502751e0b4a8acff074def25e8bf46495cc258100652ae11194aea84b5278fcf

General

Target

formbook4.exe
Size

1.0MB
MD5

e434c99075bb1cc365706ac25bc1c53a
SHA1

4cbc665703ef6c5eb46608aa5b8fef42c6afe6f5
SHA256

f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365
SHA512

a6de56271d64f1ec3c4049faaeb99b7822f22b0acb6716a5ac52f7726d6278724d3110361cf13b63d441af01c3668dcde727a3ba322af17e00b33b0b0abb4610
SSDEEP

24576:bpxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNuss8gPkS3k:23cj+/ZEFdj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1112 schtasks.exe

pid	process
1112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

formbook4.exepowershell.exe

pid	process
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1196	formbook4.exe
1272	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

formbook4.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1196 formbook4.exe
Token: SeDebugPrivilege 1272 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1196	formbook4.exe
Token: SeDebugPrivilege	1272	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

formbook4.exe

description	pid	process	target process
PID 1196 wrote to memory of 1272	1196	formbook4.exe	powershell.exe
PID 1196 wrote to memory of 1272	1196	formbook4.exe	powershell.exe
PID 1196 wrote to memory of 1272	1196	formbook4.exe	powershell.exe
PID 1196 wrote to memory of 1272	1196	formbook4.exe	powershell.exe
PID 1196 wrote to memory of 1112	1196	formbook4.exe	schtasks.exe
PID 1196 wrote to memory of 1112	1196	formbook4.exe	schtasks.exe
PID 1196 wrote to memory of 1112	1196	formbook4.exe	schtasks.exe
PID 1196 wrote to memory of 1112	1196	formbook4.exe	schtasks.exe
PID 1196 wrote to memory of 1556	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1556	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1556	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1556	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1780	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1780	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1780	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1780	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1316	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1316	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1316	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1316	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1520	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1520	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1520	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 1520	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 316	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 316	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 316	1196	formbook4.exe	formbook4.exe
PID 1196 wrote to memory of 316	1196	formbook4.exe	formbook4.exe

C:\Users\Admin\AppData\Local\Temp\formbook4.exe
"C:\Users\Admin\AppData\Local\Temp\formbook4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vwzBruALhhNkob.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vwzBruALhhNkob" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1517.tmp"
2⤵
- Creates scheduled task(s)
PID:1112

C:\Users\Admin\AppData\Local\Temp\formbook4.exe
"C:\Users\Admin\AppData\Local\Temp\formbook4.exe"
2⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\formbook4.exe
"C:\Users\Admin\AppData\Local\Temp\formbook4.exe"
2⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\formbook4.exe
"C:\Users\Admin\AppData\Local\Temp\formbook4.exe"
2⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\formbook4.exe
"C:\Users\Admin\AppData\Local\Temp\formbook4.exe"
2⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\formbook4.exe
"C:\Users\Admin\AppData\Local\Temp\formbook4.exe"
2⤵
PID:316

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1517.tmp
Filesize
1KB

MD5
2f74f4f1575ecfd2ef6441070c88db90

SHA1
4b68723d8869f6c5f4f47cf230e456e5164704eb

SHA256
22bd941ee24da334fd0ee92695fd13da71f0aafc3a2439637794999087ed281e

SHA512
33d80ccfe9148989a0004933afcac5f207289b19ee738dc3111906416cdebd6d54759dde3236b8e2789651557dfdf367ef35f34d6779c2c06322818be1dc64e5

Download Submit
memory/1112-60-0x0000000000000000-mapping.dmp

Download
memory/1196-54-0x00000000003B0000-0x00000000004BC000-memory.dmp

Filesize
1.0MB

Download
memory/1196-55-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1196-56-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/1196-57-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1196-58-0x0000000002010000-0x000000000209E000-memory.dmp

Filesize
568KB

Download
memory/1196-63-0x00000000052B0000-0x00000000052E4000-memory.dmp

Filesize
208KB

Download
memory/1272-59-0x0000000000000000-mapping.dmp

Download
memory/1272-64-0x000000006EC30000-0x000000006F1DB000-memory.dmp

Filesize
5.7MB

Download
memory/1272-65-0x000000006EC30000-0x000000006F1DB000-memory.dmp

Filesize
5.7MB

Download
memory/1272-66-0x000000006EC30000-0x000000006F1DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads