Overview

overview

10

Static

static

Attached T...5).exe

windows7-x64

10

Attached T...5).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2022 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Attached TT Payment Copy(USD 198,550.05).exe

  • Size

    765KB

  • MD5

    38aaaf950849630a2a3282b203532d79

  • SHA1

    6448bd7ab4c04294020479963e53f0fbbe4ecc28

  • SHA256

    a6e702e43965539bad67320474a1abe16545481c599c2200acabe41ec2ce4eb7

  • SHA512

    9de881c36367c42c639dc659c2f1565ee264909dd6823e26a97b05acc4c0ed3a30a6ed0d4d58c556d76fa6a2c1e8e29d731a43143df9c5b775f16b7222b4c0f3

Score
10/10
formbookd27eratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d27e

Decoy

lilysbusride.com

cloud-sechs.com

danpro.co.uk

wendoortech.com

playgroundrebellion.com

betventures.xyz

digimediasolution.net

abrahambetrayedus.com

whinefree.com

realeurolicence.com

makelovetrip.com

damediaagency.com

pinaralsan.com

5bobitw.com

shootingkarelia.online

website-staging.pro

manassadhvi.online

bathroomandkitcenking.com

realtormarket.net

dfysupport.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\AppData\Local\Temp\Attached TT Payment Copy(USD 198,550.05).exe
      "C:\Users\Admin\AppData\Local\Temp\Attached TT Payment Copy(USD 198,550.05).exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TQHqtqjt.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:680
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TQHqtqjt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3892
      • C:\Users\Admin\AppData\Local\Temp\Attached TT Payment Copy(USD 198,550.05).exe
        "C:\Users\Admin\AppData\Local\Temp\Attached TT Payment Copy(USD 198,550.05).exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:420
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Attached TT Payment Copy(USD 198,550.05).exe"
        3⤵
          PID:1680

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp
      Filesize

      1KB

      MD5

      5b3cd02ed05922317f6ef1d84fca7a6a

      SHA1

      b6c64c4b283e05e40f78162867ff7bc7b50a5e4d

      SHA256

      e7d3edc5d0862287b33ce6f1bfe988b97f0b83ba290f551b4f13f607987e9999

      SHA512

      024380f6e6f6c2443feb0c7d57441ba933897ecf42562be700caad1afdc0bf68e7556b763c9698d26d2d4fc2204b7042ebece5d6854d3a00cc8dd80d2e5d598a

      Download Submit
    • memory/420-160-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/420-156-0x0000000003470000-0x0000000003485000-memory.dmp
      Filesize

      84KB

      Download
    • memory/420-153-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/420-147-0x00000000012B0000-0x00000000012C5000-memory.dmp
      Filesize

      84KB

      Download
    • memory/420-145-0x0000000001760000-0x0000000001AAA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/420-141-0x0000000000000000-mapping.dmp
      Download
    • memory/420-142-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/680-151-0x00000000711A0000-0x00000000711EC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/680-138-0x0000000004C60000-0x0000000004C96000-memory.dmp
      Filesize

      216KB

      Download
    • memory/680-140-0x0000000005370000-0x0000000005998000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/680-172-0x0000000007870000-0x0000000007878000-memory.dmp
      Filesize

      32KB

      Download
    • memory/680-136-0x0000000000000000-mapping.dmp
      Download
    • memory/680-143-0x0000000005170000-0x0000000005192000-memory.dmp
      Filesize

      136KB

      Download
    • memory/680-144-0x0000000005A10000-0x0000000005A76000-memory.dmp
      Filesize

      408KB

      Download
    • memory/680-171-0x0000000007890000-0x00000000078AA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/680-170-0x0000000007790000-0x000000000779E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/680-158-0x0000000006200000-0x000000000620A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/680-149-0x00000000061C0000-0x00000000061DE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/680-150-0x0000000006800000-0x0000000006832000-memory.dmp
      Filesize

      200KB

      Download
    • memory/680-163-0x00000000077D0000-0x0000000007866000-memory.dmp
      Filesize

      600KB

      Download
    • memory/680-152-0x00000000067E0000-0x00000000067FE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/680-155-0x0000000007540000-0x000000000755A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/680-154-0x0000000007B90000-0x000000000820A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1680-164-0x0000000000000000-mapping.dmp
      Download
    • memory/2120-148-0x0000000008A50000-0x0000000008B70000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2120-173-0x0000000003320000-0x000000000340D000-memory.dmp
      Filesize

      948KB

      Download
    • memory/2120-157-0x0000000008B70000-0x0000000008C83000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2120-165-0x0000000008A50000-0x0000000008B70000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2120-168-0x0000000003320000-0x000000000340D000-memory.dmp
      Filesize

      948KB

      Download
    • memory/3840-134-0x000000000AE10000-0x000000000AEAC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3840-132-0x0000000004F10000-0x0000000004FA2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3840-131-0x00000000054C0000-0x0000000005A64000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3840-133-0x0000000004EC0000-0x0000000004ECA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3840-130-0x0000000000470000-0x0000000000536000-memory.dmp
      Filesize

      792KB

      Download
    • memory/3840-135-0x000000000AEB0000-0x000000000AF16000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3892-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4632-161-0x00000000007E0000-0x000000000083A000-memory.dmp
      Filesize

      360KB

      Download
    • memory/4632-169-0x0000000000990000-0x00000000009BF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4632-167-0x00000000013B0000-0x0000000001444000-memory.dmp
      Filesize

      592KB

      Download
    • memory/4632-166-0x0000000001560000-0x00000000018AA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4632-162-0x0000000000990000-0x00000000009BF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4632-159-0x0000000000000000-mapping.dmp
      Download