Overview

overview

10

Static

static

comandă d...df.exe

windows7_x64

10

comandă d...df.exe

windows10_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    27-01-2022 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    comandă de achiziție pdf.exe

  • Size

    409KB

  • MD5

    6d1c90c44010cfd2f785c5d415a5cd18

  • SHA1

    37a88f4f80b5e8e4345eefbbb9f2b23df08de18a

  • SHA256

    3d28df7c5fa301b4e6d80f4bbc9dfa70bec762ca5ef085bcc8373b4b359b177f

  • SHA512

    ace2fe025f112cf2bff848f5c6e8709b6db239d919d1b3ae0c63edcc2cdbe4ea941f7d2012e99d50ef80df36c36d630bc709ea8f59672416bffacbca6d09d32c

Score
10/10
formbookg2m3ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2m3

Decoy

stocktonfingerprinting.com

metaaiqr.com

junicy.com

libertymutualgrou.com

jklhs7gl.xyz

alex-covalcova.space

socialfiguild.com

drnicholasreid.com

androidappprogrammierie.com

relatingtohumans.com

jitsystems.com

gbwpmz.com

lesaventuresdecocomango.com

wu8ggqdv077p.xyz

autnvg.com

wghakt016.xyz

lagosian.store

hilldoor.com

oculos-ajustavel-br.xyz

nameniboothac.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Users\Admin\AppData\Local\Temp\comandă de achiziție pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\comandă de achiziție pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IJwFJArDPTvJz.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:436
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IJwFJArDPTvJz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5090.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2040
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1896
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:752
      • C:\Windows\SysWOW64\systray.exe
        "C:\Windows\SysWOW64\systray.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1176
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:1900

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp5090.tmp
        MD5

        f732f7c6faee466d02d1ab9cfa4d5c2c

        SHA1

        626519fee1836f1fb5bdc77f97cb5e642bd01532

        SHA256

        42bd9368ce172fdfbc0b05ce68b592ab561b5f8b551a24a229e1da95872b0965

        SHA512

        8270c05c2249615b81735d7a763ae7323ef2dda6f6f1447142e4671e3df59d89077ac4e5050209428aacc0f0bf065cd86a745dd65ae55e31f5605146e5ab426b

        Download Submit
      • memory/436-75-0x00000000024F0000-0x000000000313A000-memory.dmp
        Filesize

        12.3MB

        Download
      • memory/436-72-0x00000000024F0000-0x000000000313A000-memory.dmp
        Filesize

        12.3MB

        Download
      • memory/752-64-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/752-67-0x00000000001F0000-0x0000000000204000-memory.dmp
        Filesize

        80KB

        Download
      • memory/752-66-0x0000000000840000-0x0000000000B43000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/752-63-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/752-62-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1148-59-0x00000000056C0000-0x000000000572A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/1148-55-0x0000000001010000-0x000000000107C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/1148-58-0x0000000000390000-0x000000000039C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1148-57-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1148-56-0x0000000076511000-0x0000000076513000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1176-69-0x0000000000D40000-0x0000000000D45000-memory.dmp
        Filesize

        20KB

        Download
      • memory/1176-70-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1176-71-0x0000000000A30000-0x0000000000D33000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1176-73-0x0000000000920000-0x00000000009B3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1356-68-0x0000000006B80000-0x0000000006CCE000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1356-74-0x0000000006D90000-0x0000000006F08000-memory.dmp
        Filesize

        1.5MB

        Download