Analysis

  • max time kernel
    300s
  • max time network
    298s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-09-2022 10:22

General

  • Target

    OFERTA_5420220000000000000000000000000000000.exe

  • Size

    713KB

  • MD5

    cd37d60e8e4e73bf7cc73737da77bd66

  • SHA1

    5241609a9066cf44f9fec214d4b1048007e4fb39

  • SHA256

    564b0058f3279d208079cc2369077a4358432acfcc9236247b3ae7517928b342

  • SHA512

    e241a492e8a76eec49365996fab506257979d91b81b89dae78336403c418f72bb44c442519b0875f1a5b954bdc0acbd95d3bf854f53c582e95506ef95793bfdc

  • SSDEEP

    12288:8ToPWBv/cpGrU3yH7mp7O0aJLpNBB/Dhw9Z7ho:8TbBv5rUsmp7jSLbBB/Dhw9Z7ho

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

QYZ6iE9Y+CsiZpCBareS0uU=

N2FQLAaH6xXE

Vc6t0MQXN+Llxsqg

ElBedmSvYGGm6yLDhHqzAtmlCxWl

4VpIWShqHR5cpjfQ4bs=

mepO9miu/iFiQQ==

Z8Owqh54IlwEpDfQ4bs=

qcq4uT5HecWZG3EVwKTiUE7slrGQGiyo

IaYYoJikKDDqgV/NigZCLA==

4Xz5pfoCCW/76NnOUrFEOw==

xiijSkVJ3Yuh9OKDcmui/d2lCxWl

cr8MmfpCEu0ULsO3p6w=

JLm2yKHo7hdVb8O3p6w=

Hriy5svWm2Qfq9mPQib9jJI65gOr

2G3nkRpidunlxsqg

gPHUAeXmi8Q9ARy3

6l5WaOf8BxhQDkp5gKQ=

KHHiXs4WOqXZdPhpaw==

+UQ5Vz5O0Ms9ARy3

pNQygKu0OziAvjOHRGLnJA==

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Users\Admin\AppData\Local\Temp\OFERTA_5420220000000000000000000000000000000.exe
      "C:\Users\Admin\AppData\Local\Temp\OFERTA_5420220000000000000000000000000000000.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
        "C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
          "C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe"
          4⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 520
          4⤵
          • Program crash
          PID:3576
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:3600
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4544 -ip 4544
      1⤵
        PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Modify Registry T1112 (1)
  • Discovery
    • Query Registry T1012 (1)
    • System Information Discovery T1082 (2)

Downloads

      • C:\Users\Admin\AppData\Local\Temp\ufquzdqwths.sq
        Filesize

        4KB

        MD5

        8ce8af99aec0f201425a470be6fdeca5

        SHA1

        6f056a3ade454becbcc604143bab3a5ba65ee212

        SHA256

        6457d729a4154f853d4cada8d0f6b89e134877dfb3356ee3751021ade54f6ceb

        SHA512

        42965d4b0708276b8c301541603a9c5002d0edfad1fa0edeb9e48ad622c2de5372fb29d28a0100df5410c5796f229dd32882990c8ff7b8576101d85f05846dcb

      • C:\Users\Admin\AppData\Local\Temp\xmlpovh.yf
        Filesize

        185KB

        MD5

        cb452aa55d9d50901046c0aad5568912

        SHA1

        1c2e420c5409be312a1cfb8f36848dd3559101c0

        SHA256

        873b5f2b215d0ec6ec9f4686ee6f881518dac9c589067d61455f6331b6fea7c8

        SHA512

        076ed0ee3fb1ec1ced18fdb6d3f5e7915ababa0f5ab2c85e4729c618650572081dea6686b61c3a718a69a27570f271d17c5853e3c30ac2aedf8c7c42884ef710

      • C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
        Filesize

        56KB

        MD5

        719833e92eaca21eb5ebce6c33157c89

        SHA1

        3aafc77c21ab150976d050a5ef9fc42a76b49774

        SHA256

        82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

        SHA512

        9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

      • memory/684-143-0x00000000081F0000-0x0000000008379000-memory.dmp
        Filesize

        1.5MB

      • memory/684-151-0x0000000008380000-0x00000000084D9000-memory.dmp
        Filesize

        1.3MB

      • memory/684-149-0x0000000008380000-0x00000000084D9000-memory.dmp
        Filesize

        1.3MB

      • memory/2604-142-0x0000000000AB0000-0x0000000000AC0000-memory.dmp
        Filesize

        64KB

      • memory/2604-141-0x00000000012F0000-0x000000000163A000-memory.dmp
        Filesize

        3.3MB

      • memory/2604-140-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

      • memory/2604-139-0x0000000000401000-0x000000000042F000-memory.dmp
        Filesize

        184KB

      • memory/2604-137-0x0000000000000000-mapping.dmp
      • memory/4544-132-0x0000000000000000-mapping.dmp
      • memory/4892-144-0x0000000000000000-mapping.dmp
      • memory/4892-145-0x0000000000060000-0x000000000007F000-memory.dmp
        Filesize

        124KB

      • memory/4892-146-0x00000000009D0000-0x00000000009FD000-memory.dmp
        Filesize

        180KB

      • memory/4892-147-0x0000000002BB0000-0x0000000002EFA000-memory.dmp
        Filesize

        3.3MB

      • memory/4892-148-0x0000000002950000-0x00000000029DF000-memory.dmp
        Filesize

        572KB

      • memory/4892-150-0x00000000009D0000-0x00000000009FD000-memory.dmp
        Filesize

        180KB