ED10-mapping.dmp
      Download
    • memory/744-68-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/972-74-0x0000000000000000-mapping.dmp
      Download
    • memory/972-75-0x000000004A4F0000-0x000000004A53C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/972-76-0x0000000001F60000-0x0000000002263000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/972-77-0x00000000001D0000-0x00000000001FE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/972-79-0x00000000005A0000-0x0000000000633000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1116-65-0x00000000011F0000-0x0000000001225000-memory.dmp
      Filesize

      212KB

      Download
    • memory/1116-64-0x0000000007C70000-0x0000000007CED000-memory.dmp
      Filesize

      500KB

      Download
    • memory/1116-63-0x0000000000A80000-0x0000000000A8D000-memory.dmp
      Filesize

      52KB

      Download
    • memory/1116-62-0x00000000072E0000-0x00000000072E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1116-60-0x0000000001330000-0x0000000001331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1292-73-0x0000000004740000-0x0000000004801000-memory.dmp
      Filesize

      772KB

      Download
    • memory/1292-80-0x0000000006CE0000-0x0000000006E30000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1476-78-0x0000000000000000-mapping.dmp
      Download