Overview

overview

10

Static

static

1

dfdeda2af8...b0.exe

windows7-x64

10

dfdeda2af8...b0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 07:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfdeda2af8f802749ea92a46f1a15eb0.exe

  • Size

    414KB

  • MD5

    dfdeda2af8f802749ea92a46f1a15eb0

  • SHA1

    1d4e20830f0059222251681524b8d04e2ef06b6c

  • SHA256

    1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5

  • SHA512

    207f6dd61ddbdeb216b5fe0385c406d4819475e99378930645bbd97add3832732b71a15fcfd80175478ad8d1b06234822699fc39a6fc5f6e06930a1e1393e114

  • SSDEEP

    6144:PBnxm/hZudIIuLpVS0GKkGhxi4Y9p8Q2GNpoWkzxVeQMXdipolitSnIFkAFWQ:LzdIZpQ0lk2x0KVzL8diClQq4kc

Score
10/10
formbookh3haratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3ha

Decoy

ideas-dulces.store

store1995.store

swuhn.com

ninideal.com

musiqhaus.com

quranchart.com

kszq26.club

lightfx.online

thetickettruth.com

meritloancubk.com

lawnforcement.com

sogeanetwork.com

thedinoexotics.com

kojima-ah.net

gr-myab3z.xyz

platiniuminestor.net

reviewsiske.com

stessil-lifestyle.com

goodqjourney.biz

cirimpianti.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Users\Admin\AppData\Local\Temp\dfdeda2af8f802749ea92a46f1a15eb0.exe
      "C:\Users\Admin\AppData\Local\Temp\dfdeda2af8f802749ea92a46f1a15eb0.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
        "C:\Users\Admin\AppData\Local\Temp\acctrzf.exe" C:\Users\Admin\AppData\Local\Temp\dvfsb.ah
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
          "C:\Users\Admin\AppData\Local\Temp\acctrzf.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4148
    • C:\Windows\SysWOW64\systray.exe
      "C:\Windows\SysWOW64\systray.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\acctrzf.exe"
        3⤵
          PID:2228

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
      Filesize

      12KB

      MD5

      5df671fb2017fb9635b893743c8bea04

      SHA1

      b907492f85ec36f632c471b5acec7cd5a1bb6487

      SHA256

      7bdc4755f7bf0e566b69440fb54722b4a780d55a952ddab686eb174f47c8cabb

      SHA512

      ba9d9a0d078adb507bd737415704d9732e1e4658f21f7aca75929ffc33a7b7ad09130b48d60f19294c5b3d15df0ba5c578410258ec62116d764f669d764b7fef

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
      Filesize

      12KB

      MD5

      5df671fb2017fb9635b893743c8bea04

      SHA1

      b907492f85ec36f632c471b5acec7cd5a1bb6487

      SHA256

      7bdc4755f7bf0e566b69440fb54722b4a780d55a952ddab686eb174f47c8cabb

      SHA512

      ba9d9a0d078adb507bd737415704d9732e1e4658f21f7aca75929ffc33a7b7ad09130b48d60f19294c5b3d15df0ba5c578410258ec62116d764f669d764b7fef

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
      Filesize

      12KB

      MD5

      5df671fb2017fb9635b893743c8bea04

      SHA1

      b907492f85ec36f632c471b5acec7cd5a1bb6487

      SHA256

      7bdc4755f7bf0e566b69440fb54722b4a780d55a952ddab686eb174f47c8cabb

      SHA512

      ba9d9a0d078adb507bd737415704d9732e1e4658f21f7aca75929ffc33a7b7ad09130b48d60f19294c5b3d15df0ba5c578410258ec62116d764f669d764b7fef

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dvfsb.ah
      Filesize

      5KB

      MD5

      11a7bbf818c66ff345b63a0382c1696f

      SHA1

      5fa8e53822f31d7fd03e6948c3207105ce07c59b

      SHA256

      9fc7eb7e06c9fd5a4d48406627f1acd38b8f26600c94a8b675b79b31164e9fb0

      SHA512

      f35290e495994286d5f09ded0f00f40dd36be12ecaf4e6bfe8cd4aaa83e7d1524f77a690539f14f2fe26c0870049a75e898a1545e7a3ed7d441aee470d0753ef

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\wcuwygjbwxy.sr
      Filesize

      185KB

      MD5

      a5490791e10f0649f71b7e9296426565

      SHA1

      30f3cad402dfec9ec12777685b417097b340d035

      SHA256

      12af2ff9d43b37956e860620f34977c9325b8f9945ef760dd531b00fbdbb0efd

      SHA512

      e251bc764952220382e5432fd89debc3d0f7c917ee8da18ab24a954fccc8b022b4cf603f667a7585d580cdea9fd65ae4980d3fb8a822d9366439c41052eb9235

      Download Submit
    • memory/804-132-0x0000000000000000-mapping.dmp
      Download
    • memory/1076-150-0x0000000002630000-0x0000000002790000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1076-148-0x0000000002630000-0x0000000002790000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1076-141-0x0000000007DE0000-0x0000000007F71000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2228-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4148-140-0x0000000000D80000-0x0000000000D94000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4148-139-0x0000000000F50000-0x000000000129A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4148-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4448-143-0x0000000000C00000-0x0000000000C06000-memory.dmp
      Filesize

      24KB

      Download
    • memory/4448-144-0x0000000000CD0000-0x0000000000CFF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4448-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4448-146-0x0000000002B50000-0x0000000002E9A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4448-147-0x00000000029F0000-0x0000000002A83000-memory.dmp
      Filesize

      588KB

      Download
    • memory/4448-149-0x0000000000CD0000-0x0000000000CFF000-memory.dmp
      Filesize

      188KB

      Download