Overview

overview

10

Static

static

MT103-203674982.exe

windows7_x64

10

MT103-203674982.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-07-2022 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MT103-203674982.exe

  • Size

    247KB

  • MD5

    400ff0ca3ab2676f072aea68870ef70d

  • SHA1

    dfd2f2443fd103089be9ab9f6fe651399b3d19f4

  • SHA256

    7a605579f572e0ca0067f031db05ceec4f0445a09aae0a57bc36b14e5874d734

  • SHA512

    a441c8e2b7aaf60a46a95077d4296888cc0bebc694e0fefb7501bab664d2fe5a81de8ec703b66df61372dfc3a09d8d918ed9ee952dbb558181a88f535b8d329b

Score
10/10
formbookm56uratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m56u

Decoy

tercantiq.com

fortvillechicken.net

spiritsandtheb.com

alliant-inc.biz

yh1902.com

xiaodewenhua.net

cityjobs.xyz

seniorlivingwisconsin.com

piadagrilla.com

truistfinancebank.online

nft-fashionlover.com

hangmandownload.com

chun888.xyz

lemonviral.com

getagrip.network

daniellepinnock.info

chiswickstudios.com

essayservicee.com

bharatpragatifoundation.com

800vn.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\MT103-203674982.exe
      "C:\Users\Admin\AppData\Local\Temp\MT103-203674982.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Users\Admin\AppData\Local\Temp\binn.exe
        "C:\Users\Admin\AppData\Local\Temp\binn.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2396
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\binn.exe"
        3⤵
          PID:4924

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\binn.exe
      Filesize

      185KB

      MD5

      e1f5a85acd28c0ede994855fa013aefa

      SHA1

      186f3d8528f4016285d3d37adb10b368eea6a2c3

      SHA256

      6c9b4c99b8aa445727927fc0a209bede836c9465b3de875cbf34425347cb0cfd

      SHA512

      a4671c682e78a32dd013c71ab53c133564c8c04bfda4ce2c96e3d7385f51c4f27d1ef26ba5e991d6b24ffdb1602f85f114d3be5195ad618b7c91ebd7fe049337

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\binn.exe
      Filesize

      185KB

      MD5

      e1f5a85acd28c0ede994855fa013aefa

      SHA1

      186f3d8528f4016285d3d37adb10b368eea6a2c3

      SHA256

      6c9b4c99b8aa445727927fc0a209bede836c9465b3de875cbf34425347cb0cfd

      SHA512

      a4671c682e78a32dd013c71ab53c133564c8c04bfda4ce2c96e3d7385f51c4f27d1ef26ba5e991d6b24ffdb1602f85f114d3be5195ad618b7c91ebd7fe049337

      Download Submit
    • memory/2308-130-0x0000000000930000-0x0000000000974000-memory.dmp
      Filesize

      272KB

      Download
    • memory/2396-131-0x0000000000000000-mapping.dmp
      Download
    • memory/2396-134-0x0000000000DF0000-0x000000000113A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2396-135-0x0000000000CC0000-0x0000000000CD4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2432-143-0x00000000082E0000-0x0000000008413000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2432-136-0x00000000081F0000-0x00000000082DD000-memory.dmp
      Filesize

      948KB

      Download
    • memory/2432-145-0x00000000082E0000-0x0000000008413000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4924-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4968-140-0x0000000000900000-0x000000000092F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4968-141-0x0000000002810000-0x0000000002B5A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4968-142-0x00000000025B0000-0x0000000002643000-memory.dmp
      Filesize

      588KB

      Download
    • memory/4968-139-0x00000000000E0000-0x00000000000F4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4968-144-0x0000000000900000-0x000000000092F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4968-137-0x0000000000000000-mapping.dmp
      Download