Overview

overview

10

Static

static

1

32398cba36...33.exe

windows7-x64

10

32398cba36...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2022 14:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exe

  • Size

    213KB

  • MD5

    ace23ae0a5524989a50081e0416cd06f

  • SHA1

    d5ee9183be486bf153d7666ca4301e600ea06087

  • SHA256

    32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33

  • SHA512

    9ae64c7e067d123357887951cbb4e5dfa1876a4a8febb41f6e9065e9c0cf0aaf68f4c0a449fe89ec46d51a807c545609b005bdbe4efdc34128a1c1de2287ed4f

  • SSDEEP

    6144:QBn17YpPP72F3ApRMkW5lYeXzYMXAkqs1ZOcABcqGKq:g7YpH1RepXACZGAN

Score
10/10
formbookje14ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Users\Admin\AppData\Local\Temp\32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exe
      "C:\Users\Admin\AppData\Local\Temp\32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe
        "C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe" C:\Users\Admin\AppData\Local\Temp\rdsdqatpbhs.z
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4320
        • C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe
          "C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2020
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe"
        3⤵
          PID:4524

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\gvffc.ytu
      Filesize

      185KB

      MD5

      0259fde3e396b0abdf865d2227a3e1b6

      SHA1

      d9d03d8050e968b192bb1fc112fe28d53df4bded

      SHA256

      ca6c0d21f3ea9f6a8c67f0ba534ab394fd05b3ecfa6576428cea4ce42adb6861

      SHA512

      8ba17292d2fb3a0324e49bd5c490c3a2139c7079290399709582131d26d061f1eaddb5c8e5363bf79797bf55e34f791b3c0c7eb64eb3756fc8bdd00e79c3dd9c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rdsdqatpbhs.z
      Filesize

      6KB

      MD5

      b34b9ffd1150f121d29fcd48c89d7de4

      SHA1

      fe76263983ef50bb1f46c44e3ee1d85c87cb56d9

      SHA256

      ecc775d058ed2b1f6746748a3e28e3117188225e3c63766250e3b4287c6fe538

      SHA512

      a820cf2892b3569af35477f2bd26d7e44121f165214ca9dec9de0d26e8831751f04e57d3409e9cdfb3dc81b1c2b21072b0c8a73caa4fa2a24fd53c324054e476

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe
      Filesize

      12KB

      MD5

      d5a51803072a4fc064ba840fa97b052c

      SHA1

      29b163435bb0e4d7e7532108af9fdf2d346ad204

      SHA256

      52f984ff112c1b873209cacafecf5e774bb4100083a9049e741b93baaa63b75b

      SHA512

      c9f15cefd8a002dbba8a1cf80299b227e82a867824346739521ca1d671908842f29aa837b8da01e7c42a11af39597a8969a055a0ef87076ca1dccfea82f8da73

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe
      Filesize

      12KB

      MD5

      d5a51803072a4fc064ba840fa97b052c

      SHA1

      29b163435bb0e4d7e7532108af9fdf2d346ad204

      SHA256

      52f984ff112c1b873209cacafecf5e774bb4100083a9049e741b93baaa63b75b

      SHA512

      c9f15cefd8a002dbba8a1cf80299b227e82a867824346739521ca1d671908842f29aa837b8da01e7c42a11af39597a8969a055a0ef87076ca1dccfea82f8da73

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe
      Filesize

      12KB

      MD5

      d5a51803072a4fc064ba840fa97b052c

      SHA1

      29b163435bb0e4d7e7532108af9fdf2d346ad204

      SHA256

      52f984ff112c1b873209cacafecf5e774bb4100083a9049e741b93baaa63b75b

      SHA512

      c9f15cefd8a002dbba8a1cf80299b227e82a867824346739521ca1d671908842f29aa837b8da01e7c42a11af39597a8969a055a0ef87076ca1dccfea82f8da73

      Download Submit
    • memory/848-143-0x0000000000DA0000-0x0000000000DB4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/848-150-0x00000000007B0000-0x00000000007DF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/848-148-0x0000000002750000-0x00000000027E3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/848-145-0x0000000002AC0000-0x0000000002E0A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/848-144-0x00000000007B0000-0x00000000007DF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/848-142-0x0000000000000000-mapping.dmp
      Download
    • memory/2020-137-0x0000000000000000-mapping.dmp
      Download
    • memory/2020-140-0x0000000000860000-0x0000000000874000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2020-139-0x0000000000BC0000-0x0000000000F0A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2832-141-0x0000000002970000-0x0000000002A7A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2832-147-0x0000000002970000-0x0000000002A7A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2832-149-0x00000000081A0000-0x0000000008321000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2832-151-0x00000000081A0000-0x0000000008321000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/4320-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4524-146-0x0000000000000000-mapping.dmp
      Download