Overview

overview

10

Static

static

new.exe

windows7_x64

10

new.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 18:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    new.exe

  • Size

    268KB

  • MD5

    a88e4bd1e3507132fcdd28f38a6751f7

  • SHA1

    26e3eed8ee5b0e18cc401ed88b73b287c8ad8de7

  • SHA256

    7527530d28c88ea0850926a24ba050a4a77983fb8271309c749ba43e7b10c695

  • SHA512

    657b6c77d0d72945293978df4dc4bae3fb722978be866ddfe0ceb3fa6c604ed9c27ef516a77f159cc98dd577fb4a042fcf8c9406912f7985a8d5e8b3587682ae

Score
10/10
formbookuw7ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

uw7

Decoy

casa-miquela.com

phongcach8.com

tvdefrance.net

vipeorfresh.com

litsp.net

9dj2-ycg.biz

3157allen.com

newidea.site

merchandiserod.com

blueictbd.com

151manbetx.com

roehallwedding.com

huaruiju.com

sparkjoywithshannon.com

massif.biz

ochrebridge.com

r6t9.com

fuuvomoogmusic.net

perfectpawsdoggyboutique.com

nst-nri.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\new.exe
      "C:\Users\Admin\AppData\Local\Temp\new.exe"
      2⤵
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\new.exe"
          4⤵
          • Deletes itself
          PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1056-62-0x0000000000BB0000-0x0000000000BC4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1056-55-0x00000000003B0000-0x00000000003E4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/1056-56-0x0000000000590000-0x00000000005BA000-memory.dmp
    Filesize

    168KB

    Download
  • memory/1056-57-0x0000000000590000-0x00000000005BA000-memory.dmp
    Filesize

    168KB

    Download
  • memory/1056-58-0x00000000054B0000-0x00000000057B3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1056-59-0x0000000000AC0000-0x0000000000AD4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1056-54-0x0000000000CD0000-0x0000000000D18000-memory.dmp
    Filesize

    288KB

    Download
  • memory/1220-63-0x0000000004B20000-0x0000000004C5A000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1220-60-0x00000000040A0000-0x0000000004156000-memory.dmp
    Filesize

    728KB

    Download
  • memory/1220-70-0x0000000004C60000-0x0000000004D47000-memory.dmp
    Filesize

    924KB

    Download
  • memory/1236-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1236-65-0x0000000000430000-0x0000000000456000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1236-66-0x0000000000070000-0x000000000009A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/1236-68-0x0000000002070000-0x0000000002373000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1236-69-0x0000000001E20000-0x0000000001EB3000-memory.dmp
    Filesize

    588KB

    Download
  • memory/2040-67-0x0000000000000000-mapping.dmp
    Download