Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29-11-2022 14:09

General

  • Target

    shedfam.exe

  • Size

    880KB

  • MD5

    c0a85d86855b257b25572aa7d9d90381

  • SHA1

    ea5ce824d225c0df297586a2c6621aea5ab8584b

  • SHA256

    c9cf9f0fa6980019aa3a93b9b25ca2cf14cfad4b4afef12d43a20ece34d2093b

  • SHA512

    373c768311b5385bb45c0558a1bc112c5c8b4d9cceeb5fa41577a5a4f3a936aff6745bf0d6ac3fdc84a17d3eb518cce5d1e4744cdfe64cd35e4478a8693fd11a

  • SSDEEP

    12288:Avy7P+vzXkpdeYfU+Ey0LOPmEBrNU4jMmrKJVNwysiebm4M4qXftsFf:yAmvgeYc+EAPmEVNSmObWy7eCn4OtsFf

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk19

Decoy

21diasdegratitud.com

kx1993.com

chasergt.com

837news.com

naturagent.co.uk

gatorinsurtech.com

iyaboolashilesblog.africa

jamtanganmurah.online

gguminsa.com

lilliesdrop.com

lenvera.com

link48.co.uk

azinos777.fun

lgcdct.cfd

bg-gobtc.com

livecarrer.uk

cbq4u.com

imalreadygone.com

wabeng.africa

jxmheiyouyuetot.tokyo

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\shedfam.exe
      "C:\Users\Admin\AppData\Local\Temp\shedfam.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Users\Admin\AppData\Local\Temp\kmhbvf.exe
        "C:\Users\Admin\AppData\Local\Temp\kmhbvf.exe" "C:\Users\Admin\AppData\Local\Temp\wenvaisrl.au3"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3100
        • C:\Users\Admin\AppData\Local\Temp\kmhbvf.exe
          "C:\Users\Admin\AppData\Local\Temp\kmhbvf.exe" "C:\Users\Admin\AppData\Local\Temp\wenvaisrl.au3"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4092
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\kmhbvf.exe"
        3⤵
        PID:4776

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\hocjhpxqy.mm

      Filesize

      65KB

      MD5

      431eb080c0121588df787ade07921631

      SHA1

      51225d617eb675000cd546296200a3394be6e3e5

      SHA256

      e2d19473bb19ad0753170cbeb884714ec463e9f7836876f0174509fed54dfb6b

      SHA512

      c7cf3f965fe741d6d98e06bae9ee12ceadf6ff93574e03dbc2b9eb9336b4a9c23285b3dc3bbcbcd9d8b21c6e91bb92fb65b2995205ab8aaa5794fda3fc614136

    • C:\Users\Admin\AppData\Local\Temp\kmhbvf.exe

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Local\Temp\piqsiyngg.yfg

      Filesize

      185KB

      MD5

      dc7cd66f3a1b920fe91a5550f1b95608

      SHA1

      c72eb7822da4656a6f0a391847fe8a76564572e3

      SHA256

      db73c93c0d9fc5b23b95d9cb5d8bd402914999ba59b3d6c90b4dac8e7dc302e6

      SHA512

      3c030a853c7c345a3c93e53d015c51a91986ae4db4ab13e4730c9ffb2eaafbf62c65a5d11fba21b810a6cdaab3caebfe48ce36d960af54294cb55d7f108101fe

    • C:\Users\Admin\AppData\Local\Temp\wenvaisrl.au3

      Filesize

      6KB

      MD5

      f94d60d73eeed59db9c9ea910387df5e

      SHA1

      a7a5d3ad43b240813ca47dd550d0632e0cc1b846

      SHA256

      35d0a39deb3a4ca1dd624d441359a320a89f044476ba5665eed31c4e51019c2c

      SHA512

      e6ce3db8563f4ed6989562fa0fbb561daeb9e022b72d6eb746ae1181b2018633c7f22a0f2ae591d14d794340aa54a4699480219266e9b81e04a1a1d67f8fa983

    • memory/3048-150-0x0000000007D30000-0x0000000007E72000-memory.dmp

      Filesize

      1.3MB

    • memory/3048-141-0x00000000075E0000-0x000000000771B000-memory.dmp

      Filesize

      1.2MB

    • memory/3048-151-0x0000000007D30000-0x0000000007E72000-memory.dmp

      Filesize

      1.3MB

    • memory/3100-132-0x0000000000000000-mapping.dmp

    • memory/4092-137-0x0000000000000000-mapping.dmp

    • memory/4092-139-0x0000000001210000-0x000000000155A000-memory.dmp

      Filesize

      3.3MB

    • memory/4092-140-0x0000000000D10000-0x0000000000D24000-memory.dmp

      Filesize

      80KB

    • memory/4776-145-0x0000000000000000-mapping.dmp

    • memory/5076-142-0x0000000000000000-mapping.dmp

    • memory/5076-147-0x0000000000DD0000-0x0000000000DFF000-memory.dmp

      Filesize

      188KB

    • memory/5076-148-0x0000000001CC0000-0x0000000001D53000-memory.dmp

      Filesize

      588KB

    • memory/5076-149-0x0000000000DD0000-0x0000000000DFF000-memory.dmp

      Filesize

      188KB

    • memory/5076-146-0x0000000001970000-0x0000000001CBA000-memory.dmp

      Filesize

      3.3MB

    • memory/5076-144-0x0000000000C40000-0x0000000000C5E000-memory.dmp

      Filesize

      120KB