Overview

overview

10

Static

static

обÑ...df.exe

windows7_x64

10

обÑ...df.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    31-08-2021 15:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    обÑ_азцы пÑ_одукции заказать pdf.exe

  • Size

    559KB

  • MD5

    f750108de86e79c14390ac0661a67b87

  • SHA1

    d83e517431a18b4fbe0d477ec980e08b3d57bf1c

  • SHA256

    de73d97fc56e19954fbec37b94bc65014305cc288b71ae6889bf37ac193c0333

  • SHA512

    f0b2a919ae68a1aab25901662d5a240620030093f87c3e7e3262822c5b085b88d9039cb594ff7c94e38072c4803b0b3beff5f15e651cd92824752df27820d761

Score
10/10
formbookn7akratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

C2

http://www.kmresults.com/n7ak/

Decoy

modischoolcbse.com

theneverwinter.com

rszkjx-vps-hosting.website

fnihil.com

1pbet.com

nnowzscorrez.com

uaotgvjl.icu

starmapsqatar.com

ekisilani.com

extradeepsheets.com

jam-nins.com

buranly.com

orixentertainment.com

rawtech.energy

myol.guru

utex.club

jiapie.com

wowig.store

wweidlyyl.com

systaskautomation.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\обÑ_азцы пÑ_одукции заказать pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\обÑ_азцы пÑ_одукции заказать pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FmsSuTN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF264.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3904
      • C:\Users\Admin\AppData\Local\Temp\обÑ_азцы пÑ_одукции заказать pdf.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1276
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\обÑ_азцы пÑ_одукции заказать pdf.exe"
        3⤵
          PID:3192

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpF264.tmp
      MD5

      a883c7cb805f023c829394c8ef7f8298

      SHA1

      a3acdd2ba72a8bd20739075847dc5b523d20998a

      SHA256

      58c7ba06dd6d8ac5e2ec579c31a81ad5a864cca9e3e1d5bd4eefd7219dc64c32

      SHA512

      4cbaf56fac6571ccad90fa71de853fba60d6d1139cd6e728c93e888407842bc213d9261ce66e2aa157c688d3f61bd20a4afe242cab5fe50a16c372c22a978c72

      Download Submit
    • memory/1276-128-0x0000000001A70000-0x0000000001D90000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1276-129-0x0000000001890000-0x00000000018A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1276-127-0x000000000041ECE0-mapping.dmp
      Download
    • memory/1276-126-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3028-130-0x0000000006BC0000-0x0000000006CB7000-memory.dmp
      Filesize

      988KB

      Download
    • memory/3028-139-0x00000000071C0000-0x0000000007263000-memory.dmp
      Filesize

      652KB

      Download
    • memory/3192-136-0x0000000000000000-mapping.dmp
      Download
    • memory/3768-131-0x0000000000000000-mapping.dmp
      Download
    • memory/3768-138-0x00000000046D0000-0x0000000004763000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3768-137-0x00000000043B0000-0x00000000046D0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3768-135-0x0000000000E00000-0x0000000000E2E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3768-134-0x0000000000F90000-0x0000000000FA2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3904-124-0x0000000000000000-mapping.dmp
      Download
    • memory/4044-120-0x0000000007440000-0x0000000007441000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4044-114-0x0000000000690000-0x0000000000691000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4044-116-0x00000000078E0000-0x00000000078E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4044-117-0x0000000007480000-0x0000000007481000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4044-118-0x0000000007520000-0x0000000007521000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4044-119-0x00000000073E0000-0x00000000078DE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4044-121-0x0000000009F70000-0x0000000009F7E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4044-123-0x0000000006120000-0x0000000006163000-memory.dmp
      Filesize

      268KB

      Download
    • memory/4044-122-0x00000000049C0000-0x0000000004A52000-memory.dmp
      Filesize

      584KB

      Download