Overview

overview

10

Static

static

1

otr69022.exe

windows7_x64

10

otr69022.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    25-10-2021 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    otr69022.exe

  • Size

    256KB

  • MD5

    00e7692bd5da0993f8cd7ed1c4b35d26

  • SHA1

    6c342d8f0b727586f58007fa8073e5176ee7b652

  • SHA256

    c115f11cec4e606d14bd5df33ea033f0311ca2e9915e5fb7908736b9cfa18729

  • SHA512

    7ccc7c1e315046af035c2e9bb1f0d101db1d1db234c3d9eacae8e70548cfe76afeab0ba7eade78c06c906715487ca69912ca8d2be143e70508a77f4d643a5a30

Score
10/10
formbookrv9nratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rv9n

C2

http://www.cjspizza.net/rv9n/

Decoy

olivia-grace.show

zhuwww.com

keiretsu.xyz

olidnh.space

searuleansec.com

2fastrepair.com

brooklynmetalroof.com

scodol.com

novaprint.pro

the-loaner.com

nextroundscap.com

zbwlggs.com

internetautodealer.com

xn--tornrealestate-ekb.com

yunjiuhuo.com

skandinaviskakryptobanken.com

coxivarag.rest

ophthalmologylab.com

zzzzgjcdbqnn98.net

doeful.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\otr69022.exe
      "C:\Users\Admin\AppData\Local\Temp\otr69022.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Users\Admin\AppData\Local\Temp\otr69022.exe
        "C:\Users\Admin\AppData\Local\Temp\otr69022.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:760
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\otr69022.exe"
        3⤵
        • Deletes itself
        PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nstDD94.tmp\mbba.dll
    MD5

    e83191aac369d7512911f1c86fe6b4bf

    SHA1

    4214650caa03a2b5bd086f07b24e5d98926e031e

    SHA256

    370a60f0c2956e729adb71695cdb5fa413be95f92dbf43631f6747eb6bff5a48

    SHA512

    6e3720a7bfa0d172fccccad9d06bf5f61ca229c7ea4f4fa5fb07e7125c5daac3f4d470fba7f8010bad9ea810289f15a982c8ed6e7bd838fc8297012185509a85

    Download Submit
  • memory/332-54-0x0000000075FA1000-0x0000000075FA3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/760-56-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/760-57-0x000000000041F120-mapping.dmp
    Download
  • memory/760-60-0x00000000002C0000-0x00000000002D4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/760-59-0x0000000000830000-0x0000000000B33000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1260-64-0x000000004A400000-0x000000004A44C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1260-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1260-65-0x0000000000080000-0x00000000000AF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1260-66-0x0000000002060000-0x0000000002363000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1260-67-0x0000000001D90000-0x0000000001E23000-memory.dmp
    Filesize

    588KB

    Download
  • memory/1388-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1392-61-0x0000000006960000-0x0000000006B00000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1392-68-0x0000000006BE0000-0x0000000006D46000-memory.dmp
    Filesize

    1.4MB

    Download