Overview

overview

10

Static

static

4_60484345...876.js

windows7-x64

8

4_60484345...876.js

windows10-2004-x64

10

Resubmissions

24-11-2022 01:33

221124-byys8aaa97 10

23-11-2022 13:44

221123-q1t1dafd39 8

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4_6048434599929842876.js

  • Size

    9KB

  • MD5

    f0d8c4e88c78cb534e1bf4df33cd0edf

  • SHA1

    56e576823ce200a5d079b245cec26c4e1af71b4b

  • SHA256

    392d3c413e8ea60cd0c8ec8876f0ff381aac710dce9ccb7f0f3432117582ee89

  • SHA512

    25601825fd6b756aa65f84ab3bbf7f9ed3b953ea77d26b36fbeb91979c3d8abd0f655a9ace4f0510073a890c1fada5bd147a71bca6a563aa01c1dd66d1150082

  • SSDEEP

    192:gRwZrQjrWzVD3CxZRfVjl/yzrPKs3RuHLKyJW7X1Kz5uMYICz5uaYzZ46Qz5IaYr:vZQjrWo3/ySa42yYFNaxSr+uai01z7U0

Score
10/10
formbooka3c0ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

a3c0

Decoy

sQND4WdTOlkFZlIDVHk3N6w=

q+EQwUVJu0rqKMvucOA=

nf4X7hV5HnoX

D2GdxSupGqxnbntNXXJp+w==

KoafL5HWwP+dkIBzBGFB5g==

1xVJ44BmoRm3DNlzGHJX

UYqmwE2sg4Vs5dM=

Jo62P3tOy75tHQ==

/GeWSaKPP50rCg==

PZnUga+I0irSgi0Mieg=

Qq3jB6ADzvuvtjaTC2zo8w==

/EuBFH8FGV4K

X77vcuHgVNFutJyPCWj00bya

8G2Ond0wiP7wr1q4

FHaWv/JCjt7Im5NFHnNf

FG2UQcq8nnlv1c4=

WaW7Fh1B8o01AA==

B0prj62IYqtFLyEECFgQ1JKD

LYeyy+6iB2sV

zxVH23VoYL1fYBiGVL62CvZe0A==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\4_6048434599929842876.js
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Users\Admin\AppData\Local\Temp\NHGGFuI.exe
        "C:\Users\Admin\AppData\Local\Temp\NHGGFuI.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3372
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2212
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4048

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\NHGGFuI.exe
      Filesize

      302KB

      MD5

      a84720d5301bba0506a66dd9fd8da0d1

      SHA1

      42f1d84f9c93e46b66a8d3aff6c42093c8f9fa40

      SHA256

      c25c4ca3c32cfce10924b13da6d881c9cff7b81275d125b85ce96ec20c0200a3

      SHA512

      860726a34346eea7f1dcf38e05ba02700f952ed8f3e4597ea039f32d6ffc9a68d1829d4f4c8af1dd0d2dffbd444c9adb27d3be6d35fd488d7a06af1860df1cc1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\NHGGFuI.exe
      Filesize

      302KB

      MD5

      a84720d5301bba0506a66dd9fd8da0d1

      SHA1

      42f1d84f9c93e46b66a8d3aff6c42093c8f9fa40

      SHA256

      c25c4ca3c32cfce10924b13da6d881c9cff7b81275d125b85ce96ec20c0200a3

      SHA512

      860726a34346eea7f1dcf38e05ba02700f952ed8f3e4597ea039f32d6ffc9a68d1829d4f4c8af1dd0d2dffbd444c9adb27d3be6d35fd488d7a06af1860df1cc1

      Download Submit
    • memory/2212-146-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2212-147-0x0000000000401000-0x000000000042E000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2212-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2212-137-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2212-139-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2212-140-0x0000000000401000-0x000000000042E000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2212-142-0x0000000000F00000-0x000000000124A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2212-143-0x0000000000970000-0x0000000000980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3048-144-0x0000000002FF0000-0x00000000030A8000-memory.dmp
      Filesize

      736KB

      Download
    • memory/3048-153-0x0000000008380000-0x000000000850E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3048-154-0x0000000008380000-0x000000000850E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3372-132-0x0000000000000000-mapping.dmp
      Download
    • memory/3372-135-0x0000000000910000-0x0000000000962000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3592-145-0x0000000000000000-mapping.dmp
      Download
    • memory/3592-148-0x0000000000310000-0x000000000031B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3592-150-0x0000000000D00000-0x000000000104A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3592-149-0x0000000000260000-0x000000000028D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3592-151-0x0000000000260000-0x000000000028D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3592-152-0x0000000000A60000-0x0000000000AEF000-memory.dmp
      Filesize

      572KB

      Download