Overview

overview

10

Static

static

639b8c7c6c...f8.exe

windows7-x64

10

639b8c7c6c...f8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    196s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 23:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    639b8c7c6c073dba732b3bf637198ef8.exe

  • Size

    1.1MB

  • MD5

    639b8c7c6c073dba732b3bf637198ef8

  • SHA1

    678981a9dd87757102383c8179213e4fdb50f981

  • SHA256

    cb51a857dc33e532754e21259545e94dd518baff0783b8dd0623a20621af3a28

  • SHA512

    c6d5ffffe53e6472dfe7cb12380ee2619cc353994ab7aee682ca5b97a7dfc2b7cd0e9d0ea49d38626ed82256bb391860e3ac3ae67b07150a15711a5de8dd75a9

  • SSDEEP

    12288:NQnk3GDYKGcblOOO8veSJJ9F5qhBWX7riHB7BF7M9VVRyF/2gLrQ8H5Z/wwC+r1Q:XAOcZPOeJ9FEeHiT7MdIF/2gzf3hL69p

Score
10/10
formbooknursratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nurs

Decoy

caixinhascomcarinho.com

abinotools.com

oporto-tours.com

iruos.com

yesmamawinebar.com

wwwscu.com

habit2impact.com

antigenresearch.com

ux4space.com

diarypisces.com

cryptopers.com

lovingmoreband.com

beerwars.net

ascariproject.site

livesoccerhd.info

bluestardivingschool.com

pluik.com

snorrky.space

lcoi9.com

phantomxr.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\639b8c7c6c073dba732b3bf637198ef8.exe
      "C:\Users\Admin\AppData\Local\Temp\639b8c7c6c073dba732b3bf637198ef8.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\1_25\sacoeskrb.vbe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:472
        • C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe
          "C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe" obhixptvt.sdb
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1864
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
              PID:1044
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:1048
      • C:\Windows\SysWOW64\cmstp.exe
        "C:\Windows\SysWOW64\cmstp.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:924
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:1120

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\1_25\EWVDXV~1.UWT
        Filesize

        370KB

        MD5

        475aeaa2f299104829cf51855f967732

        SHA1

        2d0a6a9354352de037ba138eaa396a555e81f2fc

        SHA256

        1fccb373d0874ca7b1724be22c92c0d43e57bacd7b63fc8d941c7547547e42cc

        SHA512

        a08cc7830b9c3871206614f9c2b5561924213677098c0540833ffdb34d1ae18131aae73a14c507b0a4f29866f0297928428649b761488855d08c58d3e65ab739

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\1_25\kwveqml.xls
        Filesize

        46KB

        MD5

        7019bcd3fb865e3a8e2da1b516c564a3

        SHA1

        3262d4ee592347d82a8fd2140d93bb6910d00075

        SHA256

        d681907c61f968ace305acd2ea934a4435fc3cb8da56e0344aba8bea454b4218

        SHA512

        0bd7d208720e6b079e1cf4068e005e52bc270b571688f7a8e1f254c4c79c166b8aa9607e42f399960aa17accc03df7f51cba425a0f51b03908c06a8b47e809cc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\1_25\obhixptvt.sdb
        Filesize

        175.1MB

        MD5

        082a1acafdf54eb080f1d2e7283c4ae7

        SHA1

        051cbe21e76e4e0204a1ca8e6f84a3f2552d9f0f

        SHA256

        358e471f362945f7fe80c899ae57ccc310ebf5b8a4f397cea470074bd6ab9f9b

        SHA512

        d227860690ed097dff52abdd5d24b128cc594d300a48cfea590b536b8e48a8b5c2b4edb21ed95927de3a553ba563bedd3146e7bf3a54f35efbded687761572ce

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe
        Filesize

        887KB

        MD5

        9cb747e90a356ba69be4204d8bfd200e

        SHA1

        68346ca6bcbef5ed66845b607213483fb16eba89

        SHA256

        f06ee32abde9a559f10f7f94bc75b735b969774f532a09f6688b34ab3575d5eb

        SHA512

        c67f175455144a52597912fb80aeb6da440a4fa9065c16f69f49c9f4c1ca5b8bc53ee4422dbea157adaca893636cdc95e2262212eb394ccb90577d605a0e5129

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe
        Filesize

        887KB

        MD5

        9cb747e90a356ba69be4204d8bfd200e

        SHA1

        68346ca6bcbef5ed66845b607213483fb16eba89

        SHA256

        f06ee32abde9a559f10f7f94bc75b735b969774f532a09f6688b34ab3575d5eb

        SHA512

        c67f175455144a52597912fb80aeb6da440a4fa9065c16f69f49c9f4c1ca5b8bc53ee4422dbea157adaca893636cdc95e2262212eb394ccb90577d605a0e5129

        Download Submit
      • C:\Users\Admin\AppData\Local\temp\1_25\sacoeskrb.vbe
        Filesize

        21KB

        MD5

        86585175a5cea2d2e40f4d6bf8a7f2a2

        SHA1

        1bfa7cf0e59e91aade5843e7781e8b6020a83103

        SHA256

        a28850acd2150df85cf31643b282637a089c5a38a9499bc4f3133bfbbfb54aba

        SHA512

        dedbffde74768669456b847deb5299e9870df0c3e362180afddae5804b95d82b47508735168e7b1744d16a0b9ddb82bde29ba723f57e71647cd73f3265f690d1

        Download Submit
      • \Users\Admin\AppData\Local\Temp\1_25\sqia.exe
        Filesize

        887KB

        MD5

        9cb747e90a356ba69be4204d8bfd200e

        SHA1

        68346ca6bcbef5ed66845b607213483fb16eba89

        SHA256

        f06ee32abde9a559f10f7f94bc75b735b969774f532a09f6688b34ab3575d5eb

        SHA512

        c67f175455144a52597912fb80aeb6da440a4fa9065c16f69f49c9f4c1ca5b8bc53ee4422dbea157adaca893636cdc95e2262212eb394ccb90577d605a0e5129

        Download Submit
      • memory/472-55-0x0000000000000000-mapping.dmp
        Download
      • memory/560-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/924-84-0x0000000000110000-0x000000000013F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/924-75-0x0000000000000000-mapping.dmp
        Download
      • memory/924-82-0x0000000000660000-0x00000000006F3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/924-80-0x0000000001FF0000-0x00000000022F3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/924-79-0x0000000000110000-0x000000000013F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/924-78-0x00000000005A0000-0x00000000005B8000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1048-69-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1048-73-0x0000000000150000-0x0000000000164000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1048-76-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1048-72-0x0000000000A90000-0x0000000000D93000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1048-70-0x000000000041F140-mapping.dmp
        Download
      • memory/1048-67-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1048-66-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1120-81-0x0000000000000000-mapping.dmp
        Download
      • memory/1284-74-0x0000000006210000-0x00000000063BE000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/1284-83-0x0000000006040000-0x0000000006160000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1284-85-0x0000000006040000-0x0000000006160000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1864-60-0x0000000000000000-mapping.dmp
        Download