Overview

overview

10

Static

static

Confirmati...92.exe

windows7-x64

10

Confirmati...92.exe

windows10-2004-x64

10

Resubmissions

01-12-2022 14:27

221201-rseq6abe4t 10

01-12-2022 14:22

221201-rpvcfafh52 10

Analysis

  • max time kernel
    1801s
  • max time network
    1805s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 14:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confirmation transfer Ref No_0033463247892.exe

  • Size

    890KB

  • MD5

    03c738a9106a7ba9bad7f4995d52f028

  • SHA1

    204762dbb01579ea39295660d86085591578e0a1

  • SHA256

    aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5

  • SHA512

    d87e427aa177cd28b989e00a4bb382679054009a55021834319ee78bcc181b91d72b639c78fceb7e89584aef552af2fbb7cd90ec76719fb8cc81b18acf4e8c8d

  • SSDEEP

    24576:jmRx3Gdhk0yClxNwArBMQm8i9eXiDdEPf:jmr32hkGFxBlmFezP

Score
10/10
formbookq4k5persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

q4k5

Decoy

ZXN4RZ1db9JIzC7mhQ==

5+KpXZWys/DewpGQbChh6uPT5SNzFQ==

A8YuEKESXrzBhw==

uYH/9+Amwe1ZMkaR

KAusoWlA4I1Rt0P0jA==

AgIBy9IHiq8cdo4h47hB

PsX/0DrQRr+0hQ==

3z4v9UwXBjNTf48h47hB

bySPUkT+SFuT

VsQK5NkDks06l5z+TUG3eetd/twx2Mcjlg==

3+DcnQWuXG84sOphj5LEHIv/hA==

TOZXSDkjSHDoLk/pl2HYpOXJ

q7GGZ9KJrss/oTNwyxI=

2+O/k7y22Qo=

Joatk/qnSoO3q48h47hB

KT1UQcQ9yxWFQzCI

onRBEIHmYIl9XzhAIMtPLFAh5SNzFQ==

a8IY/+/oCDOj2TuM4Ohc

UlIOzyniF1sRnTNwyxI=

8UJiR6gijbvt+exXo7oCvdNV4BE=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Blocklisted process makes network request 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe
      "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eSdygJSxTrIOo.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:536
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eSdygJSxTrIOo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC8ED.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1192
      • C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe
        "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe"
        3⤵
          PID:3128
        • C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe
          "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:632
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\SysWOW64\rundll32.exe"
        2⤵
        • Adds policy Run key to start application
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1552
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1452
        • C:\Program Files (x86)\B0hlpj\Cookiesnnsdur5.exe
          "C:\Program Files (x86)\B0hlpj\Cookiesnnsdur5.exe"
          2⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4544
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eSdygJSxTrIOo.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eSdygJSxTrIOo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp930E.tmp"
            3⤵
            • Creates scheduled task(s)
            PID:4840
          • C:\Program Files (x86)\B0hlpj\Cookiesnnsdur5.exe
            "C:\Program Files (x86)\B0hlpj\Cookiesnnsdur5.exe"
            3⤵
            • Executes dropped EXE
            PID:3392
          • C:\Program Files (x86)\B0hlpj\Cookiesnnsdur5.exe
            "C:\Program Files (x86)\B0hlpj\Cookiesnnsdur5.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3708

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\B0hlpj\Cookiesnnsdur5.exe
        Filesize

        890KB

        MD5

        03c738a9106a7ba9bad7f4995d52f028

        SHA1

        204762dbb01579ea39295660d86085591578e0a1

        SHA256

        aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5

        SHA512

        d87e427aa177cd28b989e00a4bb382679054009a55021834319ee78bcc181b91d72b639c78fceb7e89584aef552af2fbb7cd90ec76719fb8cc81b18acf4e8c8d

        Download Submit
      • C:\Program Files (x86)\B0hlpj\Cookiesnnsdur5.exe
        Filesize

        890KB

        MD5

        03c738a9106a7ba9bad7f4995d52f028

        SHA1

        204762dbb01579ea39295660d86085591578e0a1

        SHA256

        aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5

        SHA512

        d87e427aa177cd28b989e00a4bb382679054009a55021834319ee78bcc181b91d72b639c78fceb7e89584aef552af2fbb7cd90ec76719fb8cc81b18acf4e8c8d

        Download Submit
      • C:\Program Files (x86)\B0hlpj\Cookiesnnsdur5.exe
        Filesize

        890KB

        MD5

        03c738a9106a7ba9bad7f4995d52f028

        SHA1

        204762dbb01579ea39295660d86085591578e0a1

        SHA256

        aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5

        SHA512

        d87e427aa177cd28b989e00a4bb382679054009a55021834319ee78bcc181b91d72b639c78fceb7e89584aef552af2fbb7cd90ec76719fb8cc81b18acf4e8c8d

        Download Submit
      • C:\Program Files (x86)\B0hlpj\Cookiesnnsdur5.exe
        Filesize

        890KB

        MD5

        03c738a9106a7ba9bad7f4995d52f028

        SHA1

        204762dbb01579ea39295660d86085591578e0a1

        SHA256

        aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5

        SHA512

        d87e427aa177cd28b989e00a4bb382679054009a55021834319ee78bcc181b91d72b639c78fceb7e89584aef552af2fbb7cd90ec76719fb8cc81b18acf4e8c8d

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        ab7173fcf4d2032c51435daa76f21300

