Overview

overview

10

Static

static

bb57e60238...6e.exe

windows7_x64

10

bb57e60238...6e.exe

windows10-2004_x64

10

Resubmissions

07-07-2022 08:45

220707-knxb3sbeg8 10

06-07-2022 05:07

220706-fr3k2sbad8 10

Analysis

  • max time kernel
    284s
  • max time network
    293s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe

  • Size

    623KB

  • MD5

    d796106a6798936495f83e5eeb341c90

  • SHA1

    671a5437ce4fe56510909a852916a19eaf983dc6

  • SHA256

    bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e

  • SHA512

    9cbb995f2d32fef68348d0037ea8b6fac98ba86905b96658bf527961ae04f63ce65a23efcb4dee6e6fe8b3f1e5cf77e40221fd92dff925e0a60c2563eac2a7f7

Score
10/10
formbookjr04ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr04

Decoy

usatotribu.com

jak-omi.xyz

spacemozaic.pro

fordheritagevauly.com

vinted.beauty

gowebinar4u.com

infinixmediapty.com

dingquanjr.com

vahidblog.com

kgav99q.icu

healtyneck.com

assg3cd.icu

airconditionerworld.site

opinkmflotp.site

mineclicker.net

davidsonfessettlement.com

secured-verification.com

kgwjqaj.icu

subtmv.xyz

auntysocialvintage.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
    "C:\Users\Admin\AppData\Local\Temp\bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ruQKqeQx.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:644
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ruQKqeQx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99DE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:976
    • C:\Users\Admin\AppData\Local\Temp\bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
      "C:\Users\Admin\AppData\Local\Temp\bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:764
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Modifies registry class
    PID:2416
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4956
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4596

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp99DE.tmp
      Filesize

      1KB

      MD5

      acd8c2a84d5bac92c0d6c1ecbcfd4735

      SHA1

      f0e42e15ff794d78de96aea8b0862ace161fe84b

      SHA256

      8008f29d2cc73da5df850dc591becee68a45bc1738c117ac7e5a46ba5cd2445c

      SHA512

      481773d97a5e617d0a0dc5cfbffd1fe576591ed41d28ce177bccd8a1650cbbe3ff6cbf46ecf326f3fdee3245f527dd1ed2f8f3e1b09a385d99b05de460a933de

      Download Submit
    • memory/644-148-0x0000000071D20000-0x0000000071D6C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/644-150-0x0000000007F70000-0x00000000085EA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/644-144-0x0000000005F80000-0x0000000005FE6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/644-143-0x0000000005750000-0x0000000005772000-memory.dmp
      Filesize

      136KB

      Download
    • memory/644-155-0x0000000007C70000-0x0000000007C8A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/644-136-0x0000000000000000-mapping.dmp
      Download
    • memory/644-154-0x0000000007B60000-0x0000000007B6E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/644-138-0x0000000005080000-0x00000000050B6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/644-153-0x0000000007BB0000-0x0000000007C46000-memory.dmp
      Filesize

      600KB

      Download
    • memory/644-140-0x00000000057E0000-0x0000000005E08000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/644-152-0x00000000079A0000-0x00000000079AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/644-151-0x0000000007930000-0x000000000794A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/644-156-0x0000000007C50000-0x0000000007C58000-memory.dmp
      Filesize

      32KB

      Download
    • memory/644-149-0x0000000006BD0000-0x0000000006BEE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/644-147-0x00000000075D0000-0x0000000007602000-memory.dmp
      Filesize

      200KB

      Download
    • memory/644-146-0x0000000006630000-0x000000000664E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/764-142-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/764-141-0x0000000000000000-mapping.dmp
      Download
    • memory/764-145-0x00000000014B0000-0x00000000017FA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/976-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4764-134-0x0000000009750000-0x00000000097EC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4764-130-0x0000000000DD0000-0x0000000000E72000-memory.dmp
      Filesize

      648KB

      Download
    • memory/4764-133-0x0000000005830000-0x000000000583A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4764-132-0x0000000005860000-0x00000000058F2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4764-131-0x0000000005E10000-0x00000000063B4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4764-135-0x00000000098A0000-0x0000000009906000-memory.dmp
      Filesize

      408KB

      Download