Overview

overview

10

Static

static

Ordem de c...df.exe

windows7_x64

10

Ordem de c...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    29-06-2022 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ordem de compra para julho.pdf.exe

  • Size

    687KB

  • MD5

    01ac3fb5a4476de95369f325ea906ea5

  • SHA1

    e291db506ea6b82f60b1b5e035f764595d6b7f3c

  • SHA256

    b6426721805cf7ba17f04f3ab2540c182758682a0b6397ee277f4f3aa3709bd1

  • SHA512

    548686caf1858bb22aaebee04c0ee0a8fef3d4f4577a6700dbbfe213d34654e621be09927bbddff418c61c33c9380c8a6f92ffe3ae202ab53c149d5f80dd40ca

Score
10/10
formbookde08ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

de08

Decoy

retirecloudyyard.com

fabiyan.xyz

chrisarlyde.com

selapex.com

vivalosgales.com

specialty-medicine.com

contasesolucoes.com

satunusanews.net

allyibc.com

alameda1876.com

artofdala.com

yukoidusp.xyz

steeldrumbandnearme.com

stonewedgetechnology.com

kentonai.com

macquarie-private.com

ddgwy.com

megagreenhousekits.com

descomplicaomarketing.com

inclusiverealtor.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 5 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\Ordem de compra para julho.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Ordem de compra para julho.pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JXVNljtiVHwGbZ.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXVNljtiVHwGbZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp711B.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1236
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:588
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:600
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1488

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp711B.tmp
      Filesize

      1KB

      MD5

      aa274cc321ca553f6958976385e9f0a7

      SHA1

      e9d9401324053a2ba97806e5db5c23b52661653d

      SHA256

      d01f18622754c7145d0db31695a018217187c59b463da80b5c36bdb687ad1b33

      SHA512

      6af92d7b06f9a3637b736b33357d02b25a12c16b3533c8ec95fb8edd386fc1e74086eea5a4f6ae050a11eb49cf8430431be686e89168f9962da0c60fedb6f1cc

      Download Submit
    • memory/588-64-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/588-73-0x0000000000160000-0x0000000000174000-memory.dmp
      Filesize

      80KB

      Download
    • memory/588-70-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/588-72-0x0000000000A20000-0x0000000000D23000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/588-68-0x000000000041F120-mapping.dmp
      Download
    • memory/588-67-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/588-65-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/600-80-0x0000000002080000-0x0000000002383000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/600-76-0x0000000000000000-mapping.dmp
      Download
    • memory/600-78-0x00000000006D0000-0x00000000006D7000-memory.dmp
      Filesize

      28KB

      Download
    • memory/600-79-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/600-81-0x0000000001DB0000-0x0000000001E43000-memory.dmp
      Filesize

      588KB

      Download
    • memory/600-82-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1220-74-0x0000000004B20000-0x0000000004CBB000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1236-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1416-63-0x0000000004C50000-0x0000000004C84000-memory.dmp
      Filesize

      208KB

      Download
    • memory/1416-54-0x0000000001030000-0x00000000010E2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1416-58-0x0000000005070000-0x00000000050DC000-memory.dmp
      Filesize

      432KB

      Download
    • memory/1416-57-0x0000000000420000-0x000000000042A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1416-56-0x0000000000410000-0x0000000000426000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1416-55-0x00000000764C1000-0x00000000764C3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1488-77-0x0000000000000000-mapping.dmp
      Download
    • memory/1732-71-0x000000006EB10000-0x000000006F0BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1732-75-0x000000006EB10000-0x000000006F0BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1732-59-0x0000000000000000-mapping.dmp
      Download