Overview

overview

10

Static

static

Quotation-pdf.exe

windows7_x64

10

Quotation-pdf.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation-pdf.exe

  • Size

    573KB

  • MD5

    43be7a6cfb1c2fae6ad5c9e0440be4f8

  • SHA1

    af4be0100e8c2b00ec1d821d72d15174ab2197e4

  • SHA256

    0337d7784d4021b8467b2652f8c6ca9703732a0f132a1aebcafae37673db026d

  • SHA512

    18a88af955dda3fbfc44a44ee72f8dcd32aefcc1d998316980bb235b485de6b6fee09b1322a5bd863cab5036c6b9b16c6a8aaf30c918ba5862c5b83b29406643

Score
10/10
formbookm17yratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m17y

Decoy

dental-implants-us-prices.site

eolegends.online

drskinstudio.com

miamivideomapping.com

cqytwater.com

fesfe.net

dlautostore.com

wwwpledge.com

trynutiliti.com

551milesoak.com

jemmetalfab.com

teamtrinitysellsncarolina.com

injurypersonallawyer.com

r3qcf2.xyz

djellaba-boutique.com

t6fwagd.xyz

lm-upto100.com

shyashijz.com

classicbasilicata.com

exactias.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IfvVzYPE.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:688
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IfvVzYPE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC8DB.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:648
      • C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1804
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Quotation-pdf.exe"
        3⤵
        • Deletes itself
        PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC8DB.tmp
    MD5

    6eceacfc1b8435e47e443d422fb18561

    SHA1

    60a8dfebf704053886bfb1014438816453bfad36

    SHA256

    b885c897568a29dc0cb2bb50d8a522c821028e59f6f0589977c8f6ff46ef73c9

    SHA512

    eb04b19e2088a975542b434561a6b14a6922a44f3815196030b26e8d61aa14b433e189ab3f7ce8fa247fc614a2658ed0a36b9e7f9e318f115668da2b65edfedb

    Download Submit
  • memory/688-72-0x00000000023B0000-0x0000000002FFA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/688-71-0x00000000023B0000-0x0000000002FFA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/688-70-0x00000000023B0000-0x0000000002FFA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1368-66-0x0000000004C10000-0x0000000004CDC000-memory.dmp
    Filesize

    816KB

    Download
  • memory/1368-75-0x00000000068F0000-0x0000000006A37000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1368-81-0x0000000006B00000-0x0000000006C11000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1732-56-0x0000000004D80000-0x0000000004D81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1732-57-0x0000000000490000-0x000000000049C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1732-55-0x0000000074F11000-0x0000000074F13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1732-54-0x0000000000E50000-0x0000000000EE6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1732-58-0x0000000005340000-0x00000000053AA000-memory.dmp
    Filesize

    424KB

    Download
  • memory/1804-67-0x0000000000360000-0x0000000000375000-memory.dmp
    Filesize

    84KB

    Download
  • memory/1804-63-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1804-65-0x00000000008B0000-0x0000000000BB3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1804-73-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1804-74-0x00000000003A0000-0x00000000003B5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/1804-62-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1804-61-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1836-77-0x00000000003F0000-0x0000000000404000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1836-78-0x0000000000090000-0x00000000000BF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1836-79-0x00000000021B0000-0x00000000024B3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1836-80-0x00000000020C0000-0x0000000002154000-memory.dmp
    Filesize

    592KB

    Download