Overview

overview

10

Static

static

1

RFQ 8525-22.exe

windows7-x64

8

RFQ 8525-22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    171s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ 8525-22.exe

  • Size

    388KB

  • MD5

    11160a2dacd444402d8ba3d97be284ec

  • SHA1

    8e4c00a7e42b4c35c57cd970d21981c7697df195

  • SHA256

    fdc647398dc8d60cba61b2f6c4120c1829a78d845c3bf545ce7857380735c390

  • SHA512

    1a8a2d321099b20254cb2b10965fc27038117a9444569188c5ee5a8aac87311ef08952113de554135c5c85b7068fd3ed6ad87e536977b17d17742f67eb7c952e

  • SSDEEP

    6144:hBn7A5jMUCoQR7h3Xfbxp0Cw1g1+B4iX8OUYilXUqD:vrR7hn70Lg1+v8ONilXUqD

Score
10/10
formbookm9aepersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Users\Admin\AppData\Local\Temp\RFQ 8525-22.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ 8525-22.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe
        "C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe" C:\Users\Admin\AppData\Local\Temp\ovnhsfisr.c
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe
          "C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe" C:\Users\Admin\AppData\Local\Temp\ovnhsfisr.c
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4008
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:3136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ovnhsfisr.c
    Filesize

    7KB

    MD5

    47b4b620db59baa3aeebf13bd207887a

    SHA1

    5d8e4172fafb73ff2866d2c4b5f7923ddbcc13f0

    SHA256

    12e30c3f96700b492ed8fb83d58aed0c7495e31bba3b89bd31548c7b42234ac2

    SHA512

    40a81546bd7b5ad4493278420b25372513f3af0e2e6064639a38c4efaaccaba9b4e71ee434ec5a743dd8418fa9bfc4ea0ab332ca84341780d2979379064a665d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\svbcxznxc.wg
    Filesize

    185KB

    MD5

    38931dd8ec15787023ca0bec5855b2c8

    SHA1

    51fb41644d6c3952bca31bd900e6483afeb6f695

    SHA256

    00051b16f93009fdcc607627b53ec3fc7c7f7c8a37be000b5b8452d7a6ba9f98

    SHA512

    f1d7b02e02bb241191cb7147e0686cabe4b9290b304e5dff02eb3ed2a1fe8671aa9d28c09e8a2c19c34a6cd26df1e360a26135236a51c361cf012d85468c30be

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe
    Filesize

    122KB

    MD5

    3a9b0a1a143b4bbb337edc0aacbd7ffc

    SHA1

    0e1c4bf9d3aca2796ddfda3e633323228a5d9cff

    SHA256

    3ab4cfdc61905541f75d91d375dac78bc9057eee579db753dece76961809737d

    SHA512

    a21cb44596f03f91ac481e643b582a916e8951f1215d195d47d6425d8ddb2f0de94c0d0ad109a809aa32bbe59bb0a2ec01cde8eb2c2f28d0e530ef0f547a87ed

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe
    Filesize

    122KB

    MD5

    3a9b0a1a143b4bbb337edc0aacbd7ffc

    SHA1

    0e1c4bf9d3aca2796ddfda3e633323228a5d9cff

    SHA256

    3ab4cfdc61905541f75d91d375dac78bc9057eee579db753dece76961809737d

    SHA512

    a21cb44596f03f91ac481e643b582a916e8951f1215d195d47d6425d8ddb2f0de94c0d0ad109a809aa32bbe59bb0a2ec01cde8eb2c2f28d0e530ef0f547a87ed

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe
    Filesize

    122KB

    MD5

    3a9b0a1a143b4bbb337edc0aacbd7ffc

    SHA1

    0e1c4bf9d3aca2796ddfda3e633323228a5d9cff

    SHA256

    3ab4cfdc61905541f75d91d375dac78bc9057eee579db753dece76961809737d

    SHA512

    a21cb44596f03f91ac481e643b582a916e8951f1215d195d47d6425d8ddb2f0de94c0d0ad109a809aa32bbe59bb0a2ec01cde8eb2c2f28d0e530ef0f547a87ed

    Download Submit
  • memory/2508-144-0x0000000007AC0000-0x0000000007BDA000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2508-153-0x0000000006F00000-0x0000000006FC0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2508-151-0x0000000006F00000-0x0000000006FC0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2508-147-0x0000000007AC0000-0x0000000007BDA000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/3052-132-0x0000000000000000-mapping.dmp
    Download
  • memory/3136-152-0x00000000010A0000-0x00000000010CD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3136-150-0x00000000015E0000-0x000000000166F000-memory.dmp
    Filesize

    572KB

    Download
  • memory/3136-149-0x0000000001750000-0x0000000001A9A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/3136-148-0x00000000010A0000-0x00000000010CD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3136-145-0x0000000000000000-mapping.dmp
    Download
  • memory/3136-146-0x0000000000050000-0x0000000000067000-memory.dmp
    Filesize

    92KB

    Download
  • memory/4008-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4008-143-0x00000000004B0000-0x00000000004C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4008-142-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4008-141-0x0000000000A00000-0x0000000000D4A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4008-140-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4008-139-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download