Analysis

  • max time kernel
    203s
  • max time network
    240s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    03-12-2022 17:55

General

  • Target

    tmp.exe

  • Size

    782KB

  • MD5

    c7b62f9ed3ec7b9208acc7fafda076db

  • SHA1

    4e8e86971dcc2e418b109bacfd6170c947e4eb58

  • SHA256

    5f8e9ae71eba679754663351ebaf0668bee3ef9ac7c95ad0261fe97bc3424753

  • SHA512

    d6110de8c343785f0804b9a3223735d60de387b159283fdc55a3e515e335a7502776784ee229829d21d153919ac6b2fb8abf48e67d02123a5cf6a01aeda4fd68

  • SSDEEP

    24576:vfpSX/iG4AdBfw+Px1y2l8N3ykaNh1sT/M:3EXKOdBBPx1y2lgDCo/M
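The hashes above, together with those of the dropped files in the Downloads section, are the file-based IOCs this report yields. The following is an added example (not part of the sandbox report) that matches files on disk against those digests regardless of file name, since the dropper here renames its payloads (inmzt.exe, wiwva.au3 and the other random names below). The IOC table is copied from the report; the function names and scan logic are illustrative, and SSDEEP is left out because it needs a third-party library.

```python
"""Match files on disk against the hashes listed in this sandbox report.

Added example, not part of the report: the IOC table is copied from the
General and Downloads sections; everything else is illustrative.
"""
import hashlib
import os

# Copied from the report: artifact name -> {algorithm: hex digest}.
REPORT_IOCS = {
    "tmp.exe": {
        "md5": "c7b62f9ed3ec7b9208acc7fafda076db",
        "sha1": "4e8e86971dcc2e418b109bacfd6170c947e4eb58",
        "sha256": "5f8e9ae71eba679754663351ebaf0668bee3ef9ac7c95ad0261fe97bc3424753",
    },
    "inmzt.exe": {
        "md5": "c56b5f0201a3b3de53e561fe76912bfd",
        "sha1": "2a4062e10a5de813f5688221dbeb3f3ff33eb417",
        "sha256": "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d",
    },
    "jgiyzxytc.yr": {
        "md5": "b0a8eb29773affdc9d53a1dda86e18b4",
        "sha1": "b0ffd4d94a08728c350ec16d6a1c969b725dd9d6",
        "sha256": "e9f6eb4d9378ab177589f71acdff5b004b816143246f27e0a588046a727518ef",
    },
    "rfajfcfpief.ze": {
        "md5": "b9e5050d924f1bd1a99d41aa995d97d5",
        "sha1": "7a4e0729164c31f8f8e92fc811c30d4889feb78f",
        "sha256": "93e5c6fa4508f2237f87c26d3a0a8e9c2593256ce9820560d9df8a0ab015c0a7",
    },
    "wiwva.au3": {
        "md5": "9f25a8959253b91eb216dfac56ecd518",
        "sha1": "74d81ecc1e5c22cdfcfad86f90d6bb6007e4c318",
        "sha256": "7c56a35e8ddaf8f14ba6b1a7d35ccdaa665213c606d023c758f73aeb3d5c7ba9",
    },
}

ALGOS = ("md5", "sha1", "sha256")


def hash_file(path):
    """Return {algorithm: hex digest} for one file, reading it once in chunks."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def build_index(iocs):
    """Invert the IOC table so a single digest can be looked up: (algo, hex) -> name."""
    index = {}
    for name, digests in iocs.items():
        for algo, hexdigest in digests.items():
            index[(algo, hexdigest.lower())] = name
    return index


def match_file(path, index):
    """Return the report artifact whose hash matches this file, or None.

    The strongest digest is tried first; file names are deliberately ignored
    because the dropper renames its payloads.
    """
    digests = hash_file(path)
    for algo in ("sha256", "sha1", "md5"):
        hit = index.get((algo, digests[algo]))
        if hit:
            return hit
    return None


def scan_tree(root, iocs=REPORT_IOCS):
    """Walk a directory tree and return {file path: matched artifact name}."""
    index = build_index(iocs)
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                name = match_file(path, index)
            except OSError:  # unreadable or vanished file: skip, do not abort the scan
                continue
            if name:
                hits[path] = name
    return hits


if __name__ == "__main__":
    import sys
    for path, name in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: matches report artifact {name}")
```

Run it against a user's Temp directory (or a collected triage image) to confirm whether the same dropper stage landed; a hit on inmzt.exe or wiwva.au3 without tmp.exe is still a positive, since the first stage is often deleted after use.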

Malware Config

Extracted

Family

formbook

Campaign

dqup

Decoy

RBFKWV5uGrUdf6hN

jGcsTVbthgGRPm1nWzyE

omvIH2jxGd0Sn12CYeAAIvEODy/o

LLuzSX53kGpef9bObGSZ

P7qPqZmVr42VH9LObGSZ

EeWGEWEDxEDd5U1TxRw=

c5/8gdte657s7yo=

kQyJz9WGgKAWCTU=

94EXa2L/gCuXTwVF

QwngPG0f95paVrPd/TEdsg==

AZ0qhZ0icV3HJCS8tw==

tYe83vwj5a8uN3OSZEC+iZW/

aCkNaXAMOwxp+/X+MA9RYTs=

RDOfhwk2ysWuvw==

L79DjZhLdk7AqW/ObGSZ

eAP0idjnAen1II6+8TATqw==

d+/2mB+UWxTV2F4IsdJS5DE=

ZR9aco6xbRNvaehuqA==

zJVFYGnffyUV75T6phA=

yV3K3+jViRAtzJDNQThu0lZp+2FeyA==

Signatures

  • Formbook

    Formbook is an information-stealing malware family: it hooks browsers and other applications to capture submitted form data, keystrokes and clipboard contents, takes screenshots, and reports to a command-and-control server chosen from a list that mixes the real C2 with decoy domains (the Decoy entries in the extracted config above).

  • Blocklisted process makes network request 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware" note to this heuristic; nothing else in this report (no file encryption, no ransom note) supports that reading, and the detected family is an infostealer.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Users\Admin\AppData\Local\Temp\inmzt.exe
        "C:\Users\Admin\AppData\Local\Temp\inmzt.exe" "C:\Users\Admin\AppData\Local\Temp\wiwva.au3"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Users\Admin\AppData\Local\Temp\inmzt.exe
          "C:\Users\Admin\AppData\Local\Temp\inmzt.exe" "C:\Users\Admin\AppData\Local\Temp\wiwva.au3"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:5080
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1400
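The process tree above is the most reusable part of this report: a dropper in %TEMP% launches a renamed interpreter with a .au3 script, that interpreter re-launches its own image with the identical command line (the SetThreadContext signature marks this as process hollowing), an argument-less SysWOW64 rundll32.exe appears under Explorer.EXE as the injection host, and that rundll32 then spawns Firefox. The following is an added example (not part of the sandbox report) that encodes those four observations as rules over process-creation events. The events are constructed from the PIDs, images and command lines listed above, plus one constructed benign rundll32 launch to show the rules do not fire on ordinary usage; rule names and helper functions are illustrative.

```python
"""Detection rules for the process chain in this report.

Added example, not part of the sandbox report: EVENTS is constructed from
the Processes section (plus one benign control); rule names are illustrative.
"""
import re

# Constructed from the Processes section: one entry per process creation.
EVENTS = [
    {"pid": 2432, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 4620, "ppid": 2432, "image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"'},
    {"pid": 4372, "ppid": 4620, "image": r"C:\Users\Admin\AppData\Local\Temp\inmzt.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\inmzt.exe" "C:\Users\Admin\AppData\Local\Temp\wiwva.au3"'},
    {"pid": 5080, "ppid": 4372, "image": r"C:\Users\Admin\AppData\Local\Temp\inmzt.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\inmzt.exe" "C:\Users\Admin\AppData\Local\Temp\wiwva.au3"'},
    {"pid": 804, "ppid": 2432, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe"'},
    {"pid": 1400, "ppid": 804, "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
    # Constructed benign control: rundll32 with a real DLL,EntryPoint argument must not alert.
    {"pid": 9001, "ppid": 2432, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL hotplug.dll'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
AU3_RE = re.compile(r'\.au3(?:"|\s|$)', re.IGNORECASE)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def strip_image(cmdline, image):
    """Return the command-line tail after the image path itself (quoted or bare)."""
    tail = cmdline.strip()
    for candidate in (f'"{image}"', image):
        if tail.lower().startswith(candidate.lower()):
            return tail[len(candidate):].strip()
    return tail


def detect(events):
    """Run the four rules over process-creation events; return [(rule, pid), ...]."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img, cmd = e["image"], e["cmdline"]
        # R1: an executable in %TEMP% handed a .au3 script, the shape of a
        # renamed AutoIt interpreter plus its dropped script.
        if TEMP_RE.search(img) and AU3_RE.search(cmd):
            alerts.append(("temp_exe_with_au3_script", e["pid"]))
        # R2: a process re-launching its own image with the identical command
        # line, which is what a hollowing loader does before SetThreadContext.
        if parent and parent["image"].lower() == img.lower() and parent["cmdline"] == cmd:
            alerts.append(("self_spawn_same_cmdline", e["pid"]))
        # R3: rundll32.exe without a DLL,EntryPoint argument; a bare rundll32
        # does nothing useful on its own and exists here only as an injection host.
        if basename(img) == "rundll32.exe" and strip_image(cmd, img) == "":
            alerts.append(("bare_rundll32", e["pid"]))
        # R4: a browser started by rundll32 rather than by the shell or the user.
        if parent and basename(parent["image"]) == "rundll32.exe" and basename(img) in BROWSERS:
            alerts.append(("browser_spawned_by_rundll32", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

On the events above the rules fire for PIDs 4372 and 5080 (R1), 5080 (R2), 804 (R3) and 1400 (R4) and stay silent for the benign rundll32 control. R3 on its own is a high-confidence signal on a fleet, since legitimate rundll32 launches always carry a DLL and entry point; R1 and R2 are useful as correlation context rather than stand-alone alerts, because software installers also run from %TEMP% and some legitimate programs re-spawn themselves.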

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic              Technique                     Count  ID
    Defense Evasion     Modify Registry               1      T1112
    Credential Access   Credentials in Files          1      T1081
    Discovery           Query Registry                1      T1012
    Discovery           System Information Discovery  2      T1082
    Collection          Data from Local System        1      T1005

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\inmzt.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Local\Temp\jgiyzxytc.yr
      Filesize

      38KB

      MD5

      b0a8eb29773affdc9d53a1dda86e18b4

      SHA1

      b0ffd4d94a08728c350ec16d6a1c969b725dd9d6

      SHA256

      e9f6eb4d9378ab177589f71acdff5b004b816143246f27e0a588046a727518ef

      SHA512

      98acfc6cae748347b19eabc5099f6989de67a5febfe41958714bfe6f9d5a15c1e45b80dae7205da353495d2c0527463575ee7b171e8b745d684dbd60433f5b0e

    • C:\Users\Admin\AppData\Local\Temp\rfajfcfpief.ze
      Filesize

      184KB

      MD5

      b9e5050d924f1bd1a99d41aa995d97d5

      SHA1

      7a4e0729164c31f8f8e92fc811c30d4889feb78f

      SHA256

      93e5c6fa4508f2237f87c26d3a0a8e9c2593256ce9820560d9df8a0ab015c0a7

      SHA512

      fd15426a9959f569d216f016b62810162734d687f2edc846aed5828e86931e953b0a25b6a483cea8f35d1a3da45de2654bd7be19d6eaf8d491a9381e6186cd6d

    • C:\Users\Admin\AppData\Local\Temp\wiwva.au3
      Filesize

      6KB

      MD5

      9f25a8959253b91eb216dfac56ecd518

      SHA1

      74d81ecc1e5c22cdfcfad86f90d6bb6007e4c318

      SHA256

      7c56a35e8ddaf8f14ba6b1a7d35ccdaa665213c606d023c758f73aeb3d5c7ba9

      SHA512

      91dbfe0d728b08267ab2ea75618736311cb1546ed3591d34f37c9f1cced0a9f3e2f5509d1f623555451d33f7bcc9dc35276b0a634d179f725bf12d47ec2cfa43

    • memory/804-152-0x0000000000C30000-0x0000000000C5D000-memory.dmp
      Filesize

      180KB

    • memory/804-150-0x0000000002A60000-0x0000000002AEF000-memory.dmp
      Filesize

      572KB

    • memory/804-149-0x0000000002AF0000-0x0000000002E3A000-memory.dmp
      Filesize

      3.3MB

    • memory/804-145-0x0000000000000000-mapping.dmp
    • memory/804-146-0x0000000000080000-0x0000000000094000-memory.dmp
      Filesize

      80KB

    • memory/804-148-0x0000000000C30000-0x0000000000C5D000-memory.dmp
      Filesize

      180KB

    • memory/2432-153-0x00000000025E0000-0x0000000002687000-memory.dmp
      Filesize

      668KB

    • memory/2432-151-0x00000000025E0000-0x0000000002687000-memory.dmp
      Filesize

      668KB

    • memory/2432-144-0x00000000076F0000-0x000000000785E000-memory.dmp
      Filesize

      1.4MB

    • memory/4372-132-0x0000000000000000-mapping.dmp
    • memory/5080-137-0x0000000000000000-mapping.dmp
    • memory/5080-143-0x00000000018B0000-0x00000000018C0000-memory.dmp
      Filesize

      64KB

    • memory/5080-142-0x0000000000422000-0x0000000000424000-memory.dmp
      Filesize

      8KB

    • memory/5080-141-0x0000000001D30000-0x000000000207A000-memory.dmp
      Filesize

      3.3MB

    • memory/5080-140-0x0000000000401000-0x000000000042E000-memory.dmp
      Filesize

      180KB

    • memory/5080-139-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB
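The memory dump names above encode the PID, a sequence number and the virtual address range that was dumped, so they can be triaged without opening a single file. The following is an added example (not part of the sandbox report) that parses those names and applies two heuristics that are assumptions of this example rather than anything the report states: a region at 0x400000 in a process is consistent with a rewritten PE image in a hollowed process (the 32-bit default image base), and the same injected stage lands at different addresses in different processes but keeps its size, so a size that recurs across PIDs is a cheap pivot for "which dump is the payload". The dump names and PID-to-image map are copied from the report; function names are illustrative.

```python
"""Triage the memory-dump list at the end of this report.

Added example, not part of the sandbox report: DUMP_NAMES and PROCESSES are
copied from the page; the parsing assumes the naming scheme
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp seen here, and the two
heuristics (image-base region, cross-PID size match) are this example's.
"""
import re
from collections import defaultdict

# Copied from the report; "-mapping.dmp" entries carry no address range.
DUMP_NAMES = [
    "memory/804-152-0x0000000000C30000-0x0000000000C5D000-memory.dmp",
    "memory/804-150-0x0000000002A60000-0x0000000002AEF000-memory.dmp",
    "memory/804-149-0x0000000002AF0000-0x0000000002E3A000-memory.dmp",
    "memory/804-145-0x0000000000000000-mapping.dmp",
    "memory/804-146-0x0000000000080000-0x0000000000094000-memory.dmp",
    "memory/804-148-0x0000000000C30000-0x0000000000C5D000-memory.dmp",
    "memory/2432-153-0x00000000025E0000-0x0000000002687000-memory.dmp",
    "memory/2432-151-0x00000000025E0000-0x0000000002687000-memory.dmp",
    "memory/2432-144-0x00000000076F0000-0x000000000785E000-memory.dmp",
    "memory/4372-132-0x0000000000000000-mapping.dmp",
    "memory/5080-137-0x0000000000000000-mapping.dmp",
    "memory/5080-143-0x00000000018B0000-0x00000000018C0000-memory.dmp",
    "memory/5080-142-0x0000000000422000-0x0000000000424000-memory.dmp",
    "memory/5080-141-0x0000000001D30000-0x000000000207A000-memory.dmp",
    "memory/5080-140-0x0000000000401000-0x000000000042E000-memory.dmp",
    "memory/5080-139-0x0000000000400000-0x000000000042E000-memory.dmp",
]

# PID -> image name, from the Processes section.
PROCESSES = {2432: "Explorer.EXE", 4620: "tmp.exe", 4372: "inmzt.exe",
             5080: "inmzt.exe", 804: "rundll32.exe", 1400: "Firefox.exe"}

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Return (pid, seq, start, end, size) or None for mapping-only entries."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq = int(m["pid"]), int(m["seq"])
    start, end = int(m["start"], 16), int(m["end"], 16)
    return pid, seq, start, end, end - start


def regions(names):
    """Parse all names, dropping mapping entries and repeated ranges within a PID
    (the report lists the same explorer and rundll32 ranges twice)."""
    seen, out = set(), []
    for n in names:
        r = parse_dump(n)
        if r and (r[0], r[2], r[3]) not in seen:
            seen.add((r[0], r[2], r[3]))
            out.append(r)
    return out


def shared_sizes(regs):
    """Sizes that occur in more than one PID -> sorted list of those PIDs."""
    by_size = defaultdict(set)
    for pid, _, _, _, size in regs:
        by_size[size].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def image_base_regions(regs, base=0x400000):
    """Regions that start exactly at the 32-bit default image base."""
    return [(pid, start, end) for pid, _, start, end, _ in regs if start == base]


def summarize(names=DUMP_NAMES):
    regs = regions(names)
    per_pid = defaultdict(int)
    for pid, _, _, _, size in regs:
        per_pid[pid] += size
    return {
        "per_pid_bytes": dict(per_pid),
        "shared_sizes": shared_sizes(regs),
        "image_base": image_base_regions(regs),
    }


if __name__ == "__main__":
    s = summarize()
    for size, pids in sorted(s["shared_sizes"].items()):
        owners = ", ".join(f"{p} ({PROCESSES.get(p, '?')})" for p in pids)
        print(f"{size:#x} bytes ({size // 1024} KB) dumped from PIDs {owners}")
    for pid, start, end in s["image_base"]:
        print(f"PID {pid} ({PROCESSES.get(pid, '?')}): image-base region {start:#x}-{end:#x}")
```

On this report's data the size pivot yields two matches, both between PID 804 (rundll32.exe) and PID 5080 (the second inmzt.exe): a 0x2D000-byte (180 KB) region and a 0x34A000-byte (3.3 MB) region. The 180 KB region in 5080 is 0x401000-0x42E000, the body of the image at the default base, and the only image-base region in the list is 5080's 0x400000-0x42E000, which fits the SetThreadContext signature on that process. Those four dumps (5080-139/140/141 and 804-148/149) are the ones to open first; the explorer.exe (2432) regions are what the injected stage left in the shell.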