Overview

overview

10

Static

static

608aed0c05...a3.exe

windows7-x64

10

608aed0c05...a3.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    608aed0c05c0bd3ff091e559c92093440f659cc8b6f98865ce907cd9d6885ba3.exe

  • Size

    894KB

  • MD5

    973a94d5f2fb8e7d4da718d074dfd9eb

  • SHA1

    707f58e7972ed3493b0bd62480e4ed9538eba93f

  • SHA256

    608aed0c05c0bd3ff091e559c92093440f659cc8b6f98865ce907cd9d6885ba3

  • SHA512

    9b5dac4e93ff472550e557b9ea6e3bc4ccdcefd861886403a4c3729b9070de30d507ce3d4dc341d671416b1f4bd6e1a7a3624e5f9cd0f9935b3c375b89595250

  • SSDEEP

    24576:EHryn040Nznszfdf0DYkmybe7hxtcPuDdEPf:6mp0SZfsgyOT6vP

Score
10/10
formbookcy28ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cy28

Decoy

100049723423.review

lovehealthcare.online

immuniversity.info

ihproductions.net

originatorsu.mobi

shxwjn.top

fivemeters.com

planettiki.site

berantaspinjol.online

oregonusedtrucks.com

darkstarkoi.com

izmirhaberci.world

41014.top

georgiaspanishgoats.com

dealstopstartups.click

ravmodeling.center

unsundayjesus.world

initialslash.site

shubaola.top

caserevision.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\608aed0c05c0bd3ff091e559c92093440f659cc8b6f98865ce907cd9d6885ba3.exe
      "C:\Users\Admin\AppData\Local\Temp\608aed0c05c0bd3ff091e559c92093440f659cc8b6f98865ce907cd9d6885ba3.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IAFLNzOdgRR.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:904
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IAFLNzOdgRR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp870C.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:456
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1764
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1736

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp870C.tmp
      Filesize

      1KB

      MD5

      1894041f3a6d5074981138dd964194fb

      SHA1

      eb62a6627028facc6057da0f4de640a2a2170d10

      SHA256

      e48004346f999e1513d826b09ea3c7bbd9f4ee97e21ad1210cf7e5ee98138018

      SHA512

      75002f8ba1a6a6ba52f18868e4a4766171682f01636011e19a674128d1e432ec8bb178c9ee5ed628f0139b4a15d3501d0f68d876b07aacb11a7cf1939b8b3b5a

      Download Submit
    • memory/456-60-0x0000000000000000-mapping.dmp
      Download
    • memory/904-59-0x0000000000000000-mapping.dmp
      Download
    • memory/904-80-0x000000006EAA0000-0x000000006F04B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/904-70-0x000000006EAA0000-0x000000006F04B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1020-78-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1020-83-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1020-81-0x0000000001D60000-0x0000000001DF3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1020-79-0x0000000001F60000-0x0000000002263000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1020-77-0x0000000000470000-0x000000000047D000-memory.dmp
      Filesize

      52KB

      Download
    • memory/1020-74-0x0000000000000000-mapping.dmp
      Download
    • memory/1268-73-0x0000000004590000-0x000000000467C000-memory.dmp
      Filesize

      944KB

      Download
    • memory/1268-84-0x0000000004AB0000-0x0000000004BB5000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1268-82-0x0000000004AB0000-0x0000000004BB5000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1548-54-0x0000000000030000-0x0000000000116000-memory.dmp
      Filesize

      920KB

      Download
    • memory/1548-58-0x0000000005730000-0x00000000057D6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1548-57-0x0000000001E50000-0x0000000001E5E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1548-63-0x00000000057D0000-0x000000000583C000-memory.dmp
      Filesize

      432KB

      Download
    • memory/1548-56-0x0000000000710000-0x0000000000726000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1548-55-0x0000000075041000-0x0000000075043000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1736-76-0x0000000000000000-mapping.dmp
      Download
    • memory/1764-68-0x000000000041F140-mapping.dmp
      Download
    • memory/1764-72-0x0000000000390000-0x00000000003A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1764-67-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1764-65-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1764-64-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1764-75-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1764-71-0x0000000000A20000-0x0000000000D23000-memory.dmp
      Filesize

      3.0MB

      Download