Overview

overview

10

Static

static

brazil order.scr

windows7-x64

10

brazil order.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    15-08-2022 07:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    brazil order.scr

  • Size

    682KB

  • MD5

    17a3d3bb480da7510a2db13bd7867210

  • SHA1

    b77be761282bf96b9ff19420d8709d7bed43c9fd

  • SHA256

    e8c2f0fc24e8cc88308a76edbd992b6be7e6036f728a22c5e8fffc1cc199a7c2

  • SHA512

    f703a7fafce6813c797f2cead9d0e82cb25e748cea27dc57b4b684d20eb29c79eceaa5a7e79740c16ff090e1d00326e63bfaa92b7444b406a615365e95afc7fb

Score
10/10
formbookp94aratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p94a

Decoy

wishgrove.com

parqueveiculos.com

spiderwebs.online

chulkanadham.com

cdtuan.net

zxazm.com

payment6528832.xyz

fengtaiol.com

bffsmovie.com

aliceseagerfitness.com

garisluruskonsulindo.website

analytical-gutter.net

ahcq8.com

fenyoga.com

ecleptic.cat

conjurecrafts.com

aquaway.date

apenpokkenschoonmaakbedrijf.com

zgramr.top

boweknives.site

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\brazil order.scr
      "C:\Users\Admin\AppData\Local\Temp\brazil order.scr" /S
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Users\Admin\AppData\Local\Temp\brazil order.scr
        "C:\Users\Admin\AppData\Local\Temp\brazil order.scr"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:1192
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:1756
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:1732
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:1772
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:520
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:540
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:1244
                  • C:\Windows\SysWOW64\autofmt.exe
                    "C:\Windows\SysWOW64\autofmt.exe"
                    2⤵
                      PID:1892
                    • C:\Windows\SysWOW64\autofmt.exe
                      "C:\Windows\SysWOW64\autofmt.exe"
                      2⤵
                        PID:1776
                      • C:\Windows\SysWOW64\autofmt.exe
                        "C:\Windows\SysWOW64\autofmt.exe"
                        2⤵
                          PID:1708
                        • C:\Windows\SysWOW64\autofmt.exe
                          "C:\Windows\SysWOW64\autofmt.exe"
                          2⤵
                            PID:684
                          • C:\Windows\SysWOW64\autofmt.exe
                            "C:\Windows\SysWOW64\autofmt.exe"
                            2⤵
                              PID:280
                            • C:\Windows\SysWOW64\help.exe
                              "C:\Windows\SysWOW64\help.exe"
                              2⤵
                              • Suspicious use of SetThreadContext
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: MapViewOfSection
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1500
                              • C:\Windows\SysWOW64\cmd.exe
                                /c del "C:\Users\Admin\AppData\Local\Temp\brazil order.scr"
                                3⤵
                                • Deletes itself
                                PID:1528

                          Network

                          MITRE ATT&CK Matrix

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/1376-69-0x0000000006B00000-0x0000000006C77000-memory.dmp
                            Filesize

                            1.5MB

                            Download
                          • memory/1376-78-0x00000000063D0000-0x00000000064CC000-memory.dmp
                            Filesize

                            1008KB

                            Download
                          • memory/1376-76-0x00000000063D0000-0x00000000064CC000-memory.dmp
                            Filesize

                            1008KB

                            Download
                          • memory/1500-77-0x00000000000A0000-0x00000000000CF000-memory.dmp
                            Filesize

                            188KB

                            Download
                          • memory/1500-75-0x0000000000670000-0x0000000000703000-memory.dmp
                            Filesize

                            588KB

                            Download
                          • memory/1500-74-0x0000000000860000-0x0000000000B63000-memory.dmp
                            Filesize

                            3.0MB

                            Download
                          • memory/1500-73-0x00000000000A0000-0x00000000000CF000-memory.dmp
                            Filesize

                            188KB

                            Download
                          • memory/1500-72-0x0000000000090000-0x0000000000096000-memory.dmp
                            Filesize

                            24KB

                            Download
                          • memory/1500-70-0x0000000000000000-mapping.dmp
                            Download
                          • memory/1528-71-0x0000000000000000-mapping.dmp
                            Download
                          • memory/1964-59-0x00000000042A0000-0x00000000042D4000-memory.dmp
                            Filesize

                            208KB

                            Download
                          • memory/1964-54-0x0000000000230000-0x00000000002E2000-memory.dmp
                            Filesize

                            712KB

                            Download
                          • memory/1964-58-0x0000000004DA0000-0x0000000004E1A000-memory.dmp
                            Filesize

                            488KB

                            Download
                          • memory/1964-57-0x0000000000310000-0x000000000031C000-memory.dmp
                            Filesize

                            48KB

                            Download
                          • memory/1964-56-0x0000000000360000-0x0000000000378000-memory.dmp
                            Filesize

                            96KB

                            Download
                          • memory/1964-55-0x00000000759E1000-0x00000000759E3000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2044-67-0x0000000000A80000-0x0000000000D83000-memory.dmp
                            Filesize

                            3.0MB

                            Download
                          • memory/2044-68-0x00000000000D0000-0x00000000000E4000-memory.dmp
                            Filesize

                            80KB

                            Download
                          • memory/2044-66-0x0000000000400000-0x000000000042F000-memory.dmp
                            Filesize

                            188KB

                            Download
                          • memory/2044-64-0x000000000041F0F0-mapping.dmp
                            Download
                          • memory/2044-63-0x0000000000400000-0x000000000042F000-memory.dmp
                            Filesize

                            188KB

                            Download
                          • memory/2044-61-0x0000000000400000-0x000000000042F000-memory.dmp
                            Filesize

                            188KB

                            Download
                          • memory/2044-60-0x0000000000400000-0x000000000042F000-memory.dmp
                            Filesize

                            188KB

                            Download