Overview

overview

10

Static

static

order.exe

windows7_x64

10

order.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 07:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order.exe

  • Size

    121KB

  • MD5

    ba0a02061fb326c69a925c6ed28a363a

  • SHA1

    e7e668017328b7ceb7bb1f81a5ea048f990d971f

  • SHA256

    aeb2dd004a580971a25e3408e2fc4cc08535bd2a84b0300d763dddace11c6400

  • SHA512

    1000bb2afe9b15632002f64e9c5eab0f2ce66a868df1303d6a4a9fc5bedbd60b13f94faece4fc3faf23fc9e241c893ba1b3c3ebe7f8738bf472e37debe1c7a65

Score
10/10
formbookfs44ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fs44

Decoy

whneat.com

jljcw.net

pocodelivery.com

outofplacezine.com

yavuzcansigorta.com

xinhewood-cn.com

cartogogh.com

5avis.com

joyceyong.art

digitalsurf.community

blackcreekbarns.com

magazinedistribuidor.com

sportsgross.com

drevom.online

mayibeofservice.com

gareloi-digit.com

permitha.net

renaissanceestetica.com

facts-r-friends.com

dach-loc.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Local\Temp\order.exe
      "C:\Users\Admin\AppData\Local\Temp\order.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAwAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:5056
    • C:\Windows\SysWOW64\WWAHost.exe
      "C:\Windows\SysWOW64\WWAHost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:2088

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/776-154-0x0000000001A30000-0x0000000001AC3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/776-153-0x0000000000D40000-0x0000000000D6F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/776-152-0x0000000001BF0000-0x0000000001F3A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/776-151-0x0000000000D40000-0x0000000000D6F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/776-149-0x00000000005F0000-0x00000000006CC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/776-148-0x0000000000000000-mapping.dmp
      Download
    • memory/2088-150-0x0000000000000000-mapping.dmp
      Download
    • memory/2240-147-0x00000000081E0000-0x0000000008362000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2240-156-0x0000000008870000-0x00000000089DB000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2240-155-0x0000000008870000-0x00000000089DB000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2796-136-0x0000000005AD0000-0x0000000005B36000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2796-138-0x0000000007E50000-0x00000000084CA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2796-132-0x0000000000000000-mapping.dmp
      Download
    • memory/2796-133-0x0000000003200000-0x0000000003236000-memory.dmp
      Filesize

      216KB

      Download
    • memory/2796-134-0x0000000005C00000-0x0000000006228000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/2796-135-0x0000000005A30000-0x0000000005A52000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2796-137-0x0000000006810000-0x000000000682E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2796-139-0x0000000006D00000-0x0000000006D1A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3872-130-0x0000000000340000-0x0000000000364000-memory.dmp
      Filesize

      144KB

      Download
    • memory/3872-140-0x0000000005BF0000-0x0000000005C82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3872-131-0x0000000005980000-0x00000000059E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5056-141-0x0000000000000000-mapping.dmp
      Download
    • memory/5056-146-0x00000000015D0000-0x00000000015E4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/5056-145-0x00000000015F0000-0x000000000193A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5056-144-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/5056-142-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download