Overview

overview

10

Static

static

order SEC.exe

windows7_x64

10

order SEC.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order SEC.exe

  • Size

    303KB

  • MD5

    d0b89f322dfa77b6a13aabf7f7984f87

  • SHA1

    81d40efb20f6dbfdb8e14a87c57d26b5dc9217d9

  • SHA256

    228e2e5ff30fec5cdde918f48e98664d9bf1f77f550666baa21208ca9b047af4

  • SHA512

    ee98f698267f78abe777276a6853f17499098f9de546ee87ccd4eafd1bc361a0340625a0a9defb11380396297f5fb3200fba14822571618574e127403a88930e

Score
10/10
formbookg8uratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

g8u

Decoy

stuition.com

mj-sculpture.com

cannatainmentevents.com

dianjintang.com

rmlusitania.info

effet-spiruline.com

flatheme.com

supergaminator-vip.com

craftyourmagic.com

lakai.ltd

electionshawaii.com

iqpdct.com

thebestfourstarhotels.com

satoshiceo.com

saintmartiner.com

brothersmarinetoronto.com

citicoin.online

scentsationalsniffers.com

hellonighbourgameees.com

displayonline-france.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\order SEC.exe
      "C:\Users\Admin\AppData\Local\Temp\order SEC.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:552
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\order SEC.exe"
        3⤵
        • Deletes itself
        PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/552-54-0x0000000001310000-0x0000000001360000-memory.dmp
    Filesize

    320KB

    Download
  • memory/552-55-0x0000000001310000-0x0000000001360000-memory.dmp
    Filesize

    320KB

    Download
  • memory/552-56-0x0000000000DA0000-0x00000000010A3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/552-57-0x00000000001B0000-0x00000000001C4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/908-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1252-58-0x0000000005F90000-0x00000000060B3000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1252-65-0x00000000061E0000-0x000000000635D000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1760-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1760-61-0x0000000000430000-0x0000000000437000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1760-62-0x00000000000C0000-0x00000000000ED000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1760-63-0x0000000001FF0000-0x00000000022F3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1760-64-0x0000000001E00000-0x0000000001E93000-memory.dmp
    Filesize

    588KB

    Download