Overview

overview

10

Static

static

RE CNHTC--...54.exe

windows7-x64

10

RE CNHTC--...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RE CNHTC--PO confirmation7876765655545654.exe

  • Size

    1.1MB

  • MD5

    3fe6259ed37afe425f5062f917897fe8

  • SHA1

    1ee3b44562f12d7236ad8b635f282532a7586e7d

  • SHA256

    f875be79be10a88a9a5c815b0676cbfc58f48e7524f2e4d383b2d7ef63d2e306

  • SHA512

    ba748a8fd1fc131fdd634d6ef77ee5325e6ad15f719d21e7d3932e96222ec72f269ee516421ee9c240be21b847e5ba94e66111d974d1aefcfd4a038833824807

  • SSDEEP

    24576:OKoG74DjPRhmKOC9Gbnn32Nd/xCjqdOp:O074fPLmuAbnn32Nd/CqdO

Score
10/10
formbookned5ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ned5

Decoy

asian-dating-42620.com

ttg06.com

cupandbelle.com

prepaidprocess.com

jrzkt.com

hdgby2.com

finnnann.com

chillpill-shoppygood.com

sfdgg.online

articlerewritertool.net

cdjxsculture.com

omnificare.info

lasafblanch.com

omaxfort.xyz

spk.info

shb1368.com

jewelry-10484.com

hubsp0t.com

shronky.com

yangjh34.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 6 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\RE CNHTC--PO confirmation7876765655545654.exe
      "C:\Users\Admin\AppData\Local\Temp\RE CNHTC--PO confirmation7876765655545654.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sFVRBoZT.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1644
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFVRBoZT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB108.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:624
      • C:\Users\Admin\AppData\Local\Temp\RE CNHTC--PO confirmation7876765655545654.exe
        "C:\Users\Admin\AppData\Local\Temp\RE CNHTC--PO confirmation7876765655545654.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\SysWOW64\cmmon32.exe
          "C:\Windows\SysWOW64\cmmon32.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            5⤵
              PID:1508

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpB108.tmp
      Filesize

      1KB

      MD5

      23491df84b50ec35637701bfb62fe8ee

      SHA1

      944064e5411ba2e03443913c77ca862750879342

      SHA256

      2a0c5b0a4ce071939d8c144fc062e234ef10de917f6d643eb8378b122493e994

      SHA512

      dd627c80547b5f6153f26d13f8abfc0a93e99ed22bb21a9163ae2034cf2b8ed5b42dfa352715bc508aa6de6c551ddd68424eb331bf6ece3e653bc38f2fe1a40f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\OM2Q-D0F\OM2logim.jpeg
      Filesize

      66KB

      MD5

      cfc7cd4ffb2d2c81e70b23dcef5ddef5

      SHA1

      7ec8d47cd0bb0a6d5a82802d92f230c675266bc7

      SHA256

      9c1c13b4d4bd00b594b6da32329a2d8985710902cee93ea4d419e64b53a09d3d

      SHA512

      2f0cfb7daf94fed900b93cded6905862f6594858a91f06210cf3fec52528016549059887163d5863b2daec26069f3694ea559ea7e7e717cfa950d55c8a26fc18

      Download Submit

    • C:\Users\Admin\AppData\Roaming\OM2Q-D0F\OM2logrf.ini
      Filesize

      40B

      MD5

      2f245469795b865bdd1b956c23d7893d

      SHA1

      6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

      SHA256

      1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

      SHA512

      909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\OM2Q-D0F\OM2logri.ini
      Filesize

      40B

      MD5

      d63a82e5d81e02e399090af26db0b9cb

      SHA1

      91d0014c8f54743bba141fd60c9d963f869d76c9

      SHA256

      eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

      SHA512

      38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

      Download Submit

    • C:\Users\Admin\AppData\Roaming\OM2Q-D0F\OM2logrv.ini
      Filesize

      40B

      MD5

      ba3b6bc807d4f76794c4b81b09bb9ba5

      SHA1

      24cb89501f0212ff3095ecc0aba97dd563718fb1

      SHA256

      6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

      SHA512

      ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

      Download Submit

    • memory/624-60-0x0000000000000000-mapping.dmp

      Download

    • memory/1256-88-0x0000000006380000-0x00000000064C2000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1256-77-0x0000000006260000-0x000000000637A000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1256-85-0x0000000006380000-0x00000000064C2000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1256-74-0x00000000060E0000-0x0000000006252000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1644-59-0x0000000000000000-mapping.dmp

      Download

    • memory/1644-70-0x000000006E9B0000-0x000000006EF5B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1720-87-0x0000000001EE0000-0x0000000001F74000-memory.dmp

      Filesize

      592KB

      Download

    • memory/1720-86-0x0000000000080000-0x00000000000AF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1720-84-0x0000000001EE0000-0x0000000001F74000-memory.dmp

      Filesize

      592KB

      Download

    • memory/1720-82-0x0000000001FB0000-0x00000000022B3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1720-80-0x0000000000740000-0x000000000074D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1720-81-0x0000000000080000-0x00000000000AF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1720-78-0x0000000000000000-mapping.dmp

      Download

    • memory/1800-63-0x0000000007FD0000-0x000000000803E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/1800-54-0x00000000000E0000-0x0000000000202000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1800-55-0x00000000758C1000-0x00000000758C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1800-56-0x0000000000A00000-0x0000000000A18000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1800-57-0x0000000000A20000-0x0000000000A2C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1800-58-0x0000000007F20000-0x0000000007FC6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/1868-72-0x0000000000B70000-0x0000000000E73000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1868-68-0x000000000041F060-mapping.dmp

      Download

    • memory/1868-65-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1868-64-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1868-67-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1868-71-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1868-79-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1868-73-0x00000000002A0000-0x00000000002B5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1868-76-0x0000000000300000-0x0000000000315000-memory.dmp

      Filesize

      84KB

      Download