Overview

overview

10

Static

static

Orden de producto.exe

windows7_x64

10

Orden de producto.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    22-07-2021 09:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Orden de producto.exe

  • Size

    736KB

  • MD5

    967d2dd88fe4a18a1593c5fb25da4a6e

  • SHA1

    5295dbd3fd2d828e56d20741db9fbd84e809cfa7

  • SHA256

    e324db0ece1d167afd6b4344e41ae12cd39bf5b87b774722c52b0408fe156ca1

  • SHA512

    1e532896797738ad655c31c3be06d16453049d23bf7a78e08358ae41d45b2d5d2db02e5c8383334529faeb84040b7c59a668adcb22198b8f3fd6196a07f18ef6

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.kmresults.com/n7ak/

Decoy

modischoolcbse.com

theneverwinter.com

rszkjx-vps-hosting.website

fnihil.com

1pbet.com

nnowzscorrez.com

uaotgvjl.icu

starmapsqatar.com

ekisilani.com

extradeepsheets.com

jam-nins.com

buranly.com

orixentertainment.com

rawtech.energy

myol.guru

utex.club

jiapie.com

wowig.store

wweidlyyl.com

systaskautomation.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\Orden de producto.exe
      "C:\Users\Admin\AppData\Local\Temp\Orden de producto.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1260
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3984
      • C:\Windows\SysWOW64\DpiScaling.exe
        C:\Windows\System32\DpiScaling.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4264
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:3216
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:3344
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:492
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:508
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:576
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:636
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:648
                  • C:\Windows\SysWOW64\autochk.exe
                    "C:\Windows\SysWOW64\autochk.exe"
                    2⤵
                      PID:808
                    • C:\Windows\SysWOW64\autochk.exe
                      "C:\Windows\SysWOW64\autochk.exe"
                      2⤵
                        PID:816
                      • C:\Windows\SysWOW64\autochk.exe
                        "C:\Windows\SysWOW64\autochk.exe"
                        2⤵
                          PID:860
                        • C:\Windows\SysWOW64\autochk.exe
                          "C:\Windows\SysWOW64\autochk.exe"
                          2⤵
                            PID:908
                          • C:\Windows\SysWOW64\autochk.exe
                            "C:\Windows\SysWOW64\autochk.exe"
                            2⤵
                              PID:1208
                            • C:\Windows\SysWOW64\autochk.exe
                              "C:\Windows\SysWOW64\autochk.exe"
                              2⤵
                                PID:392
                              • C:\Windows\SysWOW64\netsh.exe
                                "C:\Windows\SysWOW64\netsh.exe"
                                2⤵
                                • Suspicious use of SetThreadContext
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: MapViewOfSection
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:584
                                • C:\Windows\SysWOW64\cmd.exe
                                  /c del "C:\Windows\SysWOW64\DpiScaling.exe"
                                  3⤵
                                    PID:1076

                              Network

                              MITRE ATT&CK Matrix

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • memory/584-123-0x0000000000000000-mapping.dmp
                                Download
                              • memory/584-128-0x0000000003780000-0x0000000003813000-memory.dmp
                                Filesize

                                588KB

                                Download
                              • memory/584-127-0x0000000003A20000-0x0000000003D40000-memory.dmp
                                Filesize

                                3.1MB

                                Download
                              • memory/584-126-0x0000000003160000-0x000000000318E000-memory.dmp
                                Filesize

                                184KB

                                Download
                              • memory/584-125-0x0000000000C70000-0x0000000000C8E000-memory.dmp
                                Filesize

                                120KB

                                Download
                              • memory/1076-124-0x0000000000000000-mapping.dmp
                                Download
                              • memory/3048-122-0x0000000006300000-0x000000000648B000-memory.dmp
                                Filesize

                                1.5MB

                                Download
                              • memory/3048-120-0x0000000006150000-0x00000000062F1000-memory.dmp
                                Filesize

                                1.6MB

                                Download
                              • memory/3048-129-0x00000000029B0000-0x0000000002A7D000-memory.dmp
                                Filesize

                                820KB

                                Download
                              • memory/4264-121-0x0000000000DB0000-0x0000000000DC4000-memory.dmp
                                Filesize

                                80KB

                                Download
                              • memory/4264-118-0x0000000004560000-0x0000000004880000-memory.dmp
                                Filesize

                                3.1MB

                                Download
                              • memory/4264-119-0x0000000000D70000-0x0000000000D84000-memory.dmp
                                Filesize

                                80KB

                                Download
                              • memory/4264-117-0x0000000010410000-0x000000001043E000-memory.dmp
                                Filesize

                                184KB

                                Download
                              • memory/4264-116-0x00000000004B0000-0x00000000004B1000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/4264-115-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4648-114-0x0000000000750000-0x0000000000751000-memory.dmp
                                Filesize

                                4KB

                                Download