        SHA1

        38859fc6309c48e908792b32a16052ed4e220ff9

        SHA256

        8ef09b5b709b3164c0d820bb20fbdcc0884d9aa4fb8a0514a8e0c09ca9e740f0

        SHA512

        607ba19fdade1249da4995773fd08e968083faec42122c95e2a753636d54dedd539601d7361779fa996eeaa6f0fdfc2b1b4086d9cbbbf22b455ca2a474f5d039

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp930E.tmp
        Filesize

        1KB

        MD5

        23d5d396b04fdb946c3819e123ee6d17

        SHA1

        167ca44bb92aaa1d73fe5eb300a76de7191c902f

        SHA256

        c7656888e06ef8018a7a0f8d4922744e2b8ae9c61aba7a700a5f4bf17bcb5a0a

        SHA512

        0c775f4a6e37ab25c3beceb6e436b53bce3b2a4650732bd6634bb0f7bf119617035f17751a14260eedc88673302d11f43dbff14c5600feab9ee2dcdff6ac0bc4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpC8ED.tmp
        Filesize

        1KB

        MD5

        23d5d396b04fdb946c3819e123ee6d17

        SHA1

        167ca44bb92aaa1d73fe5eb300a76de7191c902f

        SHA256

        c7656888e06ef8018a7a0f8d4922744e2b8ae9c61aba7a700a5f4bf17bcb5a0a

        SHA512

        0c775f4a6e37ab25c3beceb6e436b53bce3b2a4650732bd6634bb0f7bf119617035f17751a14260eedc88673302d11f43dbff14c5600feab9ee2dcdff6ac0bc4

        Download Submit
      • memory/536-145-0x00000000056A0000-0x0000000005CC8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/536-149-0x0000000005620000-0x0000000005686000-memory.dmp
        Filesize

        408KB

        Download
      • memory/536-137-0x0000000000000000-mapping.dmp
        Download
      • memory/536-174-0x0000000007B70000-0x0000000007B78000-memory.dmp
        Filesize

        32KB

        Download
      • memory/536-160-0x0000000006B10000-0x0000000006B42000-memory.dmp
        Filesize

        200KB

        Download
      • memory/536-173-0x0000000007B80000-0x0000000007B9A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/536-172-0x0000000007A90000-0x0000000007A9E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/536-148-0x0000000005580000-0x00000000055A2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/536-150-0x0000000005F00000-0x0000000005F66000-memory.dmp
        Filesize

        408KB

        Download
      • memory/536-139-0x0000000002C30000-0x0000000002C66000-memory.dmp
        Filesize

        216KB

        Download
      • memory/536-169-0x0000000007AA0000-0x0000000007B36000-memory.dmp
        Filesize

        600KB

        Download
      • memory/536-168-0x00000000078B0000-0x00000000078BA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/536-166-0x0000000007840000-0x000000000785A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/536-164-0x0000000007E90000-0x000000000850A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/536-156-0x00000000052A0000-0x00000000052BE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/536-162-0x0000000006AF0000-0x0000000006B0E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/536-161-0x0000000071080000-0x00000000710CC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/632-146-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/632-147-0x0000000000401000-0x000000000042F000-memory.dmp
        Filesize

        184KB

        Download
      • memory/632-158-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/632-142-0x0000000000000000-mapping.dmp
        Download
      • memory/632-154-0x0000000000F20000-0x0000000000F30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/632-159-0x0000000000401000-0x000000000042F000-memory.dmp
        Filesize

        184KB

        Download
      • memory/632-153-0x0000000000422000-0x0000000000424000-memory.dmp
        Filesize

        8KB

        Download
      • memory/632-152-0x00000000013A0000-0x00000000016EA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/632-143-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1192-138-0x0000000000000000-mapping.dmp
        Download
      • memory/1528-192-0x0000000071400000-0x000000007144C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/1528-180-0x0000000000000000-mapping.dmp
        Download
      • memory/1552-165-0x0000000000B30000-0x0000000000B5D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1552-163-0x0000000000AE0000-0x0000000000AF4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1552-157-0x0000000000000000-mapping.dmp
        Download
      • memory/1552-175-0x0000000000B30000-0x0000000000B5D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1552-167-0x0000000002C30000-0x0000000002F7A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/1552-170-0x0000000002B50000-0x0000000002BDF000-memory.dmp
        Filesize

        572KB

        Download
      • memory/1800-132-0x0000000000870000-0x0000000000954000-memory.dmp
        Filesize

        912KB

        Download
      • memory/1800-133-0x0000000005930000-0x0000000005ED4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1800-134-0x00000000052D0000-0x0000000005362000-memory.dmp
        Filesize

        584KB

        Download
      • memory/1800-135-0x0000000005410000-0x000000000541A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1800-136-0x0000000007EF0000-0x0000000007F8C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2376-155-0x00000000033C0000-0x00000000034FA000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2376-176-0x00000000084E0000-0x00000000085E4000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2376-171-0x00000000084E0000-0x00000000085E4000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/3128-141-0x0000000000000000-mapping.dmp
        Download
      • memory/3392-184-0x0000000000000000-mapping.dmp
        Download
      • memory/3708-186-0x0000000000000000-mapping.dmp
        Download
      • memory/3708-191-0x0000000001700000-0x0000000001A4A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4544-177-0x0000000000000000-mapping.dmp
        Download
      • memory/4840-181-0x0000000000000000-mapping.dmp
        Download