Overview

overview

10

Static

static

Invoice (3).exe

windows7_x64

10

Invoice (3).exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    04-05-2021 21:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice (3).exe

  • Size

    674KB

  • MD5

    9fe12cde3aa06a540dd00ef6b182c5d0

  • SHA1

    5b71e9d19292cbd95d455ce778db5d5c86270ab0

  • SHA256

    6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65

  • SHA512

    b223de4772986e3c95c233d49711e538d566527ab7f8b2f0bdbcd75643587ddd6140815c29ff168ea4ab1bd8914053ea697913be81f4d7f37e5e3450a31be465

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.glittergalsboutique.com/8buc/

Decoy

affiliatetraining101.com

sun5new.com

localstuffunlimited.store

getmrn.com

nipandtucknurse.com

companycreater.com

painfullyperfect.com

3dmobilemammo.com

theredbeegroup.net

loochaan.com

alanoliveiramkt.com

lxwzsh.com

twobookramblers.com

cscardinalmalula.net

hanarzr.com

sabaicp.com

foodprocessmedia.com

tirongroup.com

dcentralizedcloud.com

xn--80abnkzb2a.xn--p1acf

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3464
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aNSuLti.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aNSuLti" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FFC.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2068
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aNSuLti.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3984
      • C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe
        "C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3980
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe"
        3⤵
          PID:3108
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:1584

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Command-Line Interface

      1
      T1059

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        MD5

        1c19c16e21c97ed42d5beabc93391fc5

        SHA1

        8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

        SHA256

        1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

        SHA512

        7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        01fc7753bd61aabb2d40507ca3b2b521

        SHA1

        bb4c33f1870a21c333dd0ed927b65a408a9a36a9

        SHA256

        0e40ce6f98ded2e5a8396571dfcdc33af09ae90a46b9bbe1763f7e7af9a349af

        SHA512

        c001ae5f519848f8961e2c36b725c40d978be12d645699c86dad663b87b5ee821aeb5be14b434b4f8bea038a4b1381affc538f9c314e6bc2e9aeea9cec43d340

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        5e3a7de19c3154bb4adff9fb6bbec29b

        SHA1

        8a86176d748ec997ccd8a82ee24ca7903370d7c7

        SHA256

        8459cc354cb967382058796c1401b23082731a79d61a7b0fbd3083aac634cd38

        SHA512

        2a6759507287d2f7858079aae81d49125e2d1ca672f308641e6217ee3825a0d65a5951a20db8016083d58c7b0347e2e3649d1e9311388cc30d9f59c6c471623a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp6FFC.tmp
        MD5

        c138621fc93d93f6c39824c18c5a49e3

        SHA1

        7d93e89642b1cdf1738ebf90f19006f943e5319a

        SHA256

        c001c8ebd52ec6560f3a2bc44003e8137b9be0e11ac009db9bbf28e156c60dd6

        SHA512

        d8200756a2350e0c79c98931e05a1213ef927a76fd862d73d9a5d914c36a709de380dd4792e33ac3dc77dcbfe7a730bc87c61b0372d33242993b8ec25984b8a2

        Download Submit
      • memory/656-122-0x00000000055E0000-0x00000000055EE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/656-116-0x0000000005320000-0x0000000005321000-memory.dmp
        Filesize

        4KB

        Download
      • memory/656-121-0x0000000005600000-0x0000000005601000-memory.dmp
        Filesize

        4KB

        Download
      • memory/656-120-0x0000000005300000-0x0000000005301000-memory.dmp
        Filesize

        4KB

        Download
      • memory/656-123-0x00000000011D0000-0x0000000001249000-memory.dmp
        Filesize

        484KB

        Download
      • memory/656-124-0x0000000001250000-0x0000000001285000-memory.dmp
        Filesize

        212KB

        Download
      • memory/656-119-0x0000000005280000-0x000000000531C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/656-114-0x0000000000900000-0x0000000000901000-memory.dmp
        Filesize

        4KB

        Download
      • memory/656-117-0x00000000058C0000-0x00000000058C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/656-118-0x0000000005460000-0x0000000005461000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1164-179-0x0000000002D10000-0x0000000003030000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/1164-206-0x0000000002C40000-0x0000000002CD3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1164-172-0x0000000000000000-mapping.dmp
        Download
      • memory/1164-177-0x0000000000640000-0x000000000066E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/1164-176-0x0000000000860000-0x000000000086B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/2068-133-0x0000000000000000-mapping.dmp
        Download
      • memory/2604-146-0x0000000004640000-0x0000000004641000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-147-0x0000000004642000-0x0000000004643000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-129-0x0000000000000000-mapping.dmp
        Download
      • memory/2604-200-0x000000007E560000-0x000000007E561000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-204-0x0000000004643000-0x0000000004644000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-154-0x00000000077A0000-0x00000000077A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-157-0x0000000006FB0000-0x0000000006FB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3092-149-0x0000000006230000-0x000000000637F000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/3092-207-0x0000000000A20000-0x0000000000AC3000-memory.dmp
        Filesize

        652KB

        Download
      • memory/3108-178-0x0000000000000000-mapping.dmp
        Download
      • memory/3464-128-0x0000000004750000-0x0000000004751000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3464-130-0x00000000047F0000-0x00000000047F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3464-167-0x0000000007310000-0x0000000007311000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3464-169-0x0000000007EA0000-0x0000000007EA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3464-160-0x0000000007340000-0x0000000007341000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3464-173-0x0000000008280000-0x0000000008281000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3464-163-0x0000000007A50000-0x0000000007A51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3464-131-0x00000000047F2000-0x00000000047F3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3464-125-0x0000000000000000-mapping.dmp
        Download
      • memory/3464-203-0x00000000047F3000-0x00000000047F4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3464-132-0x0000000007420000-0x0000000007421000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3464-202-0x000000007F170000-0x000000007F171000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3980-141-0x000000000041ED80-mapping.dmp
        Download
      • memory/3980-148-0x0000000001990000-0x00000000019A4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/3980-140-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/3980-153-0x00000000019B0000-0x0000000001CD0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/3984-152-0x0000000004832000-0x0000000004833000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3984-139-0x0000000000000000-mapping.dmp
        Download
      • memory/3984-205-0x0000000004833000-0x0000000004834000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3984-201-0x000000007F400000-0x000000007F401000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3984-151-0x0000000004830000-0x0000000004831000-memory.dmp
        Filesize

        4KB

        Download