Overview

overview

10

Static

static

Invoice (3).exe

windows7_x64

10

Invoice (3).exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    04-05-2021 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice (3).exe

  • Size

    674KB

  • MD5

    9fe12cde3aa06a540dd00ef6b182c5d0

  • SHA1

    5b71e9d19292cbd95d455ce778db5d5c86270ab0

  • SHA256

    6f6aa9aea231c8d01eddd78fa14d447202bb71c77512265ce9cc195c62ca1c65

  • SHA512

    b223de4772986e3c95c233d49711e538d566527ab7f8b2f0bdbcd75643587ddd6140815c29ff168ea4ab1bd8914053ea697913be81f4d7f37e5e3450a31be465

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.glittergalsboutique.com/8buc/

Decoy

affiliatetraining101.com

sun5new.com

localstuffunlimited.store

getmrn.com

nipandtucknurse.com

companycreater.com

painfullyperfect.com

3dmobilemammo.com

theredbeegroup.net

loochaan.com

alanoliveiramkt.com

lxwzsh.com

twobookramblers.com

cscardinalmalula.net

hanarzr.com

sabaicp.com

foodprocessmedia.com

tirongroup.com

dcentralizedcloud.com

xn--80abnkzb2a.xn--p1acf

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:712
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aNSuLti.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aNSuLti" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E46.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aNSuLti.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
      • C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe
        "C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4004
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:424
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Invoice (3).exe"
        3⤵
          PID:3600

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      7466cd2a1b531ecaec922383021fbea8

      SHA1

      1c03222204d3552e186a0a4fac6b8114bb24e1e0

      SHA256

      9036d1df11053c05c50b9be6600036ab14d5bb5b452899bbd98097a7faae5930

      SHA512

      6e4a0688182de82d9d36a346a98ee0687dd925211c713e656d864f4abb9636dcb1544f7daba5c749bbee3a2dc769a42990861f3ac3e3a73653e29668f00e4a63

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      7466cd2a1b531ecaec922383021fbea8

      SHA1

      1c03222204d3552e186a0a4fac6b8114bb24e1e0

      SHA256

      9036d1df11053c05c50b9be6600036ab14d5bb5b452899bbd98097a7faae5930

      SHA512

      6e4a0688182de82d9d36a346a98ee0687dd925211c713e656d864f4abb9636dcb1544f7daba5c749bbee3a2dc769a42990861f3ac3e3a73653e29668f00e4a63

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp6E46.tmp
      MD5

      c138621fc93d93f6c39824c18c5a49e3

      SHA1

      7d93e89642b1cdf1738ebf90f19006f943e5319a

      SHA256

      c001c8ebd52ec6560f3a2bc44003e8137b9be0e11ac009db9bbf28e156c60dd6

      SHA512

      d8200756a2350e0c79c98931e05a1213ef927a76fd862d73d9a5d914c36a709de380dd4792e33ac3dc77dcbfe7a730bc87c61b0372d33242993b8ec25984b8a2

      Download Submit
    • memory/424-206-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/424-205-0x00000000010F0000-0x00000000010F7000-memory.dmp
      Filesize

      28KB

      Download
    • memory/424-211-0x0000000000A20000-0x0000000000AB3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/424-207-0x0000000000C10000-0x0000000000F30000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/424-203-0x0000000000000000-mapping.dmp
      Download
    • memory/712-128-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/712-125-0x0000000000000000-mapping.dmp
      Download
    • memory/712-202-0x0000000004BD3000-0x0000000004BD4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/712-129-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/712-130-0x0000000007590000-0x0000000007591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/712-151-0x0000000007510000-0x0000000007511000-memory.dmp
      Filesize

      4KB

      Download
    • memory/712-198-0x000000007F1C0000-0x000000007F1C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/712-172-0x0000000008590000-0x0000000008591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/712-144-0x0000000004BD2000-0x0000000004BD3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-116-0x0000000005170000-0x0000000005171000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-123-0x00000000010B0000-0x0000000001129000-memory.dmp
      Filesize

      484KB

      Download
    • memory/796-121-0x00000000053A0000-0x00000000053A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-122-0x0000000005380000-0x000000000538E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/796-117-0x0000000005710000-0x0000000005711000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-118-0x0000000005210000-0x0000000005211000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-119-0x0000000005060000-0x00000000050FC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/796-120-0x0000000005090000-0x0000000005091000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-114-0x00000000007E0000-0x00000000007E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-124-0x00000000083C0000-0x00000000083F5000-memory.dmp
      Filesize

      212KB

      Download
    • memory/2080-131-0x0000000000000000-mapping.dmp
      Download
    • memory/2080-147-0x0000000007142000-0x0000000007143000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2080-200-0x0000000007143000-0x0000000007144000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2080-199-0x000000007E7A0000-0x000000007E7A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2080-166-0x0000000008360000-0x0000000008361000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2080-145-0x0000000007140000-0x0000000007141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2272-154-0x0000000008100000-0x0000000008101000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2272-149-0x0000000007210000-0x0000000007211000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2272-138-0x0000000000000000-mapping.dmp
      Download
    • memory/2272-169-0x0000000008980000-0x0000000008981000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2272-197-0x000000007EC80000-0x000000007EC81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2272-150-0x0000000007212000-0x0000000007213000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2272-201-0x0000000007213000-0x0000000007214000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2272-157-0x0000000007F20000-0x0000000007F21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2272-161-0x00000000081B0000-0x00000000081B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3024-165-0x0000000004DA0000-0x0000000004EE2000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3024-182-0x0000000002610000-0x00000000026ED000-memory.dmp
      Filesize

      884KB

      Download
    • memory/3024-212-0x0000000005CB0000-0x0000000005D66000-memory.dmp
      Filesize

      728KB

      Download
    • memory/3600-204-0x0000000000000000-mapping.dmp
      Download
    • memory/3872-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4004-160-0x00000000012A0000-0x00000000015C0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/4004-164-0x0000000000E10000-0x0000000000E24000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4004-142-0x000000000041ED80-mapping.dmp
      Download
    • memory/4004-141-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4004-181-0x0000000000E50000-0x0000000000F9A000-memory.dmp
      Filesize

      1.3MB

      Download