Overview

overview

10

Static

static

Ministry o...in.exe

windows7_x64

10

Ministry o...in.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    14-10-2021 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ministry of Health Kingdom of Bahrain.exe

  • Size

    358KB

  • MD5

    e1a110c51c33c12ee53679c40c954395

  • SHA1

    361ca3b8600138c93a6cb8728ddefd7bb1be53ef

  • SHA256

    ad4c2025f6a3741ba965e53a40e907b04dd1031c666e80d98afe6fd00c70239d

  • SHA512

    8572c6c49eca57c0a89523df94c73eb65617687c4e89045633eeafb05f2844f6c14df7ef0e61fa05a1cae39d5fa664d8e206c6cccadcacc03d749a9b0caefdfb

Score
10/10
formbookey5aratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ey5a

C2

http://www.puwuved.xyz/ey5a/

Decoy

lygptkl.com

winsentrade.com

bluprintliving.com

yumohealth.com

cherryadulttoys.com

gianttigar.com

maxhutmacher.net

autostokyocorp.com

calvaryload.com

stixxiepix.com

j98152.com

starsky666.xyz

loadkicks.com

designauraspace.com

wwwfmcna.com

mikakonaitopsychologist.com

kristalsuaritma.com

kh180.com

kulturel.net

araveenapark.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe
      "C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe
        "C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"
        3⤵
          PID:1528
        • C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe
          "C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2016
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\SysWOW64\cscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"
          3⤵
          • Deletes itself
          PID:1900

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1400-66-0x00000000044D0000-0x00000000045BD000-memory.dmp
      Filesize

      948KB

      Download
    • memory/1400-77-0x0000000007980000-0x0000000007B03000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1400-70-0x0000000006A00000-0x0000000006B51000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1480-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1480-76-0x00000000022B0000-0x0000000002344000-memory.dmp
      Filesize

      592KB

      Download
    • memory/1480-75-0x0000000001FA0000-0x00000000022A3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1480-72-0x0000000000320000-0x0000000000342000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1480-73-0x00000000000B0000-0x00000000000DF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1884-57-0x0000000004A80000-0x0000000004A81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1884-56-0x00000000751A1000-0x00000000751A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1884-59-0x0000000000E50000-0x0000000000EA0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1884-58-0x0000000000250000-0x0000000000255000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1884-54-0x0000000001270000-0x0000000001271000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1900-74-0x0000000000000000-mapping.dmp
      Download
    • memory/2016-63-0x000000000041F070-mapping.dmp
      Download
    • memory/2016-69-0x00000000004C0000-0x00000000004D5000-memory.dmp
      Filesize

      84KB

      Download
    • memory/2016-68-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2016-67-0x00000000002C0000-0x00000000002D5000-memory.dmp
      Filesize

      84KB

      Download
    • memory/2016-65-0x0000000000770000-0x0000000000A73000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2016-62-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2016-61-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2016-60-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download