Overview

overview

10

Static

static

Urgent quo...f-.exe

windows7-x64

10

Urgent quo...f-.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    171s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 11:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Urgent quote request -pdf-.exe

  • Size

    636KB

  • MD5

    b8315ffe6f3194b9b8b8188696524867

  • SHA1

    bb037856bb04518f5b1948efffbfbe31646af3ef

  • SHA256

    d50b5e68cc51789ccf9d892f92fd82ca4340f3603882c9fa24ea965d9e839a80

  • SHA512

    874a181dd92fcc9968f88b9a9e6a0e38473f85c4fd4ea84029bc0ed8e2717a957bc6a244b5222c8a7f8716bb85a774dee04c64f73802f9bfbe8c7b421a3ecb02

  • SSDEEP

    12288:8pcJpbKbfuLb58ZGYxiudpN0nC3Lf91I64HyfOWyoc+h2j2AKm+:8ajbKCLb58ZGIRb7f9m8g5

Score
10/10
formbooka24eratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a24e

Decoy

flormarine.co.uk

theglazingsquad.uk

konarkpharma.com

maxpropertyfinanceuk.co.uk

jackson-ifc.com

yvonneazevedoimoveis.net

baystella.com

arexbaba.online

trihgd.xyz

filth520571.com

cikpkg.cfd

jakesupport.com

8863365.com

duniaslot777.online

lop3a.com

berkut-clan.ru

lernnavigator.com

elenaisaprincess.co.uk

daimadaquan.xyz

mychirocart.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\Urgent quote request -pdf-.exe
      "C:\Users\Admin\AppData\Local\Temp\Urgent quote request -pdf-.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GyFWLglwl.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4320
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GyFWLglwl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCAA3.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:5028
      • C:\Users\Admin\AppData\Local\Temp\Urgent quote request -pdf-.exe
        "C:\Users\Admin\AppData\Local\Temp\Urgent quote request -pdf-.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:5112
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:3628
      • C:\Windows\SysWOW64\WWAHost.exe
        "C:\Windows\SysWOW64\WWAHost.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5088
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Urgent quote request -pdf-.exe"
          3⤵
            PID:4688

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpCAA3.tmp
        Filesize

        1KB

        MD5

        7e324b42654e5368e5d72df5518b0baf

        SHA1

        627f3e01662fd2a6148da5ac78636554a87f9334

        SHA256

        8450fe6c90ebc876b29a1686c4dd16bee51126f9a342ff2154d1eecec8fbb5fa

        SHA512

        294d041786fe9689eff3945f50f5b4cdb577b1029c3bfef349c58e2e10adf7a66a043cfacb467dd8865256aec1fdaf2e247912a61902052461fbdb37742cc960

        Download Submit
      • memory/2692-153-0x0000000008CA0000-0x0000000008DC6000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2692-150-0x0000000008700000-0x0000000008881000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2692-175-0x0000000003480000-0x0000000003567000-memory.dmp
        Filesize

        924KB

        Download
      • memory/2692-174-0x0000000003480000-0x0000000003567000-memory.dmp
        Filesize

        924KB

        Download
      • memory/2692-168-0x0000000008CA0000-0x0000000008DC6000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/4016-136-0x00000000092A0000-0x000000000933C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4016-135-0x0000000005640000-0x000000000564A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4016-134-0x0000000005680000-0x0000000005712000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4016-132-0x0000000000BF0000-0x0000000000C96000-memory.dmp
        Filesize

        664KB

        Download
      • memory/4016-133-0x0000000005B90000-0x0000000006134000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4320-140-0x00000000057D0000-0x0000000005DF8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/4320-141-0x00000000054E0000-0x0000000005502000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4320-137-0x0000000000000000-mapping.dmp
        Download
      • memory/4320-171-0x0000000007C40000-0x0000000007C48000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4320-170-0x0000000007C50000-0x0000000007C6A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4320-169-0x0000000007B50000-0x0000000007B5E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4320-143-0x0000000005E70000-0x0000000005ED6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4320-162-0x0000000070D30000-0x0000000070D7C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4320-167-0x0000000007B80000-0x0000000007C16000-memory.dmp
        Filesize

        600KB

        Download
      • memory/4320-163-0x00000000065E0000-0x00000000065FE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4320-166-0x0000000007990000-0x000000000799A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4320-155-0x00000000065A0000-0x00000000065BE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4320-139-0x0000000002C70000-0x0000000002CA6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4320-161-0x0000000006B40000-0x0000000006B72000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4320-165-0x00000000078A0000-0x00000000078BA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4320-144-0x0000000005FD0000-0x0000000006036000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4320-164-0x0000000007F00000-0x000000000857A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/4688-157-0x0000000000000000-mapping.dmp
        Download
      • memory/5028-138-0x0000000000000000-mapping.dmp
        Download
      • memory/5088-159-0x0000000000E00000-0x0000000000E2F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/5088-160-0x00000000019C0000-0x0000000001D0A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5088-158-0x0000000000E50000-0x0000000000F2C000-memory.dmp
        Filesize

        880KB

        Download
      • memory/5088-172-0x0000000000E00000-0x0000000000E2F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/5088-173-0x00000000018B0000-0x0000000001943000-memory.dmp
        Filesize

        588KB

        Download
      • memory/5088-156-0x0000000000000000-mapping.dmp
        Download
      • memory/5112-145-0x0000000000000000-mapping.dmp
        Download
      • memory/5112-152-0x00000000016F0000-0x0000000001704000-memory.dmp
        Filesize

        80KB

        Download
      • memory/5112-151-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/5112-149-0x0000000001180000-0x0000000001194000-memory.dmp
        Filesize

        80KB

        Download
      • memory/5112-148-0x0000000001800000-0x0000000001B4A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5112-146-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/5112-154-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download