Overview

overview

10

Static

static

a1c968590d...ad.exe

windows7-x64

10

a1c968590d...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    173s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2022 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1c968590da09ecc1af225059c8b86af05f84465ff069b5327ea9c25172201ad.exe

  • Size

    913KB

  • MD5

    7a37f59f86f494bd672237e660b3389c

  • SHA1

    811bc7fb1a470ca91165e2450a0fd33e0ee663af

  • SHA256

    a1c968590da09ecc1af225059c8b86af05f84465ff069b5327ea9c25172201ad

  • SHA512

    8217869012dbc876b900d55c971228e9eabe1171b20c75ac7c0129f74229588fd455135e5155bcd1c751c37e8f369bacb7c9a2201646f218a11c6adffd8b644b

  • SSDEEP

    12288:T5zlrGP6oP8qZExrT9sg98NBXdAyq+RDN+3bZY+:PiPn5ZwrpH85A9+RDo

Score
10/10
formbookbwe0ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

bwe0

Decoy

GA8abA96SLI=

RjM/QAsrNyRPlNEjahNMdKXlPtbXpQ==

rOQ4ySihIKVFhRnhZxfZ

iSnyAlGXQBSBwz1C

SYfcQ54ijGWAuQq1UQTE

XRcVgsQIO8FVnvCOiHLvE3k=

K2XLULRJuod6I3dO

S4oH5i5i3+expw==

4hZdto3RgCY9esve1k7T5x9YPw==

fkpgXDuEv2NzvxCcq2AxMnE=

13czFGvtsco1gf8=

ub4KhXCsZ/qnnvYTijN3dA==

WD5IRIcJB51Hfs8grBnldA==

YqxA1LPudXGKyP1FlQ==

MZHXMBdZ8Mf2X3ZjSVY=

7mLLNhchknqdLVbz+6ci4VeD

66OK6kmRv8N6I3dO

+97y8jK5vTnIn8crIwyHnRxv03Kp

PC1PqPJ6573fH0aUnGAxMnE=

3BFlt4nJcA3Inb3TGO02bq++XzWRMVg=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Local\Temp\a1c968590da09ecc1af225059c8b86af05f84465ff069b5327ea9c25172201ad.exe
      "C:\Users\Admin\AppData\Local\Temp\a1c968590da09ecc1af225059c8b86af05f84465ff069b5327ea9c25172201ad.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FBZUkDpXKX.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4952
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FBZUkDpXKX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6E9.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4712
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:5088
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
        PID:4608

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA6E9.tmp
      Filesize

      1KB

      MD5

      c51ae6daedcbcb29cb568ad81aa73ffb

      SHA1

      64a4153689df71cd042e7835240bdbb271604bfd

      SHA256

      f35befaa8e1dcf19ee09bdfe443a7831f2a1f019694422fe6e8a9621d0cf07b5

      SHA512

      45eeecac1cdeb1498e67cf31dfb9e21ab3f627bd79b38b8efa6a805239e5a4938f910f63144a9eb85ace71dc4dfb874c5ac2a33274493a171a1c67219e0ea859

      Download Submit

    • memory/1076-137-0x00000000091E0000-0x0000000009246000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1076-133-0x0000000005A40000-0x0000000005FE4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1076-134-0x00000000053D0000-0x0000000005462000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1076-136-0x0000000008D80000-0x0000000008E1C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1076-132-0x0000000000950000-0x0000000000A3A000-memory.dmp

      Filesize

      936KB

      Download

    • memory/1076-135-0x0000000005490000-0x000000000549A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2080-151-0x0000000003310000-0x0000000003468000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4608-153-0x0000000000000000-mapping.dmp

      Download

    • memory/4608-155-0x0000000000BA0000-0x0000000000BCB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/4608-154-0x0000000000610000-0x000000000074A000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4712-139-0x0000000000000000-mapping.dmp

      Download

    • memory/4952-146-0x0000000005320000-0x0000000005386000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4952-141-0x0000000004C10000-0x0000000005238000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4952-140-0x0000000002120000-0x0000000002156000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4952-152-0x0000000005A90000-0x0000000005AAE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4952-138-0x0000000000000000-mapping.dmp

      Download

    • memory/4952-144-0x0000000005280000-0x00000000052A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5088-148-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/5088-149-0x0000000001730000-0x0000000001A7A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5088-143-0x0000000000000000-mapping.dmp

      Download

    • memory/5088-150-0x0000000001290000-0x00000000012A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5088-145-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download