Overview

overview

10

Static

static

Factura de...df.exe

windows7_x64

10

Factura de...df.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    26-10-2021 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Factura de proforma.Pdf.exe

  • Size

    416KB

  • MD5

    1023715ab1412b3ab39be25ad6054e9c

  • SHA1

    b93d9283fffc26259a3675195ed878b3089ca8b7

  • SHA256

    b4585da149dee9da71100f73ac5088f6dcd2f0bad3a155a78615ab321fce3f71

  • SHA512

    63a837b607dd274a3285380d2bdad3b0b059ffbb39b7e7f14a9d76eb3dc4fca861cf0bcfd6be4420f3a13d83f3388afbc41859a08c3b87778bdebdd399eca376

Score
10/10
formbookdv9nratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv9n

C2

http://www.elianedefalco.com/dv9n/

Decoy

nblvqing.com

delmegebuildingproducts.com

xiongba8.com

latuawebreputation.online

nowcloud.tech

cckghs.com

tradeoo.ltd

ppapo.com

tphoaphuongdo.club

whitefoxy.site

bottle-sentences.net

computersewa.com

lushberryholidays.com

motobotz.com

shadurj.com

amazonlexdeveloper.com

shunli178.xyz

sjzzlmh.com

6eu09rp.xyz

novinmes.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\Factura de proforma.Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Factura de proforma.Pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKcHlxwvyiaYUp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69C2.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1644
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1608
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:1828
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1656
        • C:\Windows\SysWOW64\raserver.exe
          "C:\Windows\SysWOW64\raserver.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3328
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            3⤵
              PID:2088

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1644-125-0x0000000000000000-mapping.dmp
          Download
        • memory/1656-129-0x0000000001720000-0x0000000001A40000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1656-130-0x0000000001600000-0x0000000001614000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1656-127-0x000000000041F190-mapping.dmp
          Download
        • memory/1656-126-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/2088-136-0x0000000000000000-mapping.dmp
          Download
        • memory/3056-138-0x00000000050E0000-0x00000000051A0000-memory.dmp
          Filesize

          768KB

          Download
        • memory/3056-131-0x0000000006B20000-0x0000000006CC9000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/3168-121-0x00000000070C0000-0x00000000070C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3168-118-0x0000000006E20000-0x0000000006E21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3168-123-0x0000000009390000-0x0000000009397000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3168-122-0x000000007F110000-0x000000007F111000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3168-115-0x00000000000B0000-0x00000000000B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3168-120-0x0000000006F80000-0x0000000006F81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3168-119-0x0000000006D20000-0x000000000721E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/3168-124-0x0000000008980000-0x00000000089D0000-memory.dmp
          Filesize

          320KB

          Download
        • memory/3168-117-0x0000000007220000-0x0000000007221000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3328-132-0x0000000000000000-mapping.dmp
          Download
        • memory/3328-135-0x0000000004740000-0x0000000004A60000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/3328-134-0x0000000002F90000-0x0000000002FBF000-memory.dmp
          Filesize

          188KB

          Download
        • memory/3328-137-0x0000000004B00000-0x0000000004B93000-memory.dmp
          Filesize

          588KB

          Download
        • memory/3328-133-0x00000000001B0000-0x00000000001CF000-memory.dmp
          Filesize

          124KB

          Download