Overview

overview

10

Static

static

1

4b9fed2912...11.exe

windows7-x64

8

4b9fed2912...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    190s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2022 00:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b9fed291230a554fb3885d1e3289111.exe

  • Size

    601KB

  • MD5

    4b9fed291230a554fb3885d1e3289111

  • SHA1

    5e0ca8ed4ceb45cbae58837ba95219fbb4c00ee2

  • SHA256

    afbdeed783327858a21dbd66af203bcde4415828557de7ec0615ec177b198ccb

  • SHA512

    a32d7bf227a4d51bc636a21b7095dd7e601943a438ffdea2510371b79df7555f5fd0c90b9c0fb95aa396fffd5e34c4f6680415f29b6f342ac944a6e73ad11444

  • SSDEEP

    12288:gQn76IMYGJq57woDY9GE68UPB/Gf+b+PNT0yonFZ4:gQn76RQ7vERUPB+WylGnF2

Score
10/10
formbookelhbratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

elhb

Decoy

BxGzoacPQ3mFBGhbtixjHOm2l30=

dTRqRkWfuBbGMmsPJA==

Pix+zpOG6+Gk

N+3dNZ0ZjOtrRnnj

xUv06VOm45P441HWCmmfSum2l30=

Sx5JuwMfaRrJdK3r

cgU6nPNKa14KC4K40cp4wbkm/KpzfwM=

rV8A2UGJrlbYxa48P40=

Gz3szbYLIYI6l+4=

QU3ru637P+U4itwRQ3n7n2c=

DdkGzbEPU4Fy4h2bZLVXNzz0

QPUo8R5qn9KUnhRRtmVY8/Zp5Xw=

q+EX7juJsVR79msRSnsUxg==

/34eEpvsLS8lw7uom5U=

HEVrEXHlHMlNNp9IlsY+0Q==

KZ/SIWnI7eeog+pwY9uAw+PmmhfjXQ==

Kdn7YMcoXYWjHId+0jhkHem2l30=

R7lnYeAfO1MUHIWyz9c/aoIvHxSvQA==

P7ZYVqmG6+Gk

hlk7m1hdnb0=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\4b9fed291230a554fb3885d1e3289111.exe
      "C:\Users\Admin\AppData\Local\Temp\4b9fed291230a554fb3885d1e3289111.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Users\Admin\AppData\Local\Temp\cfvrr.exe
        "C:\Users\Admin\AppData\Local\Temp\cfvrr.exe" "C:\Users\Admin\AppData\Local\Temp\uyjqf.au3"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Users\Admin\AppData\Local\Temp\cfvrr.exe
          "C:\Users\Admin\AppData\Local\Temp\cfvrr.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4760
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:2320

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cfvrr.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\cfvrr.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\cfvrr.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nnufgxkd.e
      Filesize

      65KB

      MD5

      cae96b5d3536a87ecbd87b3466230a62

      SHA1

      e5e5ab5baa128be874aa743b8cfa715d104de22e

      SHA256

      b99e5052b5159fb8c821570b1f1c8ebc48c6cffd3703ac97759916a18ee72e55

      SHA512

      e5e5daa4b4aac2edd491234e4c7b0a0275f78de42c95fd37eef4fe87f38cd36997909b0ec2dac6ac995dd4b3421902b93c7ec66c9e8ba21fb848352eb02a4b8a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uyjqf.au3
      Filesize

      7KB

      MD5

      0e79a764ddcf11db91c328384fea72e6

      SHA1

      c2c99d58fd94f2230879f953263ddc5056b311aa

      SHA256

      26f2d79fc51fd5ad1df3fe918b86fbe797b3129e9da94146891b1a8df06a84ff

      SHA512

      f190a32bf233d327139ae32c6172fc8528587af314ddca40d52810bd0c3e8e05d6876c8c271a36a37f1d98723fb4aabe93b866db132008eeb15fafd6aaeb45b9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\wuvsvacpqc.puv
      Filesize

      185KB

      MD5

      b9d61e2ca5480e2d583fbb85ca3bbfdf

      SHA1

      5eccfd09340fa7adad3edbebb618d0fb1c111e7d

      SHA256

      ac2d687ee6a1f519a957f36e2e2a01e2436c07cefa8bb489b2a900376bae9a5c

      SHA512

      17c87748640917a28f93a26c1c30f07520718e747838630b06f82e370a062d41736125cc308c0b8ebb9d3fb60f92377d9f83640569ed2c4b11c53e93f25d156d

      Download Submit
    • memory/1656-147-0x0000000000420000-0x000000000044D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1656-152-0x0000000000420000-0x000000000044D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1656-150-0x0000000002460000-0x00000000024EF000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1656-149-0x0000000002550000-0x000000000289A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1656-145-0x0000000000000000-mapping.dmp
      Download
    • memory/1656-146-0x0000000000590000-0x00000000005B7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2692-153-0x0000000009180000-0x00000000092D1000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2692-151-0x0000000009180000-0x00000000092D1000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2692-144-0x0000000008700000-0x00000000088AA000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/4760-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4760-142-0x0000000000422000-0x0000000000424000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4760-143-0x0000000000FB0000-0x0000000000FC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4760-141-0x00000000012F0000-0x000000000163A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4760-140-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4760-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4832-132-0x0000000000000000-mapping.dmp
      Download