Overview

overview

10

Static

static

order spec...ns.exe

windows7_x64

10

order spec...ns.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order specifications.exe

  • Size

    657KB

  • MD5

    2c2b342897c2693632051bde77ef39a8

  • SHA1

    f19572d227a440b36d202343b9a6ab20ada5f2b3

  • SHA256

    2ca55ed1af922548fc6abdb7b49386a6d62edd7b6d5609d45f1c369de4fa9269

  • SHA512

    e80f335bef303ebe49279e8035b14d71aaa5c6a79d0b058df5ed22ec5f9d02fe1e59cc0ddd56b1a2e89119b540a61bfcb18dcfef2c47c051a8cbc9d08319a127

Score
10/10
formbookkvszratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

okashyns.com

sbsgamedaejeon-two.com

drb77.com

top5dating.com

websprings.online

voizers.com

zenith.site

lahistoriade.com

qv85.com

armandonieto.com

priestvedic.com

jessandjeff.net

magic-desktop.com

jitaji.com

ldmeili.com

yuwanqingmy.com

buzhouorg.com

chaiseloungereviews.com

m2g8way.com

freespin-support.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\order specifications.exe
      "C:\Users\Admin\AppData\Local\Temp\order specifications.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OElfQVLpgn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp95DA.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2044
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1164
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:976

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp95DA.tmp
      Filesize

      1KB

      MD5

      a082484f8ecbe1ba0848e56094f7265a

      SHA1

      d1e8c079a4f996b0816c247cc499b04c6c432b3c

      SHA256

      46736a56d0f17cb5e22458ff6e9195ada9983d7f8444b9c8d9fb3fbafcee90d2

      SHA512

      43fb52b904ad8d62bcd33b6541a44193ab36c6837bd3dead79cd78be750b0bad405e351c5f7456335c4c35cad910452e19b37a3e1cf78cd056ed48d31b2a5622

      Download Submit
    • memory/976-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1164-65-0x000000000041ECA0-mapping.dmp
      Download
    • memory/1164-67-0x00000000008A0000-0x0000000000BA3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1164-68-0x0000000000260000-0x0000000000274000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1164-64-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1164-62-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1164-61-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1260-76-0x0000000004B50000-0x0000000004C67000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1260-69-0x0000000004190000-0x0000000004292000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1704-55-0x0000000075781000-0x0000000075783000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1704-54-0x0000000000BF0000-0x0000000000C9A000-memory.dmp
      Filesize

      680KB

      Download
    • memory/1704-57-0x00000000047A0000-0x0000000004810000-memory.dmp
      Filesize

      448KB

      Download
    • memory/1704-58-0x00000000020A0000-0x00000000020E4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1704-56-0x0000000000370000-0x0000000000380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1916-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1916-72-0x0000000000720000-0x0000000000728000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1916-73-0x0000000000080000-0x00000000000AE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1916-74-0x0000000000730000-0x0000000000A33000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1916-75-0x00000000004B0000-0x0000000000543000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2044-59-0x0000000000000000-mapping.dmp
      Download