formbook | 1f13b5415eeb928d53bebf18d722931f88318acf23aba61e8fdb237604fa31e4

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2022 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889.js
Size

587KB
MD5

5566e15bfef44a5fd758e80f6dcd2151
SHA1

3c624232ced09083c78e4ae0f188826b9a329ebb
SHA256

5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889
SHA512

54ccac9c782a0d80b8e2e4cefd8263abc7bf95234b7e505eec352e7d9f29663719adfca16e6e8fd411293db32c021e49e711ae3679e32eb0d3220d322f05a000
SSDEEP

12288:pUBw3Cqaa0QxK8rVFsG2jUV+D22CyiGBFxpebbVZ5Px3Y4ke5:9nrPsGYDZhwr5

Score

10^/10

formbook vjw0rm ermr rat spyware stealer trojan worm

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 9 IoCs

Processes:

wscript.execmd.exe

flow	pid	process
5	3040	wscript.exe
24	3040	wscript.exe
41	3040	wscript.exe
47	3040	wscript.exe
49	1944	cmd.exe
55	1944	cmd.exe
56	3040	wscript.exe
58	1944	cmd.exe
61	3040	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

bin.exe

pid process

2036 bin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exebin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	bin.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEUuzreAeY.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEUuzreAeY.js	wscript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bin.execmd.exe

description	pid	process	target process
PID 2036 set thread context of 2096	2036	bin.exe	Explorer.EXE
PID 1944 set thread context of 2096	1944	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bin.execmd.exe

pid	process
2036	bin.exe
2036	bin.exe
2036	bin.exe
2036	bin.exe
2036	bin.exe
2036	bin.exe
2036	bin.exe
2036	bin.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe
1944	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2096 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

bin.execmd.exe

pid process

2036 bin.exe
2036 bin.exe
2036 bin.exe
1944 cmd.exe
1944 cmd.exe

pid	process
2096	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

bin.execmd.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2036	bin.exe
Token: SeDebugPrivilege	1944	cmd.exe
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2780 wrote to memory of 3040	2780	wscript.exe	wscript.exe
PID 2780 wrote to memory of 3040	2780	wscript.exe	wscript.exe
PID 2780 wrote to memory of 2036	2780	wscript.exe	bin.exe
PID 2780 wrote to memory of 2036	2780	wscript.exe	bin.exe
PID 2780 wrote to memory of 2036	2780	wscript.exe	bin.exe
PID 2096 wrote to memory of 1944	2096	Explorer.EXE	cmd.exe
PID 2096 wrote to memory of 1944	2096	Explorer.EXE	cmd.exe
PID 2096 wrote to memory of 1944	2096	Explorer.EXE	cmd.exe
PID 1944 wrote to memory of 4060	1944	cmd.exe	cmd.exe
PID 1944 wrote to memory of 4060	1944	cmd.exe	cmd.exe
PID 1944 wrote to memory of 4060	1944	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889.js
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PEUuzreAeY.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:3040

C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:992

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:5028

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1772

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:5044

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:636

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1880

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
3⤵
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bin.exe
Filesize
177KB

MD5
847f96edff4362a11a17a55a0f777394

SHA1
213b8bd653acaf9749af503b936fde0d9effdff4

SHA256
b7f9d8c856f2a427668235d49710a8ac3caa7bcaf5e317a064205127df431061

SHA512
6aed480e2aca2414e47d44e87ddce59da4809de9629c5fbc9c3e3bd1665a173efec1f13a3275d95ffcc63394b854caf9d2cd7e80af2868a08d0f8885b5470227

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin.exe
Filesize
177KB

MD5
847f96edff4362a11a17a55a0f777394

SHA1
213b8bd653acaf9749af503b936fde0d9effdff4

SHA256
b7f9d8c856f2a427668235d49710a8ac3caa7bcaf5e317a064205127df431061

SHA512
6aed480e2aca2414e47d44e87ddce59da4809de9629c5fbc9c3e3bd1665a173efec1f13a3275d95ffcc63394b854caf9d2cd7e80af2868a08d0f8885b5470227

Download Submit
C:\Users\Admin\AppData\Roaming\PEUuzreAeY.js
Filesize
98KB

MD5
29e26335e11a3dd5711f04c656a77cce

SHA1
2d816b08438757735204b4393eb690c28d8be31d

SHA256
e340fc4a6738ea2dd109b67be979b987a3b46e0c5f604fdf6e002632d92ae594

SHA512
3914f03fe8988648d2cef0b4be5f89db23419e7b681a02c6360de3a6641a7598b86f657093ae3d913776f2e43b48b8ad7b1a05751404936d854814cadd09589e

Download Submit
memory/1944-145-0x0000000001660000-0x00000000016F0000-memory.dmp

Filesize
576KB

Download
memory/1944-140-0x0000000000000000-mapping.dmp

Download
memory/1944-142-0x00000000002C0000-0x000000000031A000-memory.dmp

Filesize
360KB

Download
memory/1944-146-0x0000000000F80000-0x0000000000FAD000-memory.dmp

Filesize
180KB

Download
memory/1944-143-0x00000000018C0000-0x0000000001C0A000-memory.dmp

Filesize
3.3MB

Download
memory/1944-144-0x0000000000F80000-0x0000000000FAD000-memory.dmp

Filesize
180KB

Download
memory/2036-134-0x0000000000000000-mapping.dmp

Download
memory/2036-137-0x0000000001580000-0x00000000018CA000-memory.dmp

Filesize
3.3MB

Download
memory/2036-138-0x0000000001560000-0x0000000001571000-memory.dmp

Filesize
68KB

Download
memory/2096-175-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-180-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-215-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2096-148-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-149-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-150-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-151-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-152-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-153-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-154-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-155-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-156-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-157-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-158-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-159-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-160-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-161-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-162-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-163-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-164-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-165-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/2096-166-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2096-167-0x0000000007E80000-0x0000000007E90000-memory.dmp

Filesize
64KB

Download
memory/2096-168-0x0000000007E80000-0x0000000007E90000-memory.dmp

Filesize
64KB

Download
memory/2096-169-0x0000000008250000-0x0000000008387000-memory.dmp

Filesize
1.2MB

Download
memory/2096-170-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2096-171-0x0000000007E80000-0x0000000007E90000-memory.dmp

Filesize
64KB

Download
memory/2096-172-0x0000000007E80000-0x0000000007E90000-memory.dmp

Filesize
64KB

Download
memory/2096-173-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-174-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-139-0x00000000027F0000-0x0000000002975000-memory.dmp

Filesize
1.5MB

Download
memory/2096-176-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-177-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-178-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-179-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-147-0x0000000008250000-0x0000000008387000-memory.dmp

Filesize
1.2MB

Download
memory/2096-181-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-182-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-183-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-184-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-185-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-186-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-187-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-188-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-189-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-190-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2096-191-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2096-192-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2096-193-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2096-194-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2096-195-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2096-196-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-197-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-198-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-199-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-200-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-201-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-202-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-203-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-204-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-205-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-206-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-207-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-208-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-209-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-210-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-211-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-212-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-213-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/2096-214-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3040-132-0x0000000000000000-mapping.dmp

Download
memory/4060-141-0x0000000000000000-mapping.dmp

Download