Overview

overview

10

Static

static

СПЕШН...А.exe

windows7-x64

10

СПЕШН...А.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    СПЕШНА ПОРЪЧКА ЗА ПОКУПКА.exe

  • Size

    722KB

  • MD5

    0aee1077971fda9cedfc570be5e2c822

  • SHA1

    21092ac3f3146688e8bf9b7613c8293b74824970

  • SHA256

    97bfd8737b330f409b85e67a43a20edcdc497a63ec9d663692aa8d11e323caf1

  • SHA512

    72eb237eb96309d537c70008bbf6fa592e805f6111561ea3370799d14ec61f88743359cd2f614f2ac314d3b625cfe2f32b5119a293dec974783a188f5672265a

  • SSDEEP

    12288:kLpeGieN1J53lWwlZ4r+cKkdm2oOJKk1wnjaXBnM33302IgFJN0V3foYcjZnbCkI:6PvN1Nyr+cHm2AMwOBnG30YCoBjZnbCx

Score
10/10
formbookd0a7ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d0a7

Decoy

ngpjqd.top

provider1.net

themetaverseloyalties.com

tylpp.com

pmjewels.com

87napxxgz8x86a.com

djolobal.com

fmbmaiamelo.com

naijabam.online

networkingbits.com

beesweet.live

sexarab.homes

promptcompete.com

midsouthradio.com

23mk.top

bnhkit.xyz

2ozp56.bond

vehiclesgroups.com

healthycommunitynow.com

cwzmesr.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Users\Admin\AppData\Local\Temp\СПЕШНА ПОРЪЧКА ЗА ПОКУПКА.exe
      "C:\Users\Admin\AppData\Local\Temp\СПЕШНА ПОРЪЧКА ЗА ПОКУПКА.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CFLiKwclbcBo.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CFLiKwclbcBo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF53.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1244
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
        PID:516
      • C:\Windows\SysWOW64\msdt.exe
        "C:\Windows\SysWOW64\msdt.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:760
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:604
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          2⤵
            PID:1564
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe"
            2⤵
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1088
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6004f50,0x7fef6004f60,0x7fef6004f70
              3⤵
                PID:2036
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,8639049422449452160,11735682437769237138,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
                3⤵
                  PID:524
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1028,8639049422449452160,11735682437769237138,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1300 /prefetch:8
                  3⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:652
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1028,8639049422449452160,11735682437769237138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1748 /prefetch:8
                  3⤵
                    PID:1636
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,8639049422449452160,11735682437769237138,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
                    3⤵
                      PID:1056
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,8639049422449452160,11735682437769237138,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
                      3⤵
                        PID:1464
                  • C:\Windows\system32\AUDIODG.EXE
                    C:\Windows\system32\AUDIODG.EXE 0x55c
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1188

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Scheduled Task

                  1
                  T1053

                  Persistence

                  Scheduled Task

                  1
                  T1053

                  Privilege Escalation

                  Scheduled Task

                  1
                  T1053

                  Defense Evasion

                  Modify Registry

                  1
                  T1112

                  Credential Access

                  Discovery

                  System Information Discovery

                  1
                  T1082

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\tmpAF53.tmp
                    Filesize

                    1KB

                    MD5

                    798c2e4d7ffb3481c6d16cfe54af5ce1

                    SHA1

                    1ad5aed9c0785f43dada21cf757ac5eefba9e71f

                    SHA256

                    8b1d6bf25e2f6a90b73caeaf277fe40d1bf25729cf3542da992ec0f0ae80e504

                    SHA512

                    f3c6378916dd4900b6a4ca0fe4b0756acd34b554830beacb32047c4d93cfa3b023156b9219f37809567f409a90ade9cbd5c4617de7e43057bef865141ddb5a7c

                    Download Submit
                  • \??\pipe\crashpad_1088_DMFEDLMAWGMFRKZM
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    Download Submit
                  • memory/516-57-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/604-79-0x0000000000000000-mapping.dmp
                    Download
                  • memory/760-77-0x0000000000000000-mapping.dmp
                    Download
                  • memory/760-84-0x0000000000080000-0x00000000000AF000-memory.dmp
                    Filesize

                    188KB

                    Download
                  • memory/760-83-0x0000000000BB0000-0x0000000000C44000-memory.dmp
                    Filesize

                    592KB

                    Download
                  • memory/760-82-0x00000000022B0000-0x00000000025B3000-memory.dmp
                    Filesize

                    3.0MB

                    Download
                  • memory/760-81-0x0000000000080000-0x00000000000AF000-memory.dmp
                    Filesize

                    188KB

                    Download
                  • memory/760-80-0x0000000000DB0000-0x0000000000EA4000-memory.dmp
                    Filesize

                    976KB

                    Download
                  • memory/1244-61-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1344-75-0x0000000007C90000-0x0000000007D7C000-memory.dmp
                    Filesize

                    944KB

                    Download
                  • memory/1344-86-0x00000000074A0000-0x00000000075A3000-memory.dmp
                    Filesize

                    1.0MB

                    Download
                  • memory/1344-85-0x00000000074A0000-0x00000000075A3000-memory.dmp
                    Filesize

                    1.0MB

                    Download
                  • memory/1444-56-0x00000000003C0000-0x00000000003D8000-memory.dmp
                    Filesize

                    96KB

                    Download
                  • memory/1444-59-0x00000000053E0000-0x0000000005450000-memory.dmp
                    Filesize

                    448KB

                    Download
                  • memory/1444-58-0x0000000000290000-0x000000000029C000-memory.dmp
                    Filesize

                    48KB

                    Download
                  • memory/1444-54-0x00000000002E0000-0x000000000039A000-memory.dmp
                    Filesize

                    744KB

                    Download
                  • memory/1444-64-0x0000000004560000-0x0000000004596000-memory.dmp
                    Filesize

                    216KB

                    Download
                  • memory/1444-55-0x0000000075D71000-0x0000000075D73000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1564-87-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1952-65-0x0000000000400000-0x000000000042F000-memory.dmp
                    Filesize

                    188KB

                    Download
                  • memory/1952-71-0x0000000000400000-0x000000000042F000-memory.dmp
                    Filesize

                    188KB

                    Download
                  • memory/1952-74-0x0000000000150000-0x0000000000165000-memory.dmp
                    Filesize

                    84KB

                    Download
                  • memory/1952-68-0x0000000000400000-0x000000000042F000-memory.dmp
                    Filesize

                    188KB

                    Download
                  • memory/1952-73-0x0000000000980000-0x0000000000C83000-memory.dmp
                    Filesize

                    3.0MB

                    Download
                  • memory/1952-66-0x0000000000400000-0x000000000042F000-memory.dmp
                    Filesize

                    188KB

                    Download
                  • memory/1952-69-0x000000000041F040-mapping.dmp
                    Download
                  • memory/2044-76-0x000000006EAD0000-0x000000006F07B000-memory.dmp
                    Filesize

                    5.7MB

                    Download
                  • memory/2044-60-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2044-72-0x000000006EAD0000-0x000000006F07B000-memory.dmp
                    Filesize

                    5.7MB

                    Download