Overview

overview

10

Static

static

19f731a9fd...17.exe

windows7-x64

10

19f731a9fd...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    201s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25/11/2022, 16:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe

  • Size

    696KB

  • MD5

    0a3090e1388dd1d864c61ce2da00e9ad

  • SHA1

    0d5c2bc5f9dee93582c0f44284b7de83d2fb7724

  • SHA256

    19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417

  • SHA512

    0711a80fd227cff79ea5cdf783c7c2f6a18ac15d7d326a058724d247ef2ff9bd9fb72d2bc1174acb6e1f9f58093baec0b00b0602ade4d792de77e5e362fca023

  • SSDEEP

    12288:H/Hvgh/PsZ1DX/VDJGBtNvY3jvhnAXO8kL/BRVSIXt1yffSyB30:Hfvgh/P9Z+jpnQOD/TzPWfSyy

Score
10/10
formbookd0a7ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d0a7

Decoy

ngpjqd.top

provider1.net

themetaverseloyalties.com

tylpp.com

pmjewels.com

87napxxgz8x86a.com

djolobal.com

fmbmaiamelo.com

naijabam.online

networkingbits.com

beesweet.live

sexarab.homes

promptcompete.com

midsouthradio.com

23mk.top

bnhkit.xyz

2ozp56.bond

vehiclesgroups.com

healthycommunitynow.com

cwzmesr.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe
      "C:\Users\Admin\AppData\Local\Temp\19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KgnrSbbc.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:524
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgnrSbbc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC17C.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:828
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1960

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpC17C.tmp
      Filesize

      1KB

      MD5

      042efd516e2692eec606dc3a13e4b307

      SHA1

      a5ee400e14bb4dfaef938bb99022069cdbb46774

      SHA256

      f5db44e3b5793beebb22852ba727489abc73b852c2c5b1d1b4dff201429ff264

      SHA512

      0c2a08d73660c7927dd6fe3e01ae1ab284cccff709e4e5c5c9d4a16b3ab4ba498654e10b31d3f4acb5c1f895f55702dbe6bdd502a6dc6e82d9875dc86c467bbf

      Download Submit

    • memory/524-71-0x000000006F030000-0x000000006F5DB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/524-77-0x000000006F030000-0x000000006F5DB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1076-56-0x0000000000480000-0x0000000000498000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1076-57-0x0000000000430000-0x000000000043C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1076-58-0x0000000005530000-0x000000000559E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/1076-55-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1076-63-0x0000000004920000-0x0000000004954000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1076-54-0x0000000000920000-0x00000000009D4000-memory.dmp

      Filesize

      720KB

      Download

    • memory/1224-83-0x00000000063E0000-0x0000000006512000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1224-74-0x0000000004D10000-0x0000000004E25000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1224-85-0x00000000063E0000-0x0000000006512000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1336-64-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1336-67-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1336-70-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1336-73-0x00000000003D0000-0x00000000003E5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1336-65-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1336-72-0x0000000000B50000-0x0000000000E53000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1516-78-0x0000000000DF0000-0x0000000000E0F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1516-80-0x00000000000C0000-0x00000000000EF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1516-82-0x0000000000900000-0x0000000000994000-memory.dmp

      Filesize

      592KB

      Download

    • memory/1516-79-0x0000000000A90000-0x0000000000D93000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1516-84-0x00000000000C0000-0x00000000000EF000-memory.dmp

      Filesize

      188KB

      Download