Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2022 09:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    257KB

  • MD5

    db34b27822c1c7d80e7e59ed743ce22c

  • SHA1

    f888efab5bfd957947b95877b4c5c73067dad197

  • SHA256

    3cfd81b824673a6ba23d472bd09d5e7610a3346cce6f23956507af5eab63c012

  • SHA512

    860a92c61d02b1429853c529234ca0885cc37065503a14918ddfd722fd3281f1179fa036315a867eb36475e93db391307255e214b78733d8fd4ce7c93ed7a066

  • SSDEEP

    6144:QBn1+chufZq/1wTiFDMwMBUvosOPuoXK+qvcAYzy/:g+ciAyeUavOha+nAYI

Score
10/10
formbookpr28ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pr28

Decoy

huaxinimg.com

baorungas.com

comercializadoramultimus.com

blr-batipro.com

wantagedfas.uk

1thingplan.one

cweilin.com

lorienconsultingllc.com

jdzsjwx.com

casafacil.site

hkacgt.com

hasid.africa

92dgr97k4hr9.com

cvbiop.xyz

1wbskm.top

fantasticmobility.com

goodchoice2022.com

hafizpower.com

familiajoya.com

fundscrahelp.info

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe
        "C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe" C:\Users\Admin\AppData\Local\Temp\okwqyzbx.uc
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe
          "C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:5024
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe"
        3⤵
          PID:1812

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\jbenz.m
      Filesize

      185KB

      MD5

      4b4ce519a534f3436dbbc48d123b6e83

      SHA1

      d10796875fffdebd65a4fec5de8dda497d2fc981

      SHA256

      552b1709acc1df6fed2544cad9f85c7f715c8c7e1e48c94c6ee6607b24a1b114

      SHA512

      b8f38ee58c66bd4b982d26aba7ec7967cd0a96a9b58c7661ffe1835c0b9f2f4c55d1484c2a79ed67eed23cc412607bfb9f77bfc4276727d94fecf917aacd7225

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\okwqyzbx.uc
      Filesize

      5KB

      MD5

      e22f33b90450537ae0e9df382a3c87d2

      SHA1

      876eacd3ee12b0223c6c0564371f0e49ce5e5f29

      SHA256

      b9e9dcefcabf28d10c0a5cc8225b17444567e77a52bfd5b32f8f33a314129fc8

      SHA512

      16f3130d76b6df093022d6842e86136291bd7b28c87f8cd4ec8c903996b3823595f7df69d034f459b9cc26acff8d63c68dc002a7728bbeaf86a7892219a1ad14

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe
      Filesize

      104KB

      MD5

      9d249d3a0088dd3e3b7cdc0068bcb9dc

      SHA1

      1a3e0934278243d4e7c82f69f77271426c18d23d

      SHA256

      292de2987a1b943bbfec1025d9bb571a8c8aa59dd0662565147952f8a2d3dc06

      SHA512

      14c48fffcca018aa32a2f98ef793b28084c1691d78aa7cd2de88f7f568a2b3340920c8eef0372bccd7167a3edd333fa78cdb37ce48b62657a5cb975c8fa7a2a8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe
      Filesize

      104KB

      MD5

      9d249d3a0088dd3e3b7cdc0068bcb9dc

      SHA1

      1a3e0934278243d4e7c82f69f77271426c18d23d

      SHA256

      292de2987a1b943bbfec1025d9bb571a8c8aa59dd0662565147952f8a2d3dc06

      SHA512

      14c48fffcca018aa32a2f98ef793b28084c1691d78aa7cd2de88f7f568a2b3340920c8eef0372bccd7167a3edd333fa78cdb37ce48b62657a5cb975c8fa7a2a8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe
      Filesize

      104KB

      MD5

      9d249d3a0088dd3e3b7cdc0068bcb9dc

      SHA1

      1a3e0934278243d4e7c82f69f77271426c18d23d

      SHA256

      292de2987a1b943bbfec1025d9bb571a8c8aa59dd0662565147952f8a2d3dc06

      SHA512

      14c48fffcca018aa32a2f98ef793b28084c1691d78aa7cd2de88f7f568a2b3340920c8eef0372bccd7167a3edd333fa78cdb37ce48b62657a5cb975c8fa7a2a8

      Download Submit
    • memory/1812-147-0x0000000000000000-mapping.dmp
      Download
    • memory/2864-142-0x0000000007B90000-0x0000000007C9C000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2864-151-0x0000000007F20000-0x0000000008030000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2864-152-0x0000000007F20000-0x0000000008030000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/4936-148-0x0000000003160000-0x00000000034AA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4936-143-0x0000000000000000-mapping.dmp
      Download
    • memory/4936-145-0x00000000008D0000-0x00000000008E4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4936-146-0x00000000012B0000-0x00000000012DF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4936-149-0x0000000002FC0000-0x0000000003053000-memory.dmp
      Filesize

      588KB

      Download
    • memory/4936-150-0x00000000012B0000-0x00000000012DF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/5024-144-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/5024-137-0x0000000000000000-mapping.dmp
      Download
    • memory/5024-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/5024-141-0x00000000009E0000-0x00000000009F4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/5024-140-0x0000000000A40000-0x0000000000D8A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5028-132-0x0000000000000000-mapping.dmp
      Download