Overview

overview

10

Static

static

ba01df16e4...df.exe

windows7_x64

10

ba01df16e4...df.exe

windows10_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    68s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    04-05-2021 15:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba01df16e4c876e078348fd4479a8fdf.exe

  • Size

    717KB

  • MD5

    ba01df16e4c876e078348fd4479a8fdf

  • SHA1

    6c7f20976d3e7d9bf9f8a410cbc54962d1ef52bb

  • SHA256

    8353e30c6566795da3e5aa38a22b4707ee895cfa115ffa399cfbe7d57d00f91d

  • SHA512

    7d828277f9dfd39755b015cb25ee713159c2cf9d812ea938b408e0c21b9004b72d9efa21def95dfa307838db56558fd8e507ad10b887e1ed7ca1219a53e8747c

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.kelurahanpatikidul.xyz/op9s/

Decoy

playsystems-j.one

exchange.digital

usaleadsretrieval.com

mervegulistanaydin.com

heavythreadclothing.com

attorneyperu.com

lamuerteesdulce.com

catxirulo.com

willowrunconnemaras.com

laospecial.com

anchotrading.com

mycreditebook.com

jiujiu.plus

juniperconsulting.site

millionairsmindset.com

coronaviruscuredrugs.com

services-office.com

escanaim.com

20svip.com

pistonpounder.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba01df16e4c876e078348fd4479a8fdf.exe
    "C:\Users\Admin\AppData\Local\Temp\ba01df16e4c876e078348fd4479a8fdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ba01df16e4c876e078348fd4479a8fdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zFVxYeAVOjnwuB.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zFVxYeAVOjnwuB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp46E8.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:808
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zFVxYeAVOjnwuB.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3856
    • C:\Users\Admin\AppData\Local\Temp\ba01df16e4c876e078348fd4479a8fdf.exe
      "C:\Users\Admin\AppData\Local\Temp\ba01df16e4c876e078348fd4479a8fdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    c605314b02eb6f0bde625ae1895218c2

    SHA1

    8093fc5d05e7436ebf99708e17d825a5a8f6ce7f

    SHA256

    9585714ecb92fe039a8ac9d247df9d20826830b11fd7234c74c0c81234a3ba7a

    SHA512

    223d85b46730a371d26b207fcc09523e8de47ddd87488f6bdf7ab65c71579854425a6ca363c3f689a2d466d09a0ac69814c9618c8ba3a739132209c8e433b68d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    c605314b02eb6f0bde625ae1895218c2

    SHA1

    8093fc5d05e7436ebf99708e17d825a5a8f6ce7f

    SHA256

    9585714ecb92fe039a8ac9d247df9d20826830b11fd7234c74c0c81234a3ba7a

    SHA512

    223d85b46730a371d26b207fcc09523e8de47ddd87488f6bdf7ab65c71579854425a6ca363c3f689a2d466d09a0ac69814c9618c8ba3a739132209c8e433b68d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp46E8.tmp
    MD5

    c8db3746834c5d8abb96963bed37fba4

    SHA1

    80f6aa1d88c38c40b673ba3ba37d3b3ace035352

    SHA256

    cd46d3f32eb37cbd742aa7ae87593a834321b3f9be4ab69859236cc30b68ffa0

    SHA512

    9ad284ee758402d89eebb2ece5c93b524651d51b75fbb845949086ffc00e4cb81fbccbe3fee34936d6ebc241963cad990c93d834529a40c89f9bf1df50fe6a9d

    Download Submit
  • memory/740-121-0x0000000002F10000-0x0000000002FAC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/740-118-0x0000000005570000-0x0000000005571000-memory.dmp
    Filesize

    4KB

    Download
  • memory/740-116-0x0000000005430000-0x0000000005431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/740-122-0x00000000059A0000-0x00000000059AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/740-123-0x0000000001470000-0x00000000014ED000-memory.dmp
    Filesize

    500KB

    Download
  • memory/740-124-0x0000000001530000-0x0000000001565000-memory.dmp
    Filesize

    212KB

    Download
  • memory/740-114-0x0000000000A10000-0x0000000000A11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/740-117-0x00000000059D0000-0x00000000059D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/740-119-0x00000000054D0000-0x00000000054D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/740-120-0x00000000056D0000-0x00000000056D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-130-0x0000000000000000-mapping.dmp
    Download
  • memory/2128-128-0x0000000000000000-mapping.dmp
    Download
  • memory/2128-152-0x0000000006E62000-0x0000000006E63000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-196-0x0000000006E63000-0x0000000006E64000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-193-0x000000007EF50000-0x000000007EF51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-142-0x0000000007310000-0x0000000007311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-170-0x0000000008390000-0x0000000008391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-167-0x0000000008200000-0x0000000008201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-164-0x0000000007C80000-0x0000000007C81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-148-0x0000000006E60000-0x0000000006E61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-125-0x0000000000000000-mapping.dmp
    Download
  • memory/2172-197-0x0000000007233000-0x0000000007234000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-153-0x0000000007FE0000-0x0000000007FE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-151-0x0000000007F70000-0x0000000007F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-129-0x00000000071A0000-0x00000000071A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-158-0x00000000081C0000-0x00000000081C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-147-0x0000000007232000-0x0000000007233000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-131-0x0000000007870000-0x0000000007871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-144-0x0000000007230000-0x0000000007231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2172-194-0x000000007E2E0000-0x000000007E2E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3204-139-0x000000000041ED70-mapping.dmp
    Download
  • memory/3204-138-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/3204-155-0x0000000001A80000-0x0000000001DA0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/3856-195-0x000000007E5A0000-0x000000007E5A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3856-198-0x00000000043D3000-0x00000000043D4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3856-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3856-146-0x00000000043D0000-0x00000000043D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3856-150-0x00000000043D2000-0x00000000043D3000-memory.dmp
    Filesize

    4KB

    Download