Analysis

  • max time kernel: 149s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21-12-2022 15:39

General

  • Target: 7015892.exe
  • Size: 252KB
  • MD5: 19990004ebbc8bf180d02aeda8246db9
  • SHA1: 52ec8c08e69bc87e65388341a633670da979de48
  • SHA256: 8f2f6e6735e483a6d8c6aac9817f9bf908e7e63f60a552bb64f8ca77d6c38d0e
  • SHA512: e1ef258c3b4f6335100c18ab5143785fa6c74575370db64f31eb4e5751bb160f01763f111bf85f4b61b955c8446a3d9a21237cc7a32b9ff17d58df3329f82f06
  • SSDEEP: 6144:7kw+Uw9SO9UWxHVHl4NON8lk1ycJxRqvROk2sf5:kH9P+Wl4k86ykBnsf5

Malware Config

Extracted

  • Family: formbook
  • Campaign: yurm
  • Decoy:


Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (13 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Users\Admin\AppData\Local\Temp\7015892.exe
      "C:\Users\Admin\AppData\Local\Temp\7015892.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Users\Admin\AppData\Local\Temp\xaxzqjgnle.exe
        "C:\Users\Admin\AppData\Local\Temp\xaxzqjgnle.exe" C:\Users\Admin\AppData\Local\Temp\dzwpvwcrqj.oj
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Users\Admin\AppData\Local\Temp\xaxzqjgnle.exe
          "C:\Users\Admin\AppData\Local\Temp\xaxzqjgnle.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:400
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:4404

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence (1): Registry Run Keys / Startup Folder, T1060
  • Defense Evasion (2): Modify Registry, T1112
  • Credential Access (1): Credentials in Files, T1081
  • Discovery (1): Query Registry, T1012
  • Discovery (2): System Information Discovery, T1082
  • Collection (1): Data from Local System, T1005

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dzwpvwcrqj.oj
    Filesize: 7KB
    MD5: 2916b6d518c3bdf5e075d4d508a1c018
    SHA1: 915b289191f4e7b047d227d4fd5a12f2248516e8
    SHA256: d8a93bd1e22142c40e94c6d8194dc0d042dd812512a5ac5dbd90c0fe7e2dcb81
    SHA512: 2d2e8f4d8a8fd2babaa790cdcf60b526c1183857d8cf697258cd3ffb314c66f28c2f57abd351ead45b7078c0502092a4b5a1d8453f36789238c19e0dab25cc33

  • C:\Users\Admin\AppData\Local\Temp\xaxzqjgnle.exe
    Filesize: 49KB
    MD5: 3c1561af162e360c5c30261cf146e1a7
    SHA1: 20f9c82d73ca27fca387cee2325cfe4a37bb7fc7
    SHA256: 11e2b64630e91db573dc2b8d8a3320bcc951bacd2e18be39ea3cc33fa0741a8b
    SHA512: 61c9ea3710c4cd3e824c9fd1abc9dd22aa804113383ef776790f9dc84b3e1d518325d6e99fa8c3f168460c5f12e5de7373ab03829b2e69a8b216caf26c873bcb

  • C:\Users\Admin\AppData\Local\Temp\yimkomsixc.nuc
    Filesize: 185KB
    MD5: 104a836621fab39a6d275bf55d1d0b7a
    SHA1: a0b4cb1172a79529f6c23df706008183cadd3acb
    SHA256: adfbdaa609481911932ba98dcbacbdbd02feca772617461c7c0eada07f5f5e64
    SHA512: 2029ab05a88c83f672b2ace0f38eaeefc006fb51f14f6908b4124c6eaa6279a79e04d7f35f558a2eedc4d24ca8f1b2e8efa0562f5b6fac72701746fc6e286cac

  • memory/400-142-0x00000000001F0000-0x0000000000200000-memory.dmp (Filesize: 64KB)
  • memory/400-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/400-140-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/400-141-0x0000000000A30000-0x0000000000D7A000-memory.dmp (Filesize: 3.3MB)
  • memory/400-137-0x0000000000000000-mapping.dmp
  • memory/1928-132-0x0000000000000000-mapping.dmp
  • memory/2576-149-0x0000000008300000-0x0000000008469000-memory.dmp (Filesize: 1.4MB)
  • memory/2576-143-0x0000000007260000-0x00000000073B9000-memory.dmp (Filesize: 1.3MB)
  • memory/2576-151-0x0000000008300000-0x0000000008469000-memory.dmp (Filesize: 1.4MB)
  • memory/4796-144-0x0000000000000000-mapping.dmp
  • memory/4796-146-0x0000000000940000-0x000000000096D000-memory.dmp (Filesize: 180KB)
  • memory/4796-148-0x0000000002820000-0x00000000028AF000-memory.dmp (Filesize: 572KB)
  • memory/4796-147-0x00000000029F0000-0x0000000002D3A000-memory.dmp (Filesize: 3.3MB)
  • memory/4796-150-0x0000000000940000-0x000000000096D000-memory.dmp (Filesize: 180KB)
  • memory/4796-145-0x00000000003F0000-0x0000000000417000-memory.dmp (Filesize: 156KB)