Overview

overview

10

Static

static

44a8227ccd...18.exe

windows7_x64

10

44a8227ccd...18.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    185s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44a8227ccd3bd1fb5285b84d99282b199594457c73bdab74c4cbeb331e671618.exe

  • Size

    414KB

  • MD5

    f3becd80be8779dfeb8ca5791f7ffb86

  • SHA1

    91f03335ff735cef93edafc6748d354d08eabe87

  • SHA256

    44a8227ccd3bd1fb5285b84d99282b199594457c73bdab74c4cbeb331e671618

  • SHA512

    f508be9b45170e7669c69ab6ec4849ddb318ee8d9a0d3ffc906197747de67b94d4c32b8aecb383fee6ce49d7e364a07743c8e3a7ed6e91132219633d65661abb

Score
10/10
formbookkvszratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

hdlivesonlinetv24.com

illaheehillsseniorliving.com

wihong.com

christopher-cost.com

huayvipee.com

csdroped.xyz

relationsvivantes.com

xmcombohome.com

qingc2.com

sunsetcinemamusic.com

anotherheadache.com

connectlcv.com

unitermi.com

cugetarileunuisarman.com

agakegois.com

burnercouture.com

ambassador-holidays.com

schnarr-design.com

2013lang.com

httattoos.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Users\Admin\AppData\Local\Temp\44a8227ccd3bd1fb5285b84d99282b199594457c73bdab74c4cbeb331e671618.exe
      "C:\Users\Admin\AppData\Local\Temp\44a8227ccd3bd1fb5285b84d99282b199594457c73bdab74c4cbeb331e671618.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HTufYRAKxBK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC56.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:636
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:4824
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:1124
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1120
        • C:\Windows\SysWOW64\cmmon32.exe
          "C:\Windows\SysWOW64\cmmon32.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            3⤵
              PID:3836

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpDC56.tmp
          Filesize

          1KB

          MD5

          743111505624ef151253e5ca4720ae85

          SHA1

          431966eef50c42946d75e1af0bce92144a90a5e6

          SHA256

          68b756267e27774c6bcf00d2817d111d2f2410aa5efce335ab593f1100bfb8ff

          SHA512

          0c9e6a7198ff33220bb704db6a13bf8fc8a155ef3bf794162ce10f2684417a6ec9c4c57ca74d85a5c09bd375b0d3b437938c106dbf5b258361f6e0200ea4d34f

          Download Submit
        • memory/636-136-0x0000000000000000-mapping.dmp
          Download
        • memory/1120-144-0x00000000015E0000-0x00000000015F4000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1120-143-0x00000000017B0000-0x0000000001AFA000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/1120-141-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/1120-140-0x0000000000000000-mapping.dmp
          Download
        • memory/1124-139-0x0000000000000000-mapping.dmp
          Download
        • memory/2968-146-0x0000000000000000-mapping.dmp
          Download
        • memory/2968-147-0x0000000000470000-0x000000000047C000-memory.dmp
          Filesize

          48KB

          Download
        • memory/2968-151-0x00000000023B0000-0x0000000002443000-memory.dmp
          Filesize

          588KB

          Download
        • memory/2968-149-0x0000000002680000-0x00000000029CA000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2968-148-0x0000000000380000-0x00000000003AE000-memory.dmp
          Filesize

          184KB

          Download
        • memory/3208-145-0x0000000008AA0000-0x0000000008C22000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/3208-152-0x0000000008C30000-0x0000000008DA3000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3836-150-0x0000000000000000-mapping.dmp
          Download
        • memory/4064-131-0x0000000006FF0000-0x000000000708C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/4064-130-0x0000000000150000-0x00000000001BE000-memory.dmp
          Filesize

          440KB

          Download
        • memory/4064-132-0x0000000007640000-0x0000000007BE4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/4064-133-0x0000000007130000-0x00000000071C2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/4064-134-0x00000000070D0000-0x00000000070DA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/4064-135-0x0000000007340000-0x0000000007396000-memory.dmp
          Filesize

          344KB

          Download
        • memory/4824-138-0x0000000000000000-mapping.dmp
          Download