Overview

overview

10

Static

static

tmp.exe

windows7-x64

1

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/10/2022, 11:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1.0MB

  • MD5

    17bbc32ae7b7b8282df2908c19e7af86

  • SHA1

    20fedf92f7e8c031a197bf735ff6fced3d8e96a1

  • SHA256

    0e1d21f60b2306337010b1d717e236067de9c46bd2c4b9f7c38e011af7b46093

  • SHA512

    65ce67671dff258200d21b351915a9a69f4eb64b35fa1bd16549cab6bf0ad9eb7f9b7c6a87c0b7c103afe10c0069a9ab431d1bcedca5d7e7bde82dfd394ab614

  • SSDEEP

    12288:wT7PqP2iNcvaHfNSiJoAdC9Kpki86TPKBt+kY4sDTwKOZLeGu:dP1Ls/Umi86TPKBK4sDTgX

Score
10/10
formbookey84ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ey84

Decoy

agencecapture.com

ky4149.com

thetherapypractice.asia

serviciosemi.com

tprhddxvn.buzz

prompttransport.net

tuv39.site

swd3.com

arti.fun

9kriketnp.com

prozoriy.fun

locphatapl.com

impactxp-dashboard.live

sponsoredoffers.com

buy-used-cars-sa.store

crown.football

jaeralintel.com

rapidguides.online

creaminthecoffee.com

makkaa.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1108
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:3320
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:3848
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:1360
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:5088
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:4392
              • C:\Windows\SysWOW64\autochk.exe
                "C:\Windows\SysWOW64\autochk.exe"
                2⤵
                  PID:1564
                • C:\Windows\SysWOW64\autochk.exe
                  "C:\Windows\SysWOW64\autochk.exe"
                  2⤵
                    PID:1152
                  • C:\Windows\SysWOW64\autochk.exe
                    "C:\Windows\SysWOW64\autochk.exe"
                    2⤵
                      PID:2228
                    • C:\Windows\SysWOW64\autochk.exe
                      "C:\Windows\SysWOW64\autochk.exe"
                      2⤵
                        PID:1880
                      • C:\Windows\SysWOW64\ipconfig.exe
                        "C:\Windows\SysWOW64\ipconfig.exe"
                        2⤵
                        • Suspicious use of SetThreadContext
                        • Gathers network information
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: MapViewOfSection
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3080
                        • C:\Windows\SysWOW64\cmd.exe
                          /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
                          3⤵
                            PID:4596
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k netsvcs -p
                        1⤵
                        • Drops file in System32 directory
                        • Checks processor information in registry
                        • Enumerates system info in registry
                        PID:4932

                      Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/1108-145-0x00000000016A0000-0x00000000016B4000-memory.dmp

                              Filesize

                              80KB

                              Download

                            • memory/1108-148-0x0000000000400000-0x000000000042F000-memory.dmp

                              Filesize

                              188KB

                              Download

                            • memory/1108-142-0x0000000001630000-0x0000000001644000-memory.dmp

                              Filesize

                              80KB

                              Download

                            • memory/1108-141-0x0000000001C40000-0x0000000001F8A000-memory.dmp

                              Filesize

                              3.3MB

                              Download

                            • memory/1108-139-0x0000000000400000-0x000000000042F000-memory.dmp

                              Filesize

                              188KB

                              Download

                            • memory/1108-144-0x0000000000400000-0x000000000042F000-memory.dmp

                              Filesize

                              188KB

                              Download

                            • memory/3004-146-0x00000000036A0000-0x0000000003797000-memory.dmp

                              Filesize

                              988KB

                              Download

                            • memory/3004-156-0x0000000009100000-0x000000000926E000-memory.dmp

                              Filesize

                              1.4MB

                              Download

                            • memory/3004-143-0x0000000008B40000-0x0000000008CD6000-memory.dmp

                              Filesize

                              1.6MB

                              Download

                            • memory/3004-154-0x0000000009100000-0x000000000926E000-memory.dmp

                              Filesize

                              1.4MB

                              Download

                            • memory/3012-132-0x00000000004C0000-0x00000000005C8000-memory.dmp

                              Filesize

                              1.0MB

                              Download

                            • memory/3012-135-0x0000000005020000-0x000000000502A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/3012-137-0x0000000009C50000-0x0000000009CB6000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/3012-134-0x0000000004F80000-0x0000000005012000-memory.dmp

                              Filesize

                              584KB

                              Download

                            • memory/3012-133-0x0000000005530000-0x0000000005AD4000-memory.dmp

                              Filesize

                              5.6MB

                              Download

                            • memory/3012-136-0x0000000009BB0000-0x0000000009C4C000-memory.dmp

                              Filesize

                              624KB

                              Download

                            • memory/3080-149-0x0000000000ED0000-0x0000000000EDB000-memory.dmp

                              Filesize

                              44KB

                              Download

                            • memory/3080-150-0x0000000000E80000-0x0000000000EAF000-memory.dmp

                              Filesize

                              188KB

                              Download

                            • memory/3080-151-0x00000000018A0000-0x0000000001BEA000-memory.dmp

                              Filesize

                              3.3MB

                              Download

                            • memory/3080-153-0x00000000017F0000-0x0000000001883000-memory.dmp

                              Filesize

                              588KB

                              Download

                            • memory/3080-155-0x0000000000E80000-0x0000000000EAF000-memory.dmp

                              Filesize

                              188KB

                              Download