Overview

overview

10

Static

static

Ordem de C...4h.exe

windows7-x64

10

Ordem de C...4h.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    207s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ordem de Compra pdf xxQ4h.exe

  • Size

    894KB

  • MD5

    973a94d5f2fb8e7d4da718d074dfd9eb

  • SHA1

    707f58e7972ed3493b0bd62480e4ed9538eba93f

  • SHA256

    608aed0c05c0bd3ff091e559c92093440f659cc8b6f98865ce907cd9d6885ba3

  • SHA512

    9b5dac4e93ff472550e557b9ea6e3bc4ccdcefd861886403a4c3729b9070de30d507ce3d4dc341d671416b1f4bd6e1a7a3624e5f9cd0f9935b3c375b89595250

  • SSDEEP

    24576:EHryn040Nznszfdf0DYkmybe7hxtcPuDdEPf:6mp0SZfsgyOT6vP

Score
10/10
formbookcy28ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cy28

Decoy

100049723423.review

lovehealthcare.online

immuniversity.info

ihproductions.net

originatorsu.mobi

shxwjn.top

fivemeters.com

planettiki.site

berantaspinjol.online

oregonusedtrucks.com

darkstarkoi.com

izmirhaberci.world

41014.top

georgiaspanishgoats.com

dealstopstartups.click

ravmodeling.center

unsundayjesus.world

initialslash.site

shubaola.top

caserevision.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 6 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1268
      • C:\Users\Admin\AppData\Local\Temp\Ordem de Compra pdf xxQ4h.exe
        "C:\Users\Admin\AppData\Local\Temp\Ordem de Compra pdf xxQ4h.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:888
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IAFLNzOdgRR.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1676
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IAFLNzOdgRR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp41E1.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:732
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1604
          • C:\Windows\SysWOW64\wscript.exe
            "C:\Windows\SysWOW64\wscript.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1988
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
                PID:880

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp41E1.tmp
        Filesize

        1KB

        MD5

        c0a44275ca41acddb603d0517c77f04c

        SHA1

        e31ef94ac7f7b0f3744d2a9b740fd91418311f14

        SHA256

        f9ee1503e8a89b277eccbf9acbf2fef83348c7e7e4b3740ef87c625ac9237743

        SHA512

        5d14814f8674a084d72a19bdbbe154562bf6cf087c27772b428c9979f5ea29728d18a630391884f244d034f79cd8f21b30540fe8450d3b6988fb5f5d0aacc69d

        Download Submit
      • memory/732-60-0x0000000000000000-mapping.dmp
        Download
      • memory/880-84-0x0000000000000000-mapping.dmp
        Download
      • memory/888-54-0x00000000008B0000-0x0000000000996000-memory.dmp
        Filesize

        920KB

        Download
      • memory/888-55-0x0000000075B61000-0x0000000075B63000-memory.dmp
        Filesize

        8KB

        Download
      • memory/888-56-0x00000000005A0000-0x00000000005B6000-memory.dmp
        Filesize

        88KB

        Download
      • memory/888-57-0x00000000005B0000-0x00000000005BE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/888-58-0x0000000005480000-0x0000000005526000-memory.dmp
        Filesize

        664KB

        Download
      • memory/888-63-0x0000000004FD0000-0x000000000503C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/1268-88-0x0000000004CA0000-0x0000000004D71000-memory.dmp
        Filesize

        836KB

        Download
      • memory/1268-77-0x0000000004960000-0x0000000004A43000-memory.dmp
        Filesize

        908KB

        Download
      • memory/1268-73-0x0000000003CE0000-0x0000000003DC4000-memory.dmp
        Filesize

        912KB

        Download
      • memory/1604-71-0x0000000000AA0000-0x0000000000DA3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1604-64-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1604-68-0x000000000041F140-mapping.dmp
        Download
      • memory/1604-72-0x0000000000190000-0x00000000001A4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1604-67-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1604-74-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1604-76-0x0000000000320000-0x0000000000334000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1604-65-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1604-80-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1676-78-0x000000006E760000-0x000000006ED0B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1676-70-0x000000006E760000-0x000000006ED0B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1676-59-0x0000000000000000-mapping.dmp
        Download
      • memory/1676-85-0x000000006E760000-0x000000006ED0B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1988-79-0x0000000000000000-mapping.dmp
        Download
      • memory/1988-83-0x0000000000070000-0x000000000009F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1988-82-0x0000000001FB0000-0x00000000022B3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1988-86-0x0000000000070000-0x000000000009F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1988-81-0x0000000000460000-0x0000000000486000-memory.dmp
        Filesize

        152KB

        Download
      • memory/1988-87-0x0000000001D80000-0x0000000001E13000-memory.dmp
        Filesize

        588KB

        Download