Overview

overview

10

Static

static

Delay noti...cr.exe

windows7-x64

10

Delay noti...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-09-2022 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe

  • Size

    1.0MB

  • MD5

    c8bd2fd6e2e7fc24eada83b44336f570

  • SHA1

    d5ed0e54b839a3fcea2a912461f71aa3069eefde

  • SHA256

    e4e4b8f8990f7ff711e1a238445dedaf74f4d01a10afa0c774705ff4412cbc10

  • SHA512

    dc893cfbdd76f6dd9743f0948903839e6b95a01b2da66ccb9f3493a4324bc6ffe9ecdad31d4949d5e16dc81fcc842a6c5587a4f193e81619e55dae4f6dfdf5d7

  • SSDEEP

    24576:I1S9JZiaRy0nJoOT5g7QD147cdgvuSp4O1BfX+FJ2SIv:IIvKkzTq61GcmxpnQJ2S

Score
10/10
formbookruwnratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

ruwn

Decoy

MvG74HO0R0fdGfJ1BiyHgNcexfpDQlwZCA==

Dat+rkV462igk2LufHo/NSE=

3LZ+y3jZXQ==

lllq2KJ2gwVcW/QxzS+QJlYg/g==

IPYDRekc+4ny6A==

Hr2SxM0quEmQk0bKaqw9tAcW5kMF

HMTIBAtJcQ9dXRqbctU5RZ9LIpEBbQ==

cisnZn2OqJ1k0uZtPoNh

YDxFc1uGlKqtZbzEkOrtlinS6Q==

6YsTAbSR5IKsa3kAne1gFns9

849SZE7FafcEciNlOa3y3w==

dD9IgmqPmSBH+2ujSno/NSE=

oTnMzZlugA5mXPdG2xFa/iEtS2QL

FN/mUyVE6ud9z+JtPoNh

Cvcia+2HQaBy

dQfS3I9otsZTRnAqmw==

8sOHdCb+Coa/q2KySno/NSE=

EqcwLimUNlHX7XIJpPw=

4o6PAABl7uuAv5hHHpg0800k

hyQlbm+mh+3vqxn8

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Users\Admin\AppData\Local\Temp\Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe
        "C:\Users\Admin\AppData\Local\Temp\Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:5060
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1276
        3⤵
        • Program crash
        PID:3852
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:3776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5048 -ip 5048
      1⤵
        PID:4768

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/532-151-0x00000000007A0000-0x00000000007CD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/532-150-0x0000000000160000-0x000000000029A000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/532-147-0x0000000000000000-mapping.dmp
        Download
      • memory/532-152-0x0000000002AA0000-0x0000000002DEA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/532-153-0x00000000028F0000-0x000000000297F000-memory.dmp
        Filesize

        572KB

        Download
      • memory/532-155-0x00000000007A0000-0x00000000007CD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/2456-156-0x0000000008470000-0x00000000085AD000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2456-154-0x0000000008470000-0x00000000085AD000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2456-146-0x00000000080E0000-0x0000000008219000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5048-137-0x00000000093D0000-0x0000000009436000-memory.dmp
        Filesize

        408KB

        Download
      • memory/5048-136-0x0000000009330000-0x00000000093CC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/5048-132-0x0000000000A90000-0x0000000000BA2000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/5048-135-0x00000000055E0000-0x00000000055EA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/5048-134-0x0000000005530000-0x00000000055C2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/5048-133-0x0000000005A40000-0x0000000005FE4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/5060-144-0x0000000001450000-0x000000000179A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5060-149-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/5060-148-0x0000000000401000-0x000000000042F000-memory.dmp
        Filesize

        184KB

        Download
      • memory/5060-145-0x0000000000E30000-0x0000000000E40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5060-141-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/5060-142-0x0000000000401000-0x000000000042F000-memory.dmp
        Filesize

        184KB

        Download
      • memory/5060-139-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/5060-138-0x0000000000000000-mapping.dmp
        Download