Overview

overview

10

Static

static

Specificat...78.exe

windows7-x64

10

Specificat...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2022 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Specification 5678.exe

  • Size

    783KB

  • MD5

    10a84bec0fb372b198ef40ca39f55bd8

  • SHA1

    3865a090d536a52b9e2625ca4eee5e3b346b74f0

  • SHA256

    c85a06161a28fcfcc80891d618c37d37b72e970be0be060fec72925424412044

  • SHA512

    fc4f3cb89b437a2e29b95c4b39c8dbc5a3cde31d6b73281d1080c4dc29788f56fe39580eb9498ac8b250fa81602bd4dcc1ea825978f3e06817f8b0ed6886522c

  • SSDEEP

    12288:jb7Vnri6k1mS35TcRi1fHlFKIBVKlAhQhngAKEogIYWkejwFGf:jRri6koS35rHbzMnngAKEogIreG

Score
10/10
formbooknhg6ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

nhg6

Decoy

FSZGb3Of7ECMIOG9mh1ql/w=

DAPP3Pm63eo+zg==

khOZTuClxYsKQsZALgy3ob9TFAk=

5uWol2f/RF3CAwFd

P70LqPOi2iE9g4vpPH1Lk8E0K6tC

KBRl7TSt3eo+zg==

rqedJWUJXKkDbORa

lpORtIg8lvMKbJ77PQW9kes=

Qinv+gsohAIooqyTcfUYgZ/IVxQ=

J0L2ggPAiE2gxm4=

r/I6qOGI5noJCghf

khJg6HKM6l9okVK+pg==

HRMTK/6p3eo+zg==

HqMiuv2JaKYJCghf

+FzGYtsGTpK46OkKkh5C

BBrOUpUY91R/r8gkPwrcuw==

klWfn2smdNcqog581h6vX7px

t8uvr7+R7IPaHSOH1hqvX7px

bHdghkj64OjzY2hOLa/WObrRkkeJjQ==

s3/smhoylh1J0mPS4aDHBDRyJw==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\Specification 5678.exe
      "C:\Users\Admin\AppData\Local\Temp\Specification 5678.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pPXFqtKQrbbp.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3860
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pPXFqtKQrbbp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA71D.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4212
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4368

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA71D.tmp
      Filesize

      1KB

      MD5

      d7e4d271a54c5fd0a645e90ca59b1546

      SHA1

      4af1a6da3cdeb0d64266e7eb151afcbb8d323132

      SHA256

      c4452aa9743a57fda3f6c39ee4a461cbba708f189d6e76b05c0087e1b2f83714

      SHA512

      7c6b53963a43a023741a375849b96b4076d48881a08d68df115e8236e4c07ec546f51b613b30adaabe99e1928e97b61af4b734fa6202d035e0f02814072a1c3f

      Download Submit
    • memory/2200-158-0x0000000000000000-mapping.dmp
      Download
    • memory/2200-161-0x0000000000C00000-0x0000000000C0C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2200-162-0x0000000001200000-0x000000000122D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2200-165-0x00000000031A0000-0x00000000034EA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2200-171-0x0000000001200000-0x000000000122D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2200-169-0x0000000002EF0000-0x0000000002F7F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/2440-154-0x0000000007D70000-0x0000000007EFA000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2440-172-0x0000000002EA0000-0x0000000002F5F000-memory.dmp
      Filesize

      764KB

      Download
    • memory/2440-170-0x0000000002EA0000-0x0000000002F5F000-memory.dmp
      Filesize

      764KB

      Download
    • memory/2556-142-0x0000000000000000-mapping.dmp
      Download
    • memory/2556-143-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2556-148-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2556-149-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2556-150-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2556-151-0x0000000001B80000-0x0000000001ECA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2556-152-0x0000000001700000-0x0000000001710000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3704-136-0x0000000007B40000-0x0000000007BDC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3704-135-0x00000000051B0000-0x00000000051BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3704-134-0x0000000005100000-0x0000000005192000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3704-132-0x00000000006C0000-0x000000000078A000-memory.dmp
      Filesize

      808KB

      Download
    • memory/3704-133-0x0000000005790000-0x0000000005D34000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3860-153-0x00000000067A0000-0x00000000067BE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3860-164-0x0000000007D40000-0x0000000007DD6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/3860-157-0x0000000006D70000-0x0000000006D8E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3860-155-0x0000000007970000-0x00000000079A2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3860-159-0x0000000008100000-0x000000000877A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3860-160-0x0000000007AC0000-0x0000000007ADA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3860-147-0x0000000006150000-0x00000000061B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3860-146-0x0000000005FA0000-0x0000000006006000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3860-163-0x0000000007B30000-0x0000000007B3A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3860-156-0x0000000071A90000-0x0000000071ADC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3860-145-0x00000000057F0000-0x0000000005812000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3860-166-0x0000000007CF0000-0x0000000007CFE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3860-167-0x0000000007E00000-0x0000000007E1A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3860-168-0x0000000007DE0000-0x0000000007DE8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3860-141-0x0000000005970000-0x0000000005F98000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3860-139-0x0000000005210000-0x0000000005246000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3860-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4212-138-0x0000000000000000-mapping.dmp
      Download