Overview

overview

10

Static

static

Shipping d...DF.exe

windows7_x64

10

Shipping d...DF.exe

windows10_x64

10

Resubmissions

27-07-2021 19:58

210727-zryy5tgqke 10

26-04-2021 12:43

210426-a8lwg89rb6 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-07-2021 19:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping documents PDF.exe

  • Size

    831KB

  • MD5

    81b0bdef857aa70ba8bfe0cb6d02f727

  • SHA1

    328ce667e6d7fff59c3f27c0fcda338159c37c6f

  • SHA256

    ecc540938addc1a440ef6ceb7714a0b45153c04c28df4395e3de18181439341a

  • SHA512

    2b9c6596589265ed4a849d14e10cebff7fdac9a9a0bf7b4a6e33b41b38151a6f63aeb78b4c69e74b6a90be07c470bb86d8da2db988e2863f778780e4c07e238b

Score
10/10
formbookratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://w����5 �@q[*��S=���m

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\Shipping documents PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping documents PDF.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tFqKFDvgHq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E23.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4184
      • C:\Users\Admin\AppData\Local\Temp\Shipping documents PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents PDF.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:412
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:668
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Shipping documents PDF.exe"
          3⤵
            PID:1012
      • C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
        C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
        1⤵
          PID:3364

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp1E23.tmp
          MD5

          38ed44b24d8c84611abd1eb74cfa976f

          SHA1

          1eede321a8983ca9e7e635c0867c1e4e9c47230e

          SHA256

          ae745b46969488f1f889c5b513920d68d601711a71773b3fba6c5c1bbe1d9274

          SHA512

          2a51da8cc9cf68980364332790a571085bd84b56ebe4e53d4fda72ce401253efa2413e3ef177bb1865ee8846c18177bf17395a46adf38d35645ef5da0819fa34

          Download Submit
        • memory/412-120-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/412-121-0x000000000041EAC0-mapping.dmp
          Download
        • memory/412-122-0x00000000018A0000-0x0000000001BC0000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/412-123-0x0000000001860000-0x0000000001874000-memory.dmp
          Filesize

          80KB

          Download
        • memory/632-125-0x0000000000000000-mapping.dmp
          Download
        • memory/632-130-0x0000000003350000-0x00000000033E3000-memory.dmp
          Filesize

          588KB

          Download
        • memory/632-128-0x0000000002D50000-0x0000000002D7E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/632-129-0x0000000003450000-0x0000000003770000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/632-127-0x0000000000920000-0x0000000000927000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1012-126-0x0000000000000000-mapping.dmp
          Download
        • memory/3048-124-0x00000000051C0000-0x0000000005327000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3048-131-0x0000000005330000-0x0000000005484000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3364-115-0x00000000016B0000-0x00000000016B2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4184-118-0x0000000000000000-mapping.dmp
          Download
        • memory/4648-114-0x0000000002540000-0x0000000002541000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4648-117-0x000000007EDA0000-0x000000007EDA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4648-116-0x0000000002541000-0x0000000002542000-memory.dmp
          Filesize

          4KB

          Download