Overview

overview

10

Static

static

ba01df16e4...df.exe

windows7_x64

10

ba01df16e4...df.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    04-05-2021 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba01df16e4c876e078348fd4479a8fdf.exe

  • Size

    717KB

  • MD5

    ba01df16e4c876e078348fd4479a8fdf

  • SHA1

    6c7f20976d3e7d9bf9f8a410cbc54962d1ef52bb

  • SHA256

    8353e30c6566795da3e5aa38a22b4707ee895cfa115ffa399cfbe7d57d00f91d

  • SHA512

    7d828277f9dfd39755b015cb25ee713159c2cf9d812ea938b408e0c21b9004b72d9efa21def95dfa307838db56558fd8e507ad10b887e1ed7ca1219a53e8747c

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.kelurahanpatikidul.xyz/op9s/

Decoy

playsystems-j.one

exchange.digital

usaleadsretrieval.com

mervegulistanaydin.com

heavythreadclothing.com

attorneyperu.com

lamuerteesdulce.com

catxirulo.com

willowrunconnemaras.com

laospecial.com

anchotrading.com

mycreditebook.com

jiujiu.plus

juniperconsulting.site

millionairsmindset.com

coronaviruscuredrugs.com

services-office.com

escanaim.com

20svip.com

pistonpounder.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba01df16e4c876e078348fd4479a8fdf.exe
    "C:\Users\Admin\AppData\Local\Temp\ba01df16e4c876e078348fd4479a8fdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ba01df16e4c876e078348fd4479a8fdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1480
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zFVxYeAVOjnwuB.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3180
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zFVxYeAVOjnwuB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB56.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3176
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zFVxYeAVOjnwuB.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Users\Admin\AppData\Local\Temp\ba01df16e4c876e078348fd4479a8fdf.exe
      "C:\Users\Admin\AppData\Local\Temp\ba01df16e4c876e078348fd4479a8fdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    c55abb9930f2ee8985a4da6018116d23

    SHA1

    f0ea843487be519c88421f0816521ce45bf4b7c9

    SHA256

    8a5867c224bf9d3b07b05dc2c58c036984e807d4f8c2e92ed677a43114d26db0

    SHA512

    f0a02aee6cd4a2cb8ba7292d9130168e6c34ce60a16cd76f7da09c32cea2e17fb318ae3031763b7fc1f1610490a5a503e368b3bb3c629345b2e0c1168a822590

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    c55abb9930f2ee8985a4da6018116d23

    SHA1

    f0ea843487be519c88421f0816521ce45bf4b7c9

    SHA256

    8a5867c224bf9d3b07b05dc2c58c036984e807d4f8c2e92ed677a43114d26db0

    SHA512

    f0a02aee6cd4a2cb8ba7292d9130168e6c34ce60a16cd76f7da09c32cea2e17fb318ae3031763b7fc1f1610490a5a503e368b3bb3c629345b2e0c1168a822590

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpB56.tmp
    MD5

    c8db3746834c5d8abb96963bed37fba4

    SHA1

    80f6aa1d88c38c40b673ba3ba37d3b3ace035352

    SHA256

    cd46d3f32eb37cbd742aa7ae87593a834321b3f9be4ab69859236cc30b68ffa0

    SHA512

    9ad284ee758402d89eebb2ece5c93b524651d51b75fbb845949086ffc00e4cb81fbccbe3fee34936d6ebc241963cad990c93d834529a40c89f9bf1df50fe6a9d

    Download Submit
  • memory/1480-164-0x0000000008430000-0x0000000008431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1480-135-0x0000000007650000-0x0000000007651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1480-146-0x0000000007012000-0x0000000007013000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1480-161-0x0000000008020000-0x0000000008021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1480-167-0x0000000008760000-0x0000000008761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1480-196-0x0000000007013000-0x0000000007014000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1480-125-0x0000000000000000-mapping.dmp
    Download
  • memory/1480-141-0x0000000007010000-0x0000000007011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1480-195-0x000000007E7C0000-0x000000007E7C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1480-132-0x0000000006F90000-0x0000000006F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2688-148-0x0000000004362000-0x0000000004363000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2688-152-0x0000000006CF0000-0x0000000006CF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2688-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2688-170-0x0000000007E60000-0x0000000007E61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2688-193-0x000000007E0E0000-0x000000007E0E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2688-145-0x0000000004360000-0x0000000004361000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2688-198-0x0000000004363000-0x0000000004364000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-138-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2716-139-0x000000000041ED70-mapping.dmp
    Download
  • memory/2716-149-0x0000000001A00000-0x0000000001D20000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/3176-127-0x0000000000000000-mapping.dmp
    Download
  • memory/3180-126-0x0000000000000000-mapping.dmp
    Download
  • memory/3180-150-0x0000000006572000-0x0000000006573000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3180-155-0x00000000072F0000-0x00000000072F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3180-158-0x00000000073D0000-0x00000000073D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3180-194-0x000000007F2B0000-0x000000007F2B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3180-143-0x0000000006570000-0x0000000006571000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3180-197-0x0000000006573000-0x0000000006574000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4044-119-0x00000000053A0000-0x00000000053A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4044-114-0x00000000008C0000-0x00000000008C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4044-117-0x00000000057C0000-0x00000000057C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4044-120-0x0000000005470000-0x0000000005471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4044-124-0x0000000008470000-0x00000000084A5000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4044-123-0x0000000001180000-0x00000000011FD000-memory.dmp
    Filesize

    500KB

    Download
  • memory/4044-122-0x00000000056A0000-0x00000000056AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4044-118-0x00000000052C0000-0x00000000052C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4044-121-0x00000000052C0000-0x00000000057BE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4044-116-0x0000000005220000-0x0000000005221000-memory.dmp
    Filesize

    4KB

    Download