Overview

overview

10

Static

static

Confirmare...df.exe

windows7_x64

10

Confirmare...df.exe

windows10_x64

10

Analysis

  • max time kernel
    165s
  • max time network
    164s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    29-01-2022 08:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confirmarea platii.Pdf.exe

  • Size

    821KB

  • MD5

    c93940644125559a6aa5f89f532066b8

  • SHA1

    9e80136c79abe4072b9629fb57f19c2692dc33a8

  • SHA256

    b76cdf3f203937fdd5a57710faf9c4d78281f4b893e8caff17a5053bb741bffc

  • SHA512

    2c5eee79d2b488cdf1ec10d0fe295dc87fcb3383665bd072174571cdc6feeb7531a329861eaabd9838799fca633203b5dc7d98a535123bd7a4ba458c5f42c0af

Score
10/10
formbookd2g7ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d2g7

Decoy

inviteonlyme.com

noashopping.com

raysyoutube.com

chicagp.com

brnguatemala.com

speechboutique.com

philippinepodcastdirectory.com

konnecio.com

9q1ng6.icu

treez.info

appleiclou.com

pettras.com

txherz.icu

freearcae.com

mindpetalsoftwaresolutions.com

my-beautiful-switzerland.com

hpzebike.online

fadsekclub.xyz

newcastledhaka.com

varidsk.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\Confirmarea platii.Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Confirmarea platii.Pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClmeTculHDsCcc.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3940
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ClmeTculHDsCcc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC80F.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3276
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:600
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1528

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpC80F.tmp
      MD5

      9ca0b58b568853c3200eaddb63bb700f

      SHA1

      e9225bd23adffd1ae32f55bd6dad0e4ee393884e

      SHA256

      15e6d47925ac34e305a875abbdecce49c54e494b2da13f870e48fcfa37910a99

      SHA512

      d35f516b57408a8d68b1bc011f63f58b2747cf258787c707d24aeab2a085bbccf350de0440aef8e2b399b3cce783814c13b598fe6242e12da9dcdb2cc6b9ed61

      Download Submit
    • memory/600-140-0x0000000001650000-0x0000000001970000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/600-129-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/600-161-0x00000000014B0000-0x000000000164C000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/600-160-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/600-141-0x00000000014B0000-0x000000000164C000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2132-205-0x0000000000610000-0x000000000063F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2132-203-0x0000000000D20000-0x0000000000D27000-memory.dmp
      Filesize

      28KB

      Download
    • memory/2132-379-0x0000000000AA0000-0x0000000000C30000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2132-207-0x0000000002D30000-0x0000000003050000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3040-380-0x0000000005440000-0x000000000554E000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3040-162-0x00000000068F0000-0x0000000006A3C000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3040-142-0x0000000005C00000-0x0000000005D4F000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3052-123-0x00000000080F0000-0x000000000818C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3052-117-0x0000000000CC0000-0x0000000000D94000-memory.dmp
      Filesize

      848KB

      Download
    • memory/3052-122-0x0000000007DC0000-0x0000000007DCC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3052-120-0x00000000057E0000-0x0000000005CDE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3052-121-0x0000000005710000-0x000000000571A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3052-124-0x00000000082A0000-0x0000000008306000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3052-118-0x0000000005CE0000-0x00000000061DE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3052-119-0x00000000057E0000-0x0000000005872000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3940-143-0x00000000086F0000-0x0000000008766000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3940-134-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3940-138-0x0000000008420000-0x000000000843C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/3940-152-0x000000007F590000-0x000000007F591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3940-153-0x0000000009620000-0x0000000009653000-memory.dmp
      Filesize

      204KB

      Download
    • memory/3940-154-0x00000000095E0000-0x00000000095FE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3940-159-0x0000000009950000-0x00000000099F5000-memory.dmp
      Filesize

      660KB

      Download
    • memory/3940-136-0x00000000080D0000-0x0000000008420000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3940-135-0x0000000004BC2000-0x0000000004BC3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3940-133-0x0000000007FA0000-0x0000000008006000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3940-163-0x0000000004BC3000-0x0000000004BC4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3940-164-0x0000000009AB0000-0x0000000009B44000-memory.dmp
      Filesize

      592KB

      Download
    • memory/3940-132-0x0000000007D50000-0x0000000007DB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3940-131-0x0000000007CB0000-0x0000000007CD2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3940-130-0x0000000007610000-0x0000000007C38000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3940-360-0x0000000009A30000-0x0000000009A4A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3940-365-0x0000000009A10000-0x0000000009A18000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3940-139-0x0000000008440000-0x000000000848B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/3940-128-0x0000000006FA0000-0x0000000006FD6000-memory.dmp
      Filesize

      216KB

      Download