Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-11-2022 16:34

General

  • Target

    fcc21d800f2cd942cbb2777c40a8ebf831e7fce2e6c8c77d5fa8fd4e3709bd01.js

  • Size

    346KB

  • MD5

    21199ca311ff9236a22bc04871f49361

  • SHA1

    14bf80cebe0fe6945ab146eb481a40d62df5f1d1

  • SHA256

    fcc21d800f2cd942cbb2777c40a8ebf831e7fce2e6c8c77d5fa8fd4e3709bd01

  • SHA512

    2696c74bae8749f26af0483807395356a0224c2124ac956cbb48e8026a705cc3bc1cc8056991385284636e4982dbaefb5a4887901459e41ff02bd0975f5927a0

  • SSDEEP

    6144:So6tITpn1wYXxLJCZQk5s1TAriIgnywLzTp1vQo:76tSJ1tXGaka1TArinBHtZ/

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c0e5

Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Formbook payload 4 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\fcc21d800f2cd942cbb2777c40a8ebf831e7fce2e6c8c77d5fa8fd4e3709bd01.js
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VeuzKgGKjI.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:2212
      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        3⤵
        PID:900
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p
      1⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:4580

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bin.exe
      Filesize

      185KB

      MD5

      d3ac8e00dd791752d47327d53cdb2515

      SHA1

      5f820ebe7772a56d71096356443b858ae0b52276

      SHA256

      e3bdaf1daee2ad35479c213122391cb3d27f193896aef414ce6edb516c0133aa

      SHA512

      4f181b863e792212507b48374b232ccffa0528a915f3f41529205a3da5c6ce2c8063ad50b57f5ec2bb0e1126eb4d2ab9eb34036d014d633c0eecf3771fff3579

    • C:\Users\Admin\AppData\Roaming\VeuzKgGKjI.js
      Filesize

      5KB

      MD5

      3c661d811eda2031bebf350dc0f16603

      SHA1

      75ef6bda3f82dd858b1a4b768f24189aa10b94f1

      SHA256

      c15eb52fe816bba6b41b2bec0c7f7e08d6e2dfefff39201bc36f6b4e6fd711b8

      SHA512

      b66e03028f723307382092fe3d9683c8599a0227f50d46839ec70f6479c38af05514136c22e5cc03d72e2923384b08aebd699c9f0dfe92b738e667f306e4eb4f

    • memory/900-141-0x0000000000000000-mapping.dmp
    • memory/2212-132-0x0000000000000000-mapping.dmp
    • memory/2876-134-0x0000000000000000-mapping.dmp
    • memory/2876-137-0x0000000000DB0000-0x00000000010FA000-memory.dmp
      Filesize

      3.3MB

    • memory/2876-138-0x0000000000D70000-0x0000000000D85000-memory.dmp
      Filesize

      84KB

    • memory/3004-147-0x0000000008B40000-0x0000000008CA3000-memory.dmp
      Filesize

      1.4MB

    • memory/3004-139-0x00000000036A0000-0x000000000376E000-memory.dmp
      Filesize

      824KB

    • memory/3004-148-0x0000000008B40000-0x0000000008CA3000-memory.dmp
      Filesize

      1.4MB

    • memory/4048-140-0x0000000000000000-mapping.dmp
    • memory/4048-144-0x0000000000E00000-0x0000000000E2F000-memory.dmp
      Filesize

      188KB

    • memory/4048-145-0x00000000013C0000-0x0000000001454000-memory.dmp
      Filesize

      592KB

    • memory/4048-143-0x0000000000BE0000-0x0000000000BF7000-memory.dmp
      Filesize

      92KB

    • memory/4048-146-0x0000000000E00000-0x0000000000E2F000-memory.dmp
      Filesize

      188KB

    • memory/4048-142-0x0000000001720000-0x0000000001A6A000-memory.dmp
      Filesize

      3.3MB