Overview

overview

10

Static

static

1

Shipment D...pg.exe

windows7-x64

7

Shipment D...pg.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-10-2022 11:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipment Document BL,INV and packing list.jpg.exe

  • Size

    323KB

  • MD5

    858a0b8a0c24df21ce22f3ff702a3737

  • SHA1

    f285429ebe2a75c143abe1fd579c979122c6afe0

  • SHA256

    88819addd430324a7461bdf59c1ab994bc613bb2b17f09e572b7ba1c0c47e6f9

  • SHA512

    cfdab69ebe17d666b05a399c935a28f411a9bc1a5c014dd1fa533043992b7a947d6417982011b9fabc76c21d2d294d6384a2157580fc30b4ef46e53eb0c57ca7

  • SSDEEP

    6144:/6dbOGzzzzzzzzzzzzzzzzzzzzzzzzzzzzkzTzzzzzzQtkauL/sVfEBlUbrQ2Inh:itka2UbrQlZI/JTV6V7KAF

Score
10/10
formbookd06cdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d06c

Decoy

douglasdetoledopiza.com

yxcc.online

primo.llc

mediamomos.com

cosmetiq-pro.com

22labs.tech

turbowashing.com

lindaivell.site

princess-bed.club

groundget.cfd

agretaminiousa.com

lomoni.com

nessesse.us

lexgo.cloud

halilsener.xyz

kirokubo.cloud

corotip.sbs

meghq.net

5y6s.world

weasib.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:1256
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\SysWOW64\svchost.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4988
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
          3⤵
            PID:2628

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nsg7D9D.tmp\System.dll
        Filesize

        11KB

        MD5

        0063d48afe5a0cdc02833145667b6641

        SHA1

        e7eb614805d183ecb1127c62decb1a6be1b4f7a8

        SHA256

        ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

        SHA512

        71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

        Download Submit

      • memory/2500-133-0x00000000031A0000-0x00000000032A1000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2500-134-0x00000000031A0000-0x00000000032A1000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2500-135-0x00007FFAD6610000-0x00007FFAD6805000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2500-136-0x0000000077370000-0x0000000077513000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2500-148-0x00000000031A0000-0x00000000032A1000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2500-139-0x0000000077370000-0x0000000077513000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2628-155-0x0000000000000000-mapping.dmp

        Download

      • memory/2844-145-0x000000001D810000-0x000000001DB5A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2844-151-0x0000000077370000-0x0000000077513000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2844-142-0x00007FFAD6610000-0x00007FFAD6805000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2844-143-0x0000000077370000-0x0000000077513000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2844-144-0x0000000000401000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2844-146-0x000000001D640000-0x000000001D654000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2844-140-0x0000000001660000-0x0000000001760000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2844-137-0x0000000000000000-mapping.dmp

        Download

      • memory/2844-138-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2844-152-0x0000000001660000-0x0000000001760000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2844-150-0x00007FFAD6610000-0x00007FFAD6805000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2844-141-0x0000000001660000-0x0000000001760000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3092-147-0x0000000007DE0000-0x0000000007F27000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3092-158-0x0000000007F30000-0x0000000008057000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3092-160-0x0000000007F30000-0x0000000008057000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4988-149-0x0000000000000000-mapping.dmp

        Download

      • memory/4988-154-0x00000000004E0000-0x000000000050F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/4988-153-0x0000000000410000-0x000000000041E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4988-156-0x0000000001100000-0x000000000144A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4988-157-0x0000000001000000-0x0000000001093000-memory.dmp

        Filesize

        588KB

        Download

      • memory/4988-159-0x00000000004E0000-0x000000000050F000-memory.dmp

        Filesize

        188KB

        Download