Overview

overview

10

Static

static

[RFQ] New ...on.exe

windows7_x64

10

[RFQ] New ...on.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    10-05-2021 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [RFQ] New Project Items 7519 Quotation.exe

  • Size

    631KB

  • MD5

    d4e1ec4ec4ca6e4807739df8d64f4943

  • SHA1

    de5e4589ed7c9b727ae72abdcd80f8c3afa5e051

  • SHA256

    6f30586ae0f10f48d85d4c59c351756df1754de806b4aa52078bde8d792437ea

  • SHA512

    7d4c3f09108f5519c4c4d054ff0ea31f9cf3dedeffbad698ead6dd5afb94191527d329e4645f02f1d96a4a6910974c0d09468b290eeb111780bc5d93cf3d7bad

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.royalelectricvehicle.com/m8uk/

Decoy

blackcountryteshirts.com

pioneergeoscience.com

calacciwedding.com

theelegantdoorbow.com

graciosera.com

kwikversity.com

izita.xyz

drivewiththebest.co.uk

kakback.xyz

sachascott.net

lifeenterprisesystems.com

interimgirl.com

myviralplatform.com

spainmatrimony.com

supergenx.com

leglehla.icu

otlhswdok.icu

1stfdsqnre.com

xxxcentral.net

movimentare.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\[RFQ] New Project Items 7519 Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\[RFQ] New Project Items 7519 Quotation.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LAZpqKjONWsk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15E1.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1028
      • C:\Users\Admin\AppData\Local\Temp\[RFQ] New Project Items 7519 Quotation.exe
        "C:\Users\Admin\AppData\Local\Temp\[RFQ] New Project Items 7519 Quotation.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1004
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\[RFQ] New Project Items 7519 Quotation.exe"
        3⤵
        • Deletes itself
        PID:1280

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp15E1.tmp
    MD5

    42d4cede9bcfeaeceb06dee7fbe9c09d

    SHA1

    b5ae0a2fdfc61ee572f2f86ca15580d9209ddb75

    SHA256

    6b458231e36d83c04409f14dd18bf082f10777ad0e2b10e9b48b40730a717df1

    SHA512

    b46274eb2b3d4d03683e985a395190f1b8f944501a24376e496e08f8cca32607a6e04b841bb2a30c8541fef35a0ea2fc539563e291ca53b92c1f82daea92aee3

    Download Submit

  • memory/640-74-0x0000000000000000-mapping.dmp

    Download

  • memory/640-80-0x0000000001F80000-0x0000000002013000-memory.dmp

    Filesize

    588KB

    Download

  • memory/640-79-0x0000000002110000-0x0000000002413000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/640-78-0x00000000000D0000-0x00000000000FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/640-77-0x0000000000670000-0x0000000000684000-memory.dmp

    Filesize

    80KB

    Download

  • memory/640-75-0x0000000076641000-0x0000000076643000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1004-72-0x0000000000280000-0x0000000000294000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1004-69-0x000000000041ED10-mapping.dmp

    Download

  • memory/1004-71-0x0000000000900000-0x0000000000C03000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1004-68-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1028-66-0x0000000000000000-mapping.dmp

    Download

  • memory/1208-73-0x0000000004790000-0x00000000048B8000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1208-81-0x0000000004CF0000-0x0000000004E30000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1280-76-0x0000000000000000-mapping.dmp

    Download

  • memory/1820-60-0x0000000000F80000-0x0000000000F81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1820-65-0x0000000000A60000-0x0000000000A98000-memory.dmp

    Filesize

    224KB

    Download

  • memory/1820-64-0x0000000004CF0000-0x0000000004D6E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/1820-63-0x00000000003D0000-0x00000000003D4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1820-62-0x0000000004990000-0x0000000004991000-memory.dmp

    Filesize

    4KB

    Download