Overview

overview

10

Static

static

1

rrwq200123.exe

windows7_x64

10

rrwq200123.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    19-10-2021 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rrwq200123.exe

  • Size

    253KB

  • MD5

    3a5c5bb43232e4e48b63cdf123dec876

  • SHA1

    95b478c57de28b87d6bd87dd32a4faec02b0d620

  • SHA256

    e5ebc473e259ec57e2a831477b449dd07c13198c0db74ce67732a8fce59e25ac

  • SHA512

    59bd907d7faa8aab41c1cfc78d0aabf8592e8e1e8b49abc4340b807718b96d2e281270f15a5767d6df4e4acde5375ed20756c8598019ed927866dc25c70f7281

Score
10/10
formbookrv9nratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rv9n

C2

http://www.cjspizza.net/rv9n/

Decoy

olivia-grace.show

zhuwww.com

keiretsu.xyz

olidnh.space

searuleansec.com

2fastrepair.com

brooklynmetalroof.com

scodol.com

novaprint.pro

the-loaner.com

nextroundscap.com

zbwlggs.com

internetautodealer.com

xn--tornrealestate-ekb.com

yunjiuhuo.com

skandinaviskakryptobanken.com

coxivarag.rest

ophthalmologylab.com

zzzzgjcdbqnn98.net

doeful.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\rrwq200123.exe
      "C:\Users\Admin\AppData\Local\Temp\rrwq200123.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Users\Admin\AppData\Local\Temp\rrwq200123.exe
        "C:\Users\Admin\AppData\Local\Temp\rrwq200123.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\SysWOW64\wscript.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:292
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\rrwq200123.exe"
            5⤵
            • Deletes itself
            PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsyD5D6.tmp\ylbzgkuxqsi.dll
    MD5

    51d6f1227b9a2e0b090c9d0dab9d4528

    SHA1

    43149a31386cd9613c5b0e8a218f1e7cc7f77af8

    SHA256

    23e80d01cf007b17f91366fb1866568f0385ff08767434728f209535d3452fdd

    SHA512

    b85fd793d0ddf2e96833b458fee64008ff13a863a4b9ba044bf916efc41947fdadc13cfb1deaa151d58c162d706e32226e14ea2a7ba82557eccff329c9e38afb

    Download Submit
  • memory/292-66-0x0000000000000000-mapping.dmp
    Download
  • memory/292-71-0x0000000000DF0000-0x0000000000E83000-memory.dmp
    Filesize

    588KB

    Download
  • memory/292-70-0x0000000000AE0000-0x0000000000DE3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/292-69-0x0000000000070000-0x000000000009F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/292-68-0x0000000000FA0000-0x0000000000FC6000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1380-65-0x00000000068A0000-0x000000000696D000-memory.dmp
    Filesize

    820KB

    Download
  • memory/1380-62-0x0000000006590000-0x0000000006658000-memory.dmp
    Filesize

    800KB

    Download
  • memory/1380-72-0x0000000007A90000-0x0000000007BD6000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1516-63-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1516-64-0x00000000003A0000-0x00000000003B4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1516-61-0x0000000000340000-0x0000000000354000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1516-59-0x00000000008A0000-0x0000000000BA3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1516-58-0x000000000041F120-mapping.dmp
    Download
  • memory/1516-57-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1652-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1700-55-0x00000000762D1000-0x00000000762D3000-memory.dmp
    Filesize

    8KB

    Download