Overview

overview

10

Static

static

1

a0c275ebd1...cb.exe

windows7-x64

8

a0c275ebd1...cb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0c275ebd1005a313b20dd27ea739dcb.exe

  • Size

    414KB

  • MD5

    a0c275ebd1005a313b20dd27ea739dcb

  • SHA1

    4c7fb52d3129f485919cf8dd2d8ea3f665e0a6b9

  • SHA256

    3077abc4b785271fc43389f94cee024de4fd4d3d7f4ada5c569a9aca09374a9d

  • SHA512

    19746c6270d4e54827488b31fa856286e81370c124c2f99b6fddc07311b62baf8969f5bbe433c891f921771e2aa912ad79e5015b97d247600b13eb844c467e6b

  • SSDEEP

    6144:PBnxm/hZudIIuLplWND4YOSAsRJVWMmH/w/dv4e6Hc+2u:LzdIZplW94YzAIJ0MT/ucPu

Score
10/10
formbookh3haratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3ha

Decoy

ideas-dulces.store

store1995.store

swuhn.com

ninideal.com

musiqhaus.com

quranchart.com

kszq26.club

lightfx.online

thetickettruth.com

meritloancubk.com

lawnforcement.com

sogeanetwork.com

thedinoexotics.com

kojima-ah.net

gr-myab3z.xyz

platiniuminestor.net

reviewsiske.com

stessil-lifestyle.com

goodqjourney.biz

cirimpianti.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\a0c275ebd1005a313b20dd27ea739dcb.exe
      "C:\Users\Admin\AppData\Local\Temp\a0c275ebd1005a313b20dd27ea739dcb.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
        "C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe" C:\Users\Admin\AppData\Local\Temp\ahbdus.k
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
          "C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3136
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:1284
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4320
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe"
          3⤵
            PID:1480

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ahbdus.k
        Filesize

        5KB

        MD5

        533b564dd4c64c19e3b7d860f03801a6

        SHA1

        745a017c6f1e58a6b7bea787eb3a20597c17fb62

        SHA256

        25a5b8a00567719024844286427f3fd986a6f72b4ed826bbae58d882c20fd3cd

        SHA512

        e1450a5ea0156db8cb02f359964ba1d279fcd0b8e60c30b8b39b51771e7da0b823a39fa2edcd184bc00152612fa1ae50e1304e7a8fb337102f33455df6372ddf

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\nnfoo.p
        Filesize

        185KB

        MD5

        0fd8fad06f5a97c481fbbb60828d686e

        SHA1

        eab488ae696a31dbd02c959662e356612d5c4c40

        SHA256

        e3a937e8170b273687231c76c7539d1282a6c904df8b44aa249fc52dd09ab518

        SHA512

        b1151c9a8ce0b516879afc6838cb453d68d820ec4743b731974291d402fa0f0416b515b489ee7758de6c975402bd78bb016e9d8342a849157cce4ebc904de7f4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
        Filesize

        13KB

        MD5

        f15812c468166ad85fda4223195da140

        SHA1

        4ed0da8b9e738f3d08a0f00270e92a0539e32136

        SHA256

        ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

        SHA512

        bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
        Filesize

        13KB

        MD5

        f15812c468166ad85fda4223195da140

        SHA1

        4ed0da8b9e738f3d08a0f00270e92a0539e32136

        SHA256

        ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

        SHA512

        bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
        Filesize

        13KB

        MD5

        f15812c468166ad85fda4223195da140

        SHA1

        4ed0da8b9e738f3d08a0f00270e92a0539e32136

        SHA256

        ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

        SHA512

        bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

        Download Submit
      • memory/1124-143-0x0000000009150000-0x00000000092F8000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/1124-151-0x00000000030C0000-0x0000000003173000-memory.dmp
        Filesize

        716KB

        Download
      • memory/1124-150-0x00000000030C0000-0x0000000003173000-memory.dmp
        Filesize

        716KB

        Download
      • memory/1124-141-0x0000000009150000-0x00000000092F8000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/1480-147-0x0000000000000000-mapping.dmp
        Download
      • memory/3136-137-0x0000000000000000-mapping.dmp
        Download
      • memory/3136-140-0x0000000000C40000-0x0000000000C54000-memory.dmp
        Filesize

        80KB

        Download
      • memory/3136-139-0x0000000000C90000-0x0000000000FDA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4320-142-0x0000000000000000-mapping.dmp
        Download
      • memory/4320-144-0x00000000006B0000-0x00000000006D7000-memory.dmp
        Filesize

        156KB

        Download
      • memory/4320-145-0x0000000001030000-0x000000000105F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4320-146-0x00000000030B0000-0x00000000033FA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4320-148-0x0000000001030000-0x000000000105F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4320-149-0x0000000002EF0000-0x0000000002F83000-memory.dmp
        Filesize

        588KB

        Download
      • memory/5036-132-0x0000000000000000-mapping.dmp
        Download