Overview

overview

10

Static

static

8

5A47B6ECD9...D0.msi

windows7_x64

10

5A47B6ECD9...D0.msi

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    05-05-2021 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5A47B6ECD963805410D996573CA00DD0.msi

  • Size

    256KB

  • MD5

    5a47b6ecd963805410d996573ca00dd0

  • SHA1

    2440e9a1a76573d9506b752d31b10a788d82b215

  • SHA256

    cd5cf89c75b6639053a9f493d611b7b575c0ce09d5388a7fdb0e5e92ea05a3c2

  • SHA512

    4e350b16e212435373343662d3b1636861f5fb704f7bc40e84b8c7cc47c2419c37edb6851da87482566a744f84f3e1459e60094971ee24ff2c4838d02b003cad

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.craftsman-vail.com/cca/

Decoy

whenpigsflyhigh.com

artistiklounge.com

tinytrendstique.com

projektpartner-ag.com

charvelevh.com

easycompliances.net

zengheqiye.com

professionalmallorca.com

bonzerstudio.com

nelivo.com

yangxeric.com

aredntech.com

twincitieshousingmarket.com

allshadesunscreen.com

xiang-life.net

qmcp00011.com

lindsayeandmarkv.com

fbcsbvsbvsjbvjs.com

saveonthrivelife.com

newdpo.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5A47B6ECD963805410D996573CA00DD0.msi
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:800
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Installer\MSIE92F.tmp"
        3⤵
          PID:3860
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
      • C:\Windows\Installer\MSIE92F.tmp
        "C:\Windows\Installer\MSIE92F.tmp"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3964
        • C:\Windows\Installer\MSIE92F.tmp
          "C:\Windows\Installer\MSIE92F.tmp"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2204
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:644
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
      1⤵
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:4064

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    2
    T1120

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Installer\MSIE92F.tmp
      MD5

      c77e06cc36913e3fe6aee24cc84a602a

      SHA1

      44f58a4362deb256d5e8fa215f7590d1cef7c28e

      SHA256

      3cae7292cd45fd776f787ea3530f4630bcfdc18a0aa0ec29f276f1de931f4cd4

      SHA512

      d4f596613dfb5a1f3d5b5b154a28532ade260c6b3d3d65a1acba3dcf9daa1e2efa3c0c810ce979ef5ab7e741480e4a937854d61f9831e22f4ac38e6370c385b1

      Download Submit
    • C:\Windows\Installer\MSIE92F.tmp
      MD5

      c77e06cc36913e3fe6aee24cc84a602a

      SHA1

      44f58a4362deb256d5e8fa215f7590d1cef7c28e

      SHA256

      3cae7292cd45fd776f787ea3530f4630bcfdc18a0aa0ec29f276f1de931f4cd4

      SHA512

      d4f596613dfb5a1f3d5b5b154a28532ade260c6b3d3d65a1acba3dcf9daa1e2efa3c0c810ce979ef5ab7e741480e4a937854d61f9831e22f4ac38e6370c385b1

      Download Submit
    • C:\Windows\Installer\MSIE92F.tmp
      MD5

      c77e06cc36913e3fe6aee24cc84a602a

      SHA1

      44f58a4362deb256d5e8fa215f7590d1cef7c28e

      SHA256

      3cae7292cd45fd776f787ea3530f4630bcfdc18a0aa0ec29f276f1de931f4cd4

      SHA512

      d4f596613dfb5a1f3d5b5b154a28532ade260c6b3d3d65a1acba3dcf9daa1e2efa3c0c810ce979ef5ab7e741480e4a937854d61f9831e22f4ac38e6370c385b1

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      MD5

      e8458a5ebb8934c8f1abc3ec07d5afcb

      SHA1

      a7dc760abdc59d50a79872a8060121ab41c2a6d9

      SHA256

      3e852d377972b8927c99e7510a5abd19ffdcf0f9c803f83fc9c7a8d1e666e84c

      SHA512

      41e6687d7d6befebb7ab2cec23530b6314cabb41444a6452cbe6fb28cc04d1f64033298f35c4846f88b6c9f4244e1966c60dc707fab07ded657cafc328332f2d

      Download Submit
    • \??\Volume{d05cfc4a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{4863e59e-a0da-49ac-ab33-e677d09c4cd1}_OnDiskSnapshotProp
      MD5

      d977496821e15b39ccb11e4642c79f87

      SHA1

      e63cdf3a13f8c1e403a24a77eacf516744dfb52a

      SHA256

      67a83eb1198cc623149e5ae92cbb281cc3516940d79a9b62bb121b22c1d3dc4d

      SHA512

      85e3eb033db85672a7e13f58479b737f887c1d6b0c32693407e07e8cb1f9e0a48a77c7fb3b0a0ad6e7d28b646cdeb9f2a30ab83ac2cbdd6c1b215e24222c9381

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsvEC7B.tmp\venh5.dll
      MD5

      c00528a6302c18a9f864430711bdd4fb

      SHA1

      f3bc9a67f9526bec14953713299c886417de6b47

      SHA256

      0fe4f7c5b0bee4f32d84db8cc6acdcb202f00e396bbda7770d3faafe066cb367

      SHA512

      354ed5ba7b654fefb339542e6f48088f1a2a9d73b4b2274684b9ff158c1d804ebd262e25592affbe626995718336c1132f9e7cbb305d62bac97a6f21249be643

      Download Submit
    • memory/2204-127-0x0000000000A40000-0x0000000000D60000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2204-123-0x000000000041EB70-mapping.dmp
      Download
    • memory/2204-126-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2204-128-0x0000000000500000-0x000000000064A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2236-118-0x0000000000000000-mapping.dmp
      Download
    • memory/3024-129-0x0000000002610000-0x00000000026C8000-memory.dmp
      Filesize

      736KB

      Download
    • memory/3024-138-0x0000000004760000-0x00000000047FF000-memory.dmp
      Filesize

      636KB

      Download
    • memory/3848-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3848-133-0x0000000000BB0000-0x0000000000BDE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3848-132-0x0000000001150000-0x0000000001169000-memory.dmp
      Filesize

      100KB

      Download
    • memory/3848-134-0x0000000004D80000-0x00000000050A0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3848-137-0x0000000004BE0000-0x0000000004C73000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3860-131-0x0000000000000000-mapping.dmp
      Download
    • memory/3964-125-0x0000000000AC0000-0x0000000000AC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3964-119-0x0000000000000000-mapping.dmp
      Download