Overview

overview

10

Static

static

IyEXXDHLEU4cBtq.exe

windows7-x64

10

IyEXXDHLEU4cBtq.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    173s
  • max time network
    201s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2022 22:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IyEXXDHLEU4cBtq.exe

  • Size

    721KB

  • MD5

    0dd734598701e5ba50d5596a42b8d94c

  • SHA1

    d6cf2163dd892eb8c5e274856c61e9f90b03d1d9

  • SHA256

    501d6ddc2677cf909cdf85570bfbf09099004a108236bb25954758387f080b9f

  • SHA512

    d22bf5d34170f274883346349b3093d90d15a5769e9d6a1a7fb75e6230b9bce373af1f7601d40c19aa34551bbcbc08170cae464651525bdc02d418efd378c745

  • SSDEEP

    12288:yxBnM33302IgFJN0V3foFtswOSf5nHoHY8up3wxb4xZ2cbTEcjZnbCkI:YBnG30YComSxEY8gwxED2SBjZnbCkI

Score
10/10
formbookbmr1ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

bmr1

Decoy

q05YNsJC4MpYLGAf4A==

6KUzKCvwX0fwzrFQXvlucw==

KA4ZibW1w+hWN5Q=

TfgNq18tIWtsM7h+DexncQ==

zspNqjUKBdJVHTkiMMXJYeF7G53bVvMPoA==

hopQr+b8KzPIbMWvw0Yxir6cyw==

2thmt+17FR/MVsakbM/+w3xGOhopJw==

5gO5gfA6jwna/4FNSPqrvvHyr2A=

kqtr0wr9KaOXVMyDDexncQ==

PNldyz0Boa5cLGAf4A==

Gysor7fqabd0UzTwWp3Zir6cyw==

pMRgV18gtLorB21prX4=

ukpf+vu2u+hWN5Q=

pcS/rO+KmPMj69G9cMHnoSEm59cbIQ==

4fWGzv347bFNDYJeeIHKG5co

WXlRyM2Yn+4Ab1EgRAFHWdGDCzf1

ZPoM+2U1cwMzteOBsHY=

o8jQoNron4sT3A/KomE=

7QX8tTpv/A+YKw==

wFvmV8SY/A+YKw==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\IyEXXDHLEU4cBtq.exe
      "C:\Users\Admin\AppData\Local\Temp\IyEXXDHLEU4cBtq.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Local\Temp\IyEXXDHLEU4cBtq.exe
        "C:\Users\Admin\AppData\Local\Temp\IyEXXDHLEU4cBtq.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:360
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:676
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1528

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      804KB

      MD5

      b09588d000ef4bf2a3dddd85bd701423

      SHA1

      44a810ff8920a340a30b66d932253555143dc28b

      SHA256

      ce4ffc1a12150b8523378553f2a97dd3fc44d5210ae6c296ab31e2c78f0d03c3

      SHA512

      1d807d92da34ccba4628f2a55c3ac1c03ff63925d79e266b4e52d71002228cbde76206ec696c3e25143fc2e0cab56589155666ff6f8ea0ebfd5ebcd362168e2a

      Download Submit
    • memory/360-69-0x00000000008C0000-0x0000000000BC3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/360-66-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/360-68-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/360-67-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/360-70-0x00000000001A0000-0x00000000001B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/360-60-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/360-61-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/360-63-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/360-64-0x00000000004012B0-mapping.dmp
      Download
    • memory/676-78-0x0000000000070000-0x000000000009D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/676-76-0x0000000001DE0000-0x0000000001E6F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/676-75-0x00000000020B0000-0x00000000023B3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/676-73-0x0000000000310000-0x0000000000332000-memory.dmp
      Filesize

      136KB

      Download
    • memory/676-74-0x0000000000070000-0x000000000009D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/676-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1268-71-0x0000000006B20000-0x0000000006C7E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1268-77-0x0000000004B70000-0x0000000004CB7000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1268-80-0x0000000004B70000-0x0000000004CB7000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1756-58-0x0000000005E40000-0x0000000005EB0000-memory.dmp
      Filesize

      448KB

      Download
    • memory/1756-59-0x0000000000AA0000-0x0000000000AD6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1756-56-0x00000000003E0000-0x00000000003F8000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1756-55-0x0000000075C11000-0x0000000075C13000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1756-54-0x0000000000CA0000-0x0000000000D5A000-memory.dmp
      Filesize

      744KB

      Download
    • memory/1756-57-0x00000000003C0000-0x00000000003CC000-memory.dmp
      Filesize

      48KB

      Download