Overview

overview

10

Static

static

Purchase o...td.exe

windows7_x64

10

Purchase o...td.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 10:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase order PO045793 from Voile Trading Co.,Ltd.exe

  • Size

    320KB

  • MD5

    b02fb2439cd88a5e399683f14d6d80ff

  • SHA1

    7098d5175626c3bef989a7d0e0344158a752ebc4

  • SHA256

    c6bed06259f7c50c2b15e8161d5b1fa11690e69a7e5bb3261202debfb7d96708

  • SHA512

    aff2394e671e8f8b33d7bf5a4444590fb53c74a2f6bc29faf3627a467652f0d2d7f1bd22c420bd46621638ff2849c30be265b71ecce89b14f83a4d68b6cf78ba

Score
10/10
formbookmw9ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mw9

Decoy

buyaii.com

zqdhrh.com

essentialsrefined.com

carbo-notifer.biz

cpahitr.com

westerntreasureseo.com

prowrestlingevent.com

hawthornbanksaves.com

vinhomes2.info

atriumindonesia.com

crunchinessretonation.com

masstorthedgefund.com

stroy-staleks.com

chinamarbleandtile.com

tv16878.info

hasegawa-takuma.com

cuxiaomao.com

umhhih.info

ieml.education

mwvllc.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Users\Admin\AppData\Local\Temp\Purchase order PO045793 from Voile Trading Co.,Ltd.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase order PO045793 from Voile Trading Co.,Ltd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:2272
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:1316
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:1404
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:1424
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:4692
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:4664
              • C:\Windows\SysWOW64\chkdsk.exe
                "C:\Windows\SysWOW64\chkdsk.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4924
                • C:\Windows\SysWOW64\cmd.exe
                  /c del "C:\Users\Admin\AppData\Local\Temp\Purchase order PO045793 from Voile Trading Co.,Ltd.exe"
                  3⤵
                    PID:2560

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/2272-131-0x0000000004670000-0x0000000004770000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/2272-133-0x0000000004AD0000-0x0000000004E1A000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/2272-134-0x0000000002F30000-0x0000000002F44000-memory.dmp
                Filesize

                80KB

                Download
              • memory/2560-137-0x0000000000000000-mapping.dmp
                Download
              • memory/3144-135-0x0000000002680000-0x000000000278A000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/3144-142-0x0000000002790000-0x0000000002827000-memory.dmp
                Filesize

                604KB

                Download
              • memory/4924-136-0x0000000000000000-mapping.dmp
                Download
              • memory/4924-138-0x00000000002C0000-0x00000000002CA000-memory.dmp
                Filesize

                40KB

                Download
              • memory/4924-140-0x0000000001080000-0x00000000013CA000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/4924-139-0x00000000008A0000-0x00000000008CD000-memory.dmp
                Filesize

                180KB

                Download
              • memory/4924-141-0x0000000000E20000-0x0000000000EB3000-memory.dmp
                Filesize

                588KB

                Download