Overview

overview

10

Static

static

1

Betalnings...ab.exe

windows7-x64

10

Betalnings...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2022 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Betalningsaviseringsanmärkning - 0000274553.cab.exe

  • Size

    535KB

  • MD5

    5c6d494467d89ff50a77cc878c8c9539

  • SHA1

    11618f354cc30d7a5716a687b9384138a0f46b5b

  • SHA256

    306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0

  • SHA512

    6ed42edf100c076f422231c55e5df1ca9d1dda8c139fe7a19748f97685469c2a3042b9b23d222ea26c68a216c596b5084d4dc16238382cc7c3d0bad9e82c9394

  • SSDEEP

    6144:/kw+0xk6e96C2U/2aqg9JBP/gr0TdFpyI7a5SQ/GBQDLJCoF7PdcUFauRugGcSnu:slzAKpgCb7kSQKQXJ7tF34gNV

Score
10/10
formbookm9aepersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\Betalningsaviseringsanmärkning - 0000274553.cab.exe
      "C:\Users\Admin\AppData\Local\Temp\Betalningsaviseringsanmärkning - 0000274553.cab.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
        "C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe" C:\Users\Admin\AppData\Local\Temp\pmxskx.hap
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
          "C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:552
    • C:\Windows\SysWOW64\wuapp.exe
      "C:\Windows\SysWOW64\wuapp.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1280

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\glolpx.d
      Filesize

      185KB

      MD5

      8da1a70786ac6e4f3dfb388eb1fd8afc

      SHA1

      5ba11c38ed1053aeaac158dff30a803a4d4410a8

      SHA256

      63eb014dd1a10b91067357e5692397ab1464bf3b146ba9baf199fe48ec5ac7c6

      SHA512

      b57314d2bd94d93b635f8c14aa67259915153b2aa238c1445e5d5b00a5cd6cd7dc250ea9ac499169ee85c99c9cf4e3e6bce986cfaa97c865afd2d6813d5efffc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\pmxskx.hap
      Filesize

      7KB

      MD5

      418b6039126a6cbb2921062ad20f4647

      SHA1

      505d64913e58eedfdbe0adc5d88385d36f3470fd

      SHA256

      6c069ae01b50d2553e568d274dbcb015f9ec95f3ef25283a7182f6c532cf9435

      SHA512

      4cf5e5e57d0352231bddf83b3f335d6ca359cb48480fb974dfe0133eba8171a5745fa65e22b8cbdfcaafc6e77ac366ee0d71aea7bcc27682ae67bcf9434cadeb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
      Filesize

      287KB

      MD5

      b1710f487cd6c24bd3eaa637f90198ab

      SHA1

      0c9b0b875ffc7497a25236c50dd17e676c8aa098

      SHA256

      443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

      SHA512

      26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
      Filesize

      287KB

      MD5

      b1710f487cd6c24bd3eaa637f90198ab

      SHA1

      0c9b0b875ffc7497a25236c50dd17e676c8aa098

      SHA256

      443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

      SHA512

      26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
      Filesize

      287KB

      MD5

      b1710f487cd6c24bd3eaa637f90198ab

      SHA1

      0c9b0b875ffc7497a25236c50dd17e676c8aa098

      SHA256

      443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

      SHA512

      26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

      Download Submit
    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      841KB

      MD5

      5fc6cd5d5ca1489d2a3c361717359a95

      SHA1

      5c630e232cd5761e7a611e41515be4afa3e7a141

      SHA256

      85c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81

      SHA512

      5f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792

      Download Submit
    • \Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
      Filesize

      287KB

      MD5

      b1710f487cd6c24bd3eaa637f90198ab

      SHA1

      0c9b0b875ffc7497a25236c50dd17e676c8aa098

      SHA256

      443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

      SHA512

      26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

      Download Submit
    • \Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
      Filesize

      287KB

      MD5

      b1710f487cd6c24bd3eaa637f90198ab

      SHA1

      0c9b0b875ffc7497a25236c50dd17e676c8aa098

      SHA256

      443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

      SHA512

      26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

      Download Submit
    • memory/552-67-0x0000000000860000-0x0000000000B63000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/552-65-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/552-66-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/552-68-0x0000000000422000-0x0000000000424000-memory.dmp
      Filesize

      8KB

      Download
    • memory/552-69-0x00000000000F0000-0x0000000000100000-memory.dmp
      Filesize

      64KB

      Download
    • memory/552-63-0x00000000004012B0-mapping.dmp
      Download
    • memory/560-74-0x0000000000990000-0x0000000000C93000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/560-75-0x0000000000860000-0x00000000008EF000-memory.dmp
      Filesize

      572KB

      Download
    • memory/560-71-0x0000000000000000-mapping.dmp
      Download
    • memory/560-72-0x0000000000D20000-0x0000000000D2B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/560-73-0x0000000000090000-0x00000000000BD000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1236-70-0x00000000040A0000-0x0000000004162000-memory.dmp
      Filesize

      776KB

      Download
    • memory/1236-76-0x0000000005F10000-0x000000000606C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1236-78-0x0000000005F10000-0x000000000606C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1624-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp
      Filesize

      8KB

      Download