Overview

overview

10

Static

static

MY0025007022.exe

windows7-x64

10

MY0025007022.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 08:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MY0025007022.exe

  • Size

    67KB

  • MD5

    09d635e7fac13ca49037a27ffa10cdbf

  • SHA1

    b12b7a877682838b5b1673ee4783bbf44eba4863

  • SHA256

    b12c23f3cf0937291c634f1505ca5123dc08363dcc0f766ac029b1238cade11d

  • SHA512

    f50052ccd601ef2830e0c1a5df7e4414249e55acc8aeef3a0eb1ca16f8d92da372ae25a94fc6a9deda85a812e01104f9000b429dc70cbcab0bc6fb46aaf12f85

Score
10/10
formbookfs44ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fs44

Decoy

whneat.com

jljcw.net

pocodelivery.com

outofplacezine.com

yavuzcansigorta.com

xinhewood-cn.com

cartogogh.com

5avis.com

joyceyong.art

digitalsurf.community

blackcreekbarns.com

magazinedistribuidor.com

sportsgross.com

drevom.online

mayibeofservice.com

gareloi-digit.com

permitha.net

renaissanceestetica.com

facts-r-friends.com

dach-loc.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\MY0025007022.exe
      "C:\Users\Admin\AppData\Local\Temp\MY0025007022.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAwAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4424
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:4544

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/408-146-0x0000000000000000-mapping.dmp
      Download
    • memory/408-153-0x00000000026E0000-0x0000000002773000-memory.dmp
      Filesize

      588KB

      Download
    • memory/408-152-0x0000000000760000-0x000000000078F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/408-150-0x0000000000760000-0x000000000078F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/408-151-0x0000000002870000-0x0000000002BBA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/408-149-0x0000000000CB0000-0x0000000000CC2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/980-131-0x00000000064E0000-0x0000000006502000-memory.dmp
      Filesize

      136KB

      Download
    • memory/980-130-0x0000000000E20000-0x0000000000E36000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1956-136-0x00000000062F0000-0x0000000006356000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1956-135-0x0000000006280000-0x00000000062E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1956-132-0x0000000000000000-mapping.dmp
      Download
    • memory/1956-139-0x0000000006E30000-0x0000000006E4A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1956-138-0x00000000081D0000-0x000000000884A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1956-133-0x0000000003370000-0x00000000033A6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1956-134-0x0000000005AE0000-0x0000000006108000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1956-137-0x0000000006950000-0x000000000696E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3068-155-0x0000000002910000-0x0000000002A43000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3068-154-0x0000000002910000-0x0000000002A43000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3068-145-0x00000000079B0000-0x0000000007B5B000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/4424-144-0x0000000000CB0000-0x0000000000CC4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4424-147-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4424-143-0x00000000011C0000-0x000000000150A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4424-141-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4424-140-0x0000000000000000-mapping.dmp
      Download
    • memory/4544-148-0x0000000000000000-mapping.dmp
      Download