Overview

overview

10

Static

static

REVISED_.exe

windows7-x64

10

REVISED_.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2022 19:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    REVISED_.exe

  • Size

    573KB

  • MD5

    0e27fab3f710b0b524091aba6ed455c7

  • SHA1

    2b6aca7bc31a565f0cb1e00d9daab463b570f269

  • SHA256

    40f511e420e73d2cb620d782e9ed31dbd1dabe4103b31e025a4158d39a209a5e

  • SHA512

    d795b666ec53c9ed058c8fa77dac06e6e77f9d4871dfea8d59ebe49653b9b0620d292677482a88e81b276893948780db6ecc7b7e67ebb1c2a1995fc16876ba2a

  • SSDEEP

    6144:/+qpqSmgUZtFUaJqMJ3iwyoqAnrHxC4AbUkO0dDW8P4SATkU6Uk5dWXwzlf7Tvm:GqgSmdzUZAUndDWE4pkFv5DzA

Score
10/10
formbookf9r5ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

f9r5

Decoy

teknotimur.com

zuliboo.com

remmingtoncampbell.com

vehicletitleloansphoenix.com

sen-computer.com

98731.biz

shelikesblu.com

canis-totem.com

metaversemedianetwork.com

adsdu.com

vanishmediasystems.com

astewaykebede.com

wszhongxue.com

gacha-animator-free.com

papatyadekorasyon.com

mqc168.top

simplebrilliantsolutions.com

jubileehawkesprairie.com

ridflab.com

conboysfilm.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Local\Temp\REVISED_.exe
      "C:\Users\Admin\AppData\Local\Temp\REVISED_.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GlzwuZ.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1752
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GlzwuZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BD0.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2044
      • C:\Users\Admin\AppData\Local\Temp\REVISED_.exe
        "C:\Users\Admin\AppData\Local\Temp\REVISED_.exe"
        3⤵
          PID:4676
        • C:\Users\Admin\AppData\Local\Temp\REVISED_.exe
          "C:\Users\Admin\AppData\Local\Temp\REVISED_.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2088
      • C:\Windows\SysWOW64\cmmon32.exe
        "C:\Windows\SysWOW64\cmmon32.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3348
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\REVISED_.exe"
          3⤵
            PID:3184

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp3BD0.tmp
        Filesize

        1KB

        MD5

        ad4c708a289312d4cc590431e3613309

        SHA1

        95b6218d9a4518492d9eb2aa9e5da0e44f5bbbd8

        SHA256

        862a750edcde0e0410398db965ac7d54e69c696bf03f3ce061196289f25a05b8

        SHA512

        ab5a1b5f0731f19e453236a3244e6e8105ebcd14177a17efa313d405475541a46e7670f3e3460e89393e8abb1cfcc8ca2af8637ef3b899fe7f09abb6c93b9b82

        Download Submit
      • memory/1752-146-0x0000000006070000-0x00000000060D6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1752-160-0x0000000073390000-0x00000000733DC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/1752-161-0x00000000077C0000-0x00000000077DE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1752-169-0x0000000007E00000-0x0000000007E96000-memory.dmp
        Filesize

        600KB

        Download
      • memory/1752-137-0x0000000000000000-mapping.dmp
        Download
      • memory/1752-159-0x00000000077E0000-0x0000000007812000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1752-139-0x00000000051B0000-0x00000000051E6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1752-140-0x0000000005820000-0x0000000005E48000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/1752-172-0x0000000007DF0000-0x0000000007DF8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1752-142-0x0000000005E50000-0x0000000005E72000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1752-168-0x0000000007BD0000-0x0000000007BDA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1752-147-0x0000000006190000-0x00000000061F6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1752-170-0x0000000007DB0000-0x0000000007DBE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1752-171-0x0000000007EA0000-0x0000000007EBA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1752-166-0x00000000081B0000-0x000000000882A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/1752-167-0x0000000007B70000-0x0000000007B8A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1752-152-0x0000000006140000-0x000000000615E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2044-138-0x0000000000000000-mapping.dmp
        Download
      • memory/2088-150-0x0000000001370000-0x0000000001384000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2088-149-0x00000000013B0000-0x00000000016FA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2088-154-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2088-144-0x0000000000000000-mapping.dmp
        Download
      • memory/2088-145-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2616-151-0x0000000007C00000-0x0000000007D11000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2616-165-0x0000000008BD0000-0x0000000008D5F000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2616-164-0x0000000008BD0000-0x0000000008D5F000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3184-158-0x0000000000000000-mapping.dmp
        Download
      • memory/3348-153-0x0000000000000000-mapping.dmp
        Download
      • memory/3348-162-0x0000000000980000-0x00000000009AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3348-163-0x0000000002970000-0x0000000002A03000-memory.dmp
        Filesize

        588KB

        Download
      • memory/3348-157-0x0000000002B00000-0x0000000002E4A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3348-156-0x0000000000980000-0x00000000009AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3348-155-0x0000000000A30000-0x0000000000A3C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/4676-143-0x0000000000000000-mapping.dmp
        Download
      • memory/4712-132-0x0000000000BB0000-0x0000000000C46000-memory.dmp
        Filesize

        600KB

        Download
      • memory/4712-136-0x00000000092F0000-0x000000000938C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4712-135-0x0000000005690000-0x000000000569A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4712-134-0x00000000055E0000-0x0000000005672000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4712-133-0x0000000005C60000-0x0000000006204000-memory.dmp
        Filesize

        5.6MB

        Download