Overview

overview

10

Static

static

1

Order List...22.exe

windows7-x64

8

Order List...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order List_28_11_22.exe

  • Size

    239KB

  • MD5

    0acb5bcb968b08f9fa0275337eaf9d81

  • SHA1

    9ff40194659288c71ee7ff01435eac29d5d55004

  • SHA256

    2b11d3a570fd45fda3e8c062f447e09dbabcfafee5e89f4258c0ac7c6e294fdc

  • SHA512

    a6c9ee59f120f5400ea08726337ed52d982184d71809f12255f44643fb6170e996a0bd89b5465b6498854978e0acab09e7cb7d6b912bcd1396e848392b1e986a

  • SSDEEP

    6144:QBn1gQ5lYu+gRaCuvlFMC5oTlyEwP5Od6mcELn3Wm:ggQ4DgRaxL5oJmP5O3jmm

Score
10/10
formbookn2hmratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

n2hm

Decoy

XCeG4IxNKbAl

YzJWbnC+El84nA==

KAJcdmP8yEcO5LXPCFF42Wfb

I+J+xYO95GJQWVU=

GtgxPPv3FmQmhw==

Og9NYF4xEl+j7vGTR93xvg==

506Cg07bsT0G6yK+A96H0h35V+JLkwI=

wAYXFN+pSFIXgQ==

ijzLI/f+FmQmhw==

UfT2PweNm+w8

GQWVw5aZnfF/kS5e

30BKYjua9zcA7gAwsPUngLnjyrBNEgo=

AM65OrmyFmQmhw==

VSlTVxISZ4J/kS5e

GGKj6K33SRh6e0/YzT5nQGlK5CXRqw==

B9H98cUUfX+AWOqiTA==

MxVffWOIoVnM37zrd2sTaOY=

z6bxCgG/mGhR7oDzQA==

pQgSLSRi6AK3M/PdArpX

6rRRsYuSnXx/kS5e

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\Order List_28_11_22.exe
      "C:\Users\Admin\AppData\Local\Temp\Order List_28_11_22.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe
        "C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe" C:\Users\Admin\AppData\Local\Temp\pmrftq.yd
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3536
        • C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe
          "C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe" C:\Users\Admin\AppData\Local\Temp\pmrftq.yd
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3552
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:3548

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\pmrftq.yd
      Filesize

      5KB

      MD5

      e8ebc5cd0631d44f074c42c7ee0d483a

      SHA1

      6743c1526437ffdf26e4eca9ae9e22a5501eb75e

      SHA256

      8bb81683329f68320da93751770f2ddc5b01615ace88d3c028c2346df13513db

      SHA512

      93636c03b0a35aa1192c34b733eececb4c433fa16bba51a57b9428d5e705f5eb6255b679c5df9495a962d1f52381f9f2b713e7a8100f648c69b364c8d4b1887f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe
      Filesize

      46KB

      MD5

      8627b859df0f7adfe76b545c5b5ebf1f

      SHA1

      1d1ee3ad3452b25ca5e467bc5317d2e61819e39f

      SHA256

      6ae3660b761846df15f7cc42dd6ea7fd43039f55685ead53b820fd07b5589295

      SHA512

      c59c97a8c511f6913f099b890fea3cb1c1718733f3182887c5bc796f16dcfd3916b42de802f293a938e86b1ddc56f482d8d3dff3adbcc12fcbc6050a363f05c7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe
      Filesize

      46KB

      MD5

      8627b859df0f7adfe76b545c5b5ebf1f

      SHA1

      1d1ee3ad3452b25ca5e467bc5317d2e61819e39f

      SHA256

      6ae3660b761846df15f7cc42dd6ea7fd43039f55685ead53b820fd07b5589295

      SHA512

      c59c97a8c511f6913f099b890fea3cb1c1718733f3182887c5bc796f16dcfd3916b42de802f293a938e86b1ddc56f482d8d3dff3adbcc12fcbc6050a363f05c7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe
      Filesize

      46KB

      MD5

      8627b859df0f7adfe76b545c5b5ebf1f

      SHA1

      1d1ee3ad3452b25ca5e467bc5317d2e61819e39f

      SHA256

      6ae3660b761846df15f7cc42dd6ea7fd43039f55685ead53b820fd07b5589295

      SHA512

      c59c97a8c511f6913f099b890fea3cb1c1718733f3182887c5bc796f16dcfd3916b42de802f293a938e86b1ddc56f482d8d3dff3adbcc12fcbc6050a363f05c7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\zypmxv.wq
      Filesize

      185KB

      MD5

      48b7015056cb576386fea23bd3c8de63

      SHA1

      495cc01b56f6c46450bb347f6d0dab43af51853e

      SHA256

      f2fb694ed9980983d87b18d45f19eb94d9c38425e25ef26d06d058ad8411595a

      SHA512

      6c9d62953e4257929c685df596b2d4ff71c4339b216a7a810b351c7ac9cc66b9148b8114d8afda049e24738251edf1e477e9eb1c45da082da9af271c956c73d0

      Download Submit
    • memory/1332-144-0x0000000000000000-mapping.dmp
      Download
    • memory/1332-146-0x0000000000CD0000-0x0000000000CF7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/1332-147-0x0000000003270000-0x00000000035BA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1332-151-0x0000000001220000-0x000000000124D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1332-148-0x0000000001220000-0x000000000124D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1332-149-0x00000000030C0000-0x000000000314F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/2440-152-0x0000000008240000-0x0000000008333000-memory.dmp
      Filesize

      972KB

      Download
    • memory/2440-143-0x0000000007D70000-0x0000000007EAF000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2440-150-0x0000000008240000-0x0000000008333000-memory.dmp
      Filesize

      972KB

      Download
    • memory/3536-132-0x0000000000000000-mapping.dmp
      Download
    • memory/3552-137-0x0000000000000000-mapping.dmp
      Download
    • memory/3552-145-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3552-142-0x0000000000670000-0x0000000000680000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3552-141-0x0000000000AF0000-0x0000000000E3A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3552-140-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3552-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download