Overview

overview

10

Static

static

1

clientIC.exe

windows7-x64

8

clientIC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    262s
  • max time network
    282s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 09:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    clientIC.exe

  • Size

    233KB

  • MD5

    6748ab9c3f718189aa1942e6465c5de4

  • SHA1

    872407ac71d607b1d02b1e116ce7c1a788078888

  • SHA256

    d7cc0491b79a1024a4b9cdff777d016b9ccd6ecb7b335ccb54f61fea89e345cd

  • SHA512

    90710bb4a02c94c9274aa25ca67357c037475d1c7793fc9a72568e853c989a5e77587f7f7a66bcc46c89f53e3629a507d537721c234866710cabb362b79da74a

  • SSDEEP

    6144:5Bnuy0yPQ9aJbN6bWfO8hOXFI07pyDRAHUdTHyqiYBNBYd5PP2Tkc+:Ky0yPQ90bN6bkhI9W2rMNBYn2Ic+

Score
10/10
formbookwh23ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wh23

Decoy

ow9vyvfee.com

alvis.one

mutantgobz.claims

plynofon.com

southofkingst.store

nuvidamedspa.com

coffeeforyou56.com

opaletechevents.com

momobar.life

abcmousu.com

learnicd-11.com

tipokin.xyz

kahvezevki.com

suratdimond.com

oldartists.best

infoepic.info

mattresslabo.com

skarlmotors.com

cl9319x.xyz

med49app.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Users\Admin\AppData\Local\Temp\clientIC.exe
      "C:\Users\Admin\AppData\Local\Temp\clientIC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe
        "C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe" C:\Users\Admin\AppData\Local\Temp\zvqzaut.hws
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe
          "C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe" C:\Users\Admin\AppData\Local\Temp\zvqzaut.hws
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3304
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe"
        3⤵
          PID:4500

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ffxuxjbtdz.b
      Filesize

      185KB

      MD5

      ce0501d049b36b96e29f0187e0913405

      SHA1

      6703ba8426b90fe9f16f1282e7097d0dbdd55d35

      SHA256

      17b672ceb5d15ca6f3b6a740ab9ec92aefb998dac041523a3c53b7ff3d152a75

      SHA512

      77ee1d15271935e02b4f6715c8d31472765a997381cae9456edfff409b56626fd2fb923dc2e5b592f4359c3bf6753f11a8d0e4ce8491353a3c5d516d834b2120

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe
      Filesize

      58KB

      MD5

      b670630c7aa6f7e6951b5c76c744d4d9

      SHA1

      de350e75c9bafcd96a7d1d7d903f5a93bd1feac9

      SHA256

      29401b58e8e60b9263f1cf414ceb9d86ba008228398d102c98d9adbd914afa54

      SHA512

      ec639fe440a1b005df43e0ded88ced0db1d8bc88a10a7c1d150658911a32233246969ad1b6819618d02a00883ac5c13405978d67674f6a662e540cd3a87d4d7a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe
      Filesize

      58KB

      MD5

      b670630c7aa6f7e6951b5c76c744d4d9

      SHA1

      de350e75c9bafcd96a7d1d7d903f5a93bd1feac9

      SHA256

      29401b58e8e60b9263f1cf414ceb9d86ba008228398d102c98d9adbd914afa54

      SHA512

      ec639fe440a1b005df43e0ded88ced0db1d8bc88a10a7c1d150658911a32233246969ad1b6819618d02a00883ac5c13405978d67674f6a662e540cd3a87d4d7a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe
      Filesize

      58KB

      MD5

      b670630c7aa6f7e6951b5c76c744d4d9

      SHA1

      de350e75c9bafcd96a7d1d7d903f5a93bd1feac9

      SHA256

      29401b58e8e60b9263f1cf414ceb9d86ba008228398d102c98d9adbd914afa54

      SHA512

      ec639fe440a1b005df43e0ded88ced0db1d8bc88a10a7c1d150658911a32233246969ad1b6819618d02a00883ac5c13405978d67674f6a662e540cd3a87d4d7a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\zvqzaut.hws
      Filesize

      5KB

      MD5

      0e0ffbdced812efa2a46bf7031cde71f

      SHA1

      3d89adc82fc0176d929a74090a67bff18c81a2c6

      SHA256

      f073014d979689fa38acc7446e2197a970645c52252e1a49a35ad4810be97c80

      SHA512

      2b87dd9fe218bcd2c7f4d91e3e0d82beda125327582666dc4cf7c0d8dbb83502297ed913a876731542adb2e73b49bdd2e209baf6bbbd8f249e068b20910be76e

      Download Submit
    • memory/1300-153-0x0000000003550000-0x0000000003560000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-160-0x0000000001310000-0x0000000001320000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-164-0x0000000001310000-0x0000000001320000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-163-0x0000000001300000-0x0000000001310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-162-0x0000000001310000-0x0000000001320000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-142-0x00000000091A0000-0x00000000092E4000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1300-159-0x0000000007CB0000-0x0000000007D72000-memory.dmp
      Filesize

      776KB

      Download
    • memory/1300-158-0x0000000007CB0000-0x0000000007D72000-memory.dmp
      Filesize

      776KB

      Download
    • memory/1300-156-0x0000000003550000-0x0000000003560000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-155-0x0000000003550000-0x0000000003560000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-154-0x0000000003550000-0x0000000003560000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-161-0x0000000003650000-0x0000000003660000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-149-0x0000000001310000-0x0000000001320000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-150-0x0000000001310000-0x0000000001320000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-151-0x0000000003550000-0x0000000003560000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-152-0x0000000003550000-0x0000000003560000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-165-0x0000000003650000-0x0000000003660000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2996-147-0x0000000000940000-0x000000000096F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2996-146-0x0000000002B60000-0x0000000002EAA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2996-145-0x0000000000940000-0x000000000096F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2996-157-0x00000000029E0000-0x0000000002A73000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2996-144-0x0000000000400000-0x0000000000833000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/2996-143-0x0000000000000000-mapping.dmp
      Download
    • memory/3304-140-0x0000000000B10000-0x0000000000E5A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3304-141-0x00000000005C0000-0x00000000005D4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3304-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3304-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4500-148-0x0000000000000000-mapping.dmp
      Download
    • memory/4636-132-0x0000000000000000-mapping.dmp
      Download