Overview

overview

10

Static

static

comandă d...df.exe

windows7_x64

10

comandă d...df.exe

windows10_x64

10

Analysis

  • max time kernel
    163s
  • max time network
    164s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    comandă de achiziție pdf.exe

  • Size

    409KB

  • MD5

    6d1c90c44010cfd2f785c5d415a5cd18

  • SHA1

    37a88f4f80b5e8e4345eefbbb9f2b23df08de18a

  • SHA256

    3d28df7c5fa301b4e6d80f4bbc9dfa70bec762ca5ef085bcc8373b4b359b177f

  • SHA512

    ace2fe025f112cf2bff848f5c6e8709b6db239d919d1b3ae0c63edcc2cdbe4ea941f7d2012e99d50ef80df36c36d630bc709ea8f59672416bffacbca6d09d32c

Score
10/10
formbookg2m3ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2m3

Decoy

stocktonfingerprinting.com

metaaiqr.com

junicy.com

libertymutualgrou.com

jklhs7gl.xyz

alex-covalcova.space

socialfiguild.com

drnicholasreid.com

androidappprogrammierie.com

relatingtohumans.com

jitsystems.com

gbwpmz.com

lesaventuresdecocomango.com

wu8ggqdv077p.xyz

autnvg.com

wghakt016.xyz

lagosian.store

hilldoor.com

oculos-ajustavel-br.xyz

nameniboothac.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\comandă de achiziție pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\comandă de achiziție pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IJwFJArDPTvJz.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2948
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IJwFJArDPTvJz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3EB6.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2824
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:360
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1172

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3EB6.tmp
      MD5

      43edb229c0d510bf4c6a90d88175af2f

      SHA1

      73b531e5b7a00f224a29bb0f36cd8fc67444affd

      SHA256

      13b8726e3e3ea044768dc08ce2912655c90b32f30ea0dcf4f3c70f4ca2dd9aa7

      SHA512

      0957ae5bf45f7cad960b8230b7c7464b9b2953a500df979790fcb80a4120f19335bf329aeb71113809ff7f63a0fd9922446d65222898b49f3e3ea5adf867796a

      Download Submit
    • memory/360-132-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/360-136-0x0000000000E00000-0x0000000000E14000-memory.dmp
      Filesize

      80KB

      Download
    • memory/360-135-0x00000000009C0000-0x0000000000CE0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/824-119-0x0000000005A30000-0x0000000005F2E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/824-120-0x0000000005480000-0x0000000005512000-memory.dmp
      Filesize

      584KB

      Download
    • memory/824-121-0x0000000005530000-0x0000000005A2E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/824-122-0x0000000005450000-0x000000000545A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/824-123-0x00000000056A0000-0x00000000056AC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/824-124-0x0000000007C20000-0x0000000007CBC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/824-125-0x0000000007D30000-0x0000000007D9A000-memory.dmp
      Filesize

      424KB

      Download
    • memory/824-118-0x0000000000A80000-0x0000000000AEC000-memory.dmp
      Filesize

      432KB

      Download
    • memory/2896-137-0x0000000000A40000-0x0000000000B2D000-memory.dmp
      Filesize

      948KB

      Download
    • memory/2896-149-0x00000000026F0000-0x0000000002795000-memory.dmp
      Filesize

      660KB

      Download
    • memory/2948-129-0x0000000004330000-0x0000000004366000-memory.dmp
      Filesize

      216KB

      Download
    • memory/2948-165-0x000000007EB70000-0x000000007EB71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2948-143-0x0000000006EA0000-0x0000000006F06000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2948-138-0x0000000006A10000-0x0000000006A32000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2948-134-0x0000000006F70000-0x0000000007598000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/2948-365-0x00000000006F0000-0x00000000006F8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2948-142-0x0000000006E30000-0x0000000006E96000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2948-360-0x0000000000820000-0x000000000083A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2948-166-0x0000000004403000-0x0000000004404000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2948-131-0x0000000004402000-0x0000000004403000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2948-146-0x0000000007C40000-0x0000000007C8B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2948-145-0x00000000075D0000-0x00000000075EC000-memory.dmp
      Filesize

      112KB

      Download
    • memory/2948-147-0x0000000007F40000-0x0000000007FB6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2948-167-0x00000000092C0000-0x0000000009354000-memory.dmp
      Filesize

      592KB

      Download
    • memory/2948-130-0x0000000004400000-0x0000000004401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2948-158-0x0000000008FB0000-0x0000000008FE3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2948-159-0x0000000008BE0000-0x0000000008BFE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2948-164-0x00000000090E0000-0x0000000009185000-memory.dmp
      Filesize

      660KB

      Download
    • memory/2948-144-0x00000000077B0000-0x0000000007B00000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3060-139-0x0000000000BB0000-0x0000000000BD7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/3060-148-0x0000000004D50000-0x0000000004EEA000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3060-141-0x0000000005090000-0x00000000053B0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3060-140-0x0000000000B40000-0x0000000000B6F000-memory.dmp
      Filesize

      188KB

      Download