Overview

overview

10

Static

static

REVISED OR...ER.exe

windows7-x64

10

REVISED OR...ER.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    REVISED ORDER FOR DECEMBER.exe

  • Size

    573KB

  • MD5

    0e27fab3f710b0b524091aba6ed455c7

  • SHA1

    2b6aca7bc31a565f0cb1e00d9daab463b570f269

  • SHA256

    40f511e420e73d2cb620d782e9ed31dbd1dabe4103b31e025a4158d39a209a5e

  • SHA512

    d795b666ec53c9ed058c8fa77dac06e6e77f9d4871dfea8d59ebe49653b9b0620d292677482a88e81b276893948780db6ecc7b7e67ebb1c2a1995fc16876ba2a

  • SSDEEP

    6144:/+qpqSmgUZtFUaJqMJ3iwyoqAnrHxC4AbUkO0dDW8P4SATkU6Uk5dWXwzlf7Tvm:GqgSmdzUZAUndDWE4pkFv5DzA

Score
10/10
formbookf9r5ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

f9r5

Decoy

teknotimur.com

zuliboo.com

remmingtoncampbell.com

vehicletitleloansphoenix.com

sen-computer.com

98731.biz

shelikesblu.com

canis-totem.com

metaversemedianetwork.com

adsdu.com

vanishmediasystems.com

astewaykebede.com

wszhongxue.com

gacha-animator-free.com

papatyadekorasyon.com

mqc168.top

simplebrilliantsolutions.com

jubileehawkesprairie.com

ridflab.com

conboysfilm.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 6 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\REVISED ORDER FOR DECEMBER.exe
      "C:\Users\Admin\AppData\Local\Temp\REVISED ORDER FOR DECEMBER.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GlzwuZ.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1468
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlzwuZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp13EF.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1392
      • C:\Users\Admin\AppData\Local\Temp\REVISED ORDER FOR DECEMBER.exe
        "C:\Users\Admin\AppData\Local\Temp\REVISED ORDER FOR DECEMBER.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1760
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\REVISED ORDER FOR DECEMBER.exe"
        3⤵
        • Deletes itself
        PID:608

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp13EF.tmp
    Filesize

    1KB

    MD5

    ec346b9fe7a9c584d99a96d48aa7fa84

    SHA1

    f922cc573a7b98b18fb036be2d4e6c9d2fcf5bd5

    SHA256

    d4d5b1282856317d8882a332be978e656878c72d65de92267765b23aa5610180

    SHA512

    0fcbf911f159cbd03491adb929e8d281fc2fe223892231d9b1a696a05e5ce6409bf2dca68e4f6f2075a0a8fad607c81cf2ba3755482a675883603d088a1b26ad

    Download Submit
  • memory/608-82-0x0000000000000000-mapping.dmp
    Download
  • memory/1220-63-0x0000000004890000-0x00000000048C4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/1220-57-0x0000000000330000-0x000000000033E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1220-58-0x0000000007E10000-0x0000000007E80000-memory.dmp
    Filesize

    448KB

    Download
  • memory/1220-54-0x00000000010D0000-0x0000000001166000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1220-55-0x0000000074D81000-0x0000000074D83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1220-56-0x0000000000210000-0x0000000000226000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1284-89-0x00000000072C0000-0x00000000073DE000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1284-73-0x0000000006A30000-0x0000000006B6D000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1284-87-0x00000000072C0000-0x00000000073DE000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1284-77-0x0000000006C10000-0x0000000006D5E000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1392-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1468-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1468-78-0x0000000073F40000-0x00000000744EB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1468-74-0x0000000073F40000-0x00000000744EB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1708-79-0x0000000000000000-mapping.dmp
    Download
  • memory/1708-83-0x0000000000C10000-0x0000000000D14000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1708-88-0x0000000000080000-0x00000000000AF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1708-86-0x0000000000A50000-0x0000000000AE3000-memory.dmp
    Filesize

    588KB

    Download
  • memory/1708-85-0x0000000002120000-0x0000000002423000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1708-84-0x0000000000080000-0x00000000000AF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1760-70-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1760-67-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1760-80-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1760-68-0x000000000041F150-mapping.dmp
    Download
  • memory/1760-72-0x0000000000350000-0x0000000000364000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1760-71-0x0000000000890000-0x0000000000B93000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1760-65-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1760-76-0x0000000000390000-0x00000000003A4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1760-64-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download