Overview

overview

10

Static

static

PAYMENT COPY.exe

windows7-x64

10

PAYMENT COPY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 14:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT COPY.exe

  • Size

    1.0MB

  • MD5

    40b8041f55f40b2975deb791cdd40f17

  • SHA1

    c0a57f918bbdd09d69e2fb380ccea7cc69e65ba8

  • SHA256

    9a5edc79c2643926c35c6e83248b6c196c5cd081f74b3b689ae9f02be6b18369

  • SHA512

    f3f0cbb4bd3515caeaad79f99e050445e02a6678ecc679206dca1c7b701785fd65086e10e7eedf4ed55a3196f8a2995961b92a7ae1bcab93bf71b11f2ac4f995

  • SSDEEP

    24576:iqJo1MNiwGovlW0G4lA0PsUCiyfTwWQn:iqiKlbfPbCiy7w

Score
10/10
formbookuymoratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

uymo

Decoy

A4J+j1lFUiMbPgQD0uzpdg==

F3lajp/JwxgpzPZ3bf9zrK0EzWDU/JY=

bOCwjfx/jOF4Las6GFv7+tQ=

9BDZHgUVSa1ypSWjNcPR

S9u+wp+ai+yEW4OWIQ==

wXxiP8BRWDG2JiTw5XA=

VeumNjNg3QeL/qtw

KYxbMI9RU7eqPpEYg1v7+tQ=

zwfU2Vv4NxXzDLy1IWFrDo3iqOoV1KB3

0XQ3wM3oGntH+iTw5XA=

nx7p2XIfYkHv9+Uu+VKx3l41j3mS454=

+BIOmtNni5xbAo5VEZFYQFAw

tkQa0SXOEjV/0yTw5XA=

YOLHv42Us4eMrHCod80dYluXJzNn

HZdsbBNsdAvOq+cr4CaIfg==

YlQ/0dwFQYtd+DXIxzKUlO8kBc9C9A==

mCL+zS69yZ9DyvVMC4399tE/Xk0V1KB3

+tXLkwCl2LyCqaNnalv7+tQ=

yPzM2bjLKPyixsjWSoWe9NI=

KQPQVL5puBHigv/RmyAU0ExD4GDU/JY=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:964
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GTYovZfcuUiN.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2100
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GTYovZfcuUiN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAA69.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1856
      • C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
        "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
        3⤵
          PID:2016
        • C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
          "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
          3⤵
            PID:2396
          • C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
            "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
            3⤵
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:3580
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\SysWOW64\wscript.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3120
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:1768

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          bcbce9ccbda3f9aa86e5e2f7e168d08e

          SHA1

          edbcb30070e36fb62bcd8afc54fd93e2b9d11777

          SHA256

          ff08b85d3df5cba52f8c889df0904d38e608583b73f8a7bcebd073af5beb6ec9

          SHA512

          c7370b73271768df96388e6f645092b99789681e233fcd2c899b7b14a8bb58ab157b54c0234071424a04e40390d56056429d67ab4f013199cf1affe7df01e2a1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpAA69.tmp
          Filesize

          1KB

          MD5

          0468ee61199d0afdac07abcff33d3645

          SHA1

          b9c887f87ca32b02ec1b393feb9b7eb5f6b77c36

          SHA256

          84254b9eec28fe7138d4500c911ba686eb0577641a24e5f1e80c903756686736

          SHA512

          f3ef31b5a385c72a8874e0facd4a4db89214e70633369dad25d6e4ba51e6a6035e7ede80396779e33d2a5644cae61ef26f3786adafeb4bb7d14a2ad22651e14b

          Download Submit

        • memory/964-170-0x0000000006FE0000-0x0000000006FEE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/964-167-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/964-157-0x0000000004830000-0x000000000484E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/964-139-0x00000000021A0000-0x00000000021D6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/964-164-0x0000000006090000-0x00000000060AE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/964-162-0x0000000075160000-0x00000000751AC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/964-172-0x00000000070D0000-0x00000000070D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/964-144-0x00000000049C0000-0x00000000049E2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/964-161-0x0000000006050000-0x0000000006082000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2100-166-0x0000000007B20000-0x000000000819A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2100-171-0x0000000007820000-0x000000000783A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2100-169-0x0000000007760000-0x00000000077F6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2100-168-0x0000000007550000-0x000000000755A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2100-163-0x0000000075160000-0x00000000751AC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2100-142-0x0000000005390000-0x00000000059B8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2100-145-0x0000000005210000-0x0000000005276000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2684-156-0x0000000002510000-0x00000000025CD000-memory.dmp

          Filesize

          756KB

          Download

        • memory/2684-179-0x00000000077C0000-0x00000000078FD000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2684-175-0x0000000002510000-0x00000000025CD000-memory.dmp

          Filesize

          756KB

          Download

        • memory/2684-178-0x00000000077C0000-0x00000000078FD000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3120-177-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3120-160-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3120-165-0x0000000003270000-0x00000000035BA000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3120-176-0x00000000031B0000-0x000000000323F000-memory.dmp

          Filesize

          572KB

          Download

        • memory/3120-159-0x0000000000120000-0x0000000000147000-memory.dmp

          Filesize

          156KB

          Download

        • memory/3348-134-0x0000000005850000-0x00000000058E2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3348-132-0x0000000000D70000-0x0000000000E80000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3348-137-0x0000000009C40000-0x0000000009CA6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3348-136-0x0000000009950000-0x00000000099EC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/3348-133-0x0000000005EE0000-0x0000000006484000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3348-135-0x0000000005810000-0x000000000581A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3580-154-0x0000000001570000-0x00000000018BA000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3580-149-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/3580-151-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/3580-152-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/3580-153-0x0000000000401000-0x000000000042F000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3580-155-0x0000000001270000-0x0000000001280000-memory.dmp

          Filesize

          64KB

          Download