Overview

overview

10

Static

static

Attached ...OC.exe

windows7-x64

10

Attached ...OC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Attached Invoice_72_1421 DOC.exe

  • Size

    245KB

  • MD5

    13940ca97783f75831c3f0a72c59ec53

  • SHA1

    d0bea9d294ab885228296157122414eb372f5a56

  • SHA256

    810b8a39783409f1b3f56e78d764a5abda68ff7bf08ae721ba798934568db7f3

  • SHA512

    e9169747a0c4f9c90bba3fabe3d71b4985410e221be37c6fe31c2bbec4a50299d3a4dd2eaffe087b65b6a70c857be127683e78fc685ce5868ddcb4428a4f78bf

  • SSDEEP

    3072:3LfVxlyEZfp9zIzjBlLetfKhoewsEvTnL+pssSWdwU8xbtEbAqPsfSliJx:btXZXPzd5vrL8ssST5xZEBPsDJ

Score
10/10
formbookpfgcdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

pfgc

Decoy

hBGNx7LOg1/1V9He6Lr1odiL8A==

JUtMWPUI+jYE3h2D0VXJrkViyWlklw==

9Onb+iNxE//TbnVsww==

+zlULMoiC8l+8Tev2wK6Xpt3qkQ2

vv/ckxYzTsV3W3KwMKjDf1rK+A==

fiNtn8AUmEDcSGooP0OzpNX0

Vo+DIT5uE/PEbnVsww==

JzMzXJDojoBk5EcxFTKznOD+

hxRyvNTzW6eTCQ==

/CcTv23E93dcQXf9RUb+

n6ODTfEg31QE9F0=

V9k3j8Pew4FJqasspfOBQNk=

mq+vfSOVMzCmhwN1wUeUUME41Pw=

1frRhiXBVRSqDTLo46vXXNc=

WP9xcxRKdPLGtCeZ8VMcCsA=

dIBJ53JHoTO5

tlakzPSKiYl02hJYqJQdC8I=

EiPtnEnwhz/bMaJp+a0cj8g=

s7mOSbbN8GbPM3von61MR8E41Pw=

HFhN1/bX7Umz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Users\Admin\AppData\Local\Temp\Attached Invoice_72_1421 DOC.exe
      "C:\Users\Admin\AppData\Local\Temp\Attached Invoice_72_1421 DOC.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Users\Admin\AppData\Local\Temp\Attached Invoice_72_1421 DOC.exe
        "C:\Users\Admin\AppData\Local\Temp\Attached Invoice_72_1421 DOC.exe"
        3⤵
        • Checks QEMU agent file
        • Checks computer location settings
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:816
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1596

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsyA95D.tmp\System.dll
    Filesize

    11KB

    MD5

    7399323923e3946fe9140132ac388132

    SHA1

    728257d06c452449b1241769b459f091aabcffc5

    SHA256

    5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

    SHA512

    d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

    Download Submit

  • memory/784-66-0x0000000077030000-0x00000000771B0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/784-56-0x0000000003960000-0x0000000003A61000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/784-57-0x0000000003960000-0x0000000003A61000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/784-58-0x0000000076E50000-0x0000000076FF9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/784-61-0x0000000077030000-0x00000000771B0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/784-62-0x0000000077030000-0x00000000771B0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/784-79-0x0000000077030000-0x00000000771B0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/784-78-0x0000000003960000-0x0000000003A61000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/816-63-0x0000000000403358-mapping.dmp

    Download

  • memory/816-82-0x00000000001C0000-0x00000000002C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/816-68-0x0000000076E50000-0x0000000076FF9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/816-71-0x0000000077030000-0x00000000771B0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/816-72-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/816-73-0x0000000000401000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/816-74-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/816-75-0x000000001D580000-0x000000001D883000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/816-76-0x000000001D450000-0x000000001D460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/816-83-0x0000000077030000-0x00000000771B0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/816-65-0x00000000001C0000-0x00000000002C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/816-64-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/816-67-0x00000000001C0000-0x00000000002C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1360-77-0x0000000007300000-0x0000000007487000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1360-88-0x0000000004A20000-0x0000000004B75000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1596-80-0x0000000000000000-mapping.dmp

    Download

  • memory/1596-84-0x0000000000240000-0x0000000000334000-memory.dmp

    Filesize

    976KB

    Download

  • memory/1596-85-0x0000000000100000-0x000000000012D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1596-86-0x0000000002120000-0x0000000002423000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1596-87-0x0000000001EE0000-0x0000000001F6F000-memory.dmp

    Filesize

    572KB

    Download