Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2022 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    24KB

  • MD5

    1706365b5058cbaa560b23dc297f9585

  • SHA1

    9933c13c7db40fb5ddce9013c42496e66d7a1b5e

  • SHA256

    bf081d3cd1264716c4522f06c6e0294eaa9834c8a06f11d501780d065d7c0135

  • SHA512

    09821d8f4a2eb557d581d107e7e99cdec7738cb2227ebace1d7e9b350496117300cf47a640fc30796b1a80c59ff73f2a6adaa969ab28ede069458fdd877da665

Score
10/10
formbooks4s9ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s4s9

Decoy

qianyuandianshang.com

bernardklein.com

slhomeservices.com

findasaas.com

janellelancaster.xyz

umkpro.site

nr6949.online

mersquare.club

lanariproperties.com

3rdeyefocused.com

giftexpress8260.xyz

hilleleven.xyz

beajod.com

kosazs.online

ishare.team

mb314.com

xjjinxingda.com

ayekooprojectamazing.com

ballsybanter.com

todayshoppingbd.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA=
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1440
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1888
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:848
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
            PID:732

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/308-55-0x0000000075C51000-0x0000000075C53000-memory.dmp
        Filesize

        8KB

        Download
      • memory/308-56-0x0000000005710000-0x0000000005788000-memory.dmp
        Filesize

        480KB

        Download
      • memory/308-57-0x00000000058D0000-0x0000000005962000-memory.dmp
        Filesize

        584KB

        Download
      • memory/308-54-0x0000000000B40000-0x0000000000B4C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/732-73-0x0000000000000000-mapping.dmp
        Download
      • memory/1260-70-0x0000000006A80000-0x0000000006C19000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1260-80-0x0000000006C20000-0x0000000006D8F000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1260-78-0x0000000006C20000-0x0000000006D8F000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1440-58-0x0000000000000000-mapping.dmp
        Download
      • memory/1440-60-0x000000006F640000-0x000000006FBEB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1440-61-0x000000006F640000-0x000000006FBEB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1532-75-0x0000000002070000-0x0000000002373000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1532-71-0x0000000000000000-mapping.dmp
        Download
      • memory/1532-74-0x0000000000C40000-0x0000000000C66000-memory.dmp
        Filesize

        152KB

        Download
      • memory/1532-76-0x0000000000070000-0x000000000009F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1532-77-0x00000000008F0000-0x0000000000983000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1532-79-0x0000000000070000-0x000000000009F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1888-69-0x0000000000320000-0x0000000000334000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1888-67-0x0000000000820000-0x0000000000B23000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1888-72-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1888-65-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1888-66-0x000000000041F0E0-mapping.dmp
        Download
      • memory/1888-63-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1888-62-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download