Overview

overview

10

Static

static

3580ae39b6...871.js

windows7-x64

10

3580ae39b6...871.js

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871.js

  • Size

    341KB

  • MD5

    59b4d0fb62bea58db86b5f9b82382f21

  • SHA1

    57bae158e509b8e23c3347efeaf00553920b8bf6

  • SHA256

    3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871

  • SHA512

    d09975b8ecf9de689bf7e9cebfa9430940b6f465e00a15b4baeb839c598c61cac380263db96f027ef4328b705a773c3a4543961ba1806cc31c86a2fd82f29e6e

  • SSDEEP

    6144:D9w3fOYrR6SInG2u3Wp4cwRDyTlMiAaJ/jpPiWUiSFtroVSSM1tZQfm:YWaR6SInGj3WN6DyhMiASjpPhSFtroVI

Score
10/10
formbookvjw0rma24eratspywarestealertrojanworm

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a24e

Decoy

flormarine.co.uk

theglazingsquad.uk

konarkpharma.com

maxpropertyfinanceuk.co.uk

jackson-ifc.com

yvonneazevedoimoveis.net

baystella.com

arexbaba.online

trihgd.xyz

filth520571.com

cikpkg.cfd

jakesupport.com

8863365.com

duniaslot777.online

lop3a.com

berkut-clan.ru

lernnavigator.com

elenaisaprincess.co.uk

daimadaquan.xyz

mychirocart.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Formbook payload 4 IoCs
    rat
  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SfehVeXIsQ.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:936
      • C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe
        "C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe"
        3⤵
          PID:1348

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe
      Filesize

      185KB

      MD5

      a20ea9350fa5aa4d9641723f3dfc1b31

      SHA1

      c23cf2953ea071eac81740a687473442c66e73de

      SHA256

      01afe1517575e1fd7f60e86702fc11a97cfc74718e520c6016eef42fa164b4ae

      SHA512

      296b4ace0af1f33abb8c3c0262999b07c8ad6e9a4c075959b43335992f1058865581b2c7d362dc824ed787f61dc9c62338778cd28e12add2ac34b086ca62e035

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe
      Filesize

      185KB

      MD5

      a20ea9350fa5aa4d9641723f3dfc1b31

      SHA1

      c23cf2953ea071eac81740a687473442c66e73de

      SHA256

      01afe1517575e1fd7f60e86702fc11a97cfc74718e520c6016eef42fa164b4ae

      SHA512

      296b4ace0af1f33abb8c3c0262999b07c8ad6e9a4c075959b43335992f1058865581b2c7d362dc824ed787f61dc9c62338778cd28e12add2ac34b086ca62e035

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SfehVeXIsQ.js
      Filesize

      5KB

      MD5

      ef7a0bcfc54e28b9a81af747b834c898

      SHA1

      47f605a45958a0beab476be0ef3b97434f7b999e

      SHA256

      24fc05651edf06401a27a583f1dbe295881a16f9f98a04321319f3873a8569a4

      SHA512

      c975ac3784e346a0ed4f754177f25d256b41bd0bf707f37f0e04e3d15022db5e6d9bfbe50719b8ac483f9b7406a0a3a2782a28f279a046f61faffb863ec5da31

      Download Submit
    • memory/936-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1192-61-0x0000000004B40000-0x0000000004C30000-memory.dmp
      Filesize

      960KB

      Download
    • memory/1192-73-0x0000000004C30000-0x0000000004D45000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1192-71-0x0000000004C30000-0x0000000004D45000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1324-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1324-59-0x0000000000BB0000-0x0000000000EB3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1324-60-0x0000000000140000-0x0000000000154000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1348-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1784-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1784-67-0x0000000000400000-0x000000000041C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/1784-68-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1784-69-0x0000000001FD0000-0x00000000022D3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1784-70-0x0000000001D00000-0x0000000001D93000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1784-64-0x0000000076141000-0x0000000076143000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1784-72-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1992-54-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp
      Filesize

      8KB

      Download