Overview

overview

10

Static

static

Quotation ...22.exe

windows7-x64

10

Quotation ...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/01/2023, 02:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation RF181-2022.exe

  • Size

    753KB

  • MD5

    26d76b2a70a33f7d5a80e7508c281dcb

  • SHA1

    0de31ba488c53a8220590f2cfc94fde22b10e96b

  • SHA256

    3bdedad14e8d65032fccc3e16af3107b17fa664afb2f4c0cf081a8cdfb196f05

  • SHA512

    be7a9aa6b431ce601a4969252d67843a1d30b2151be83d7bd6c1bd9406d7955756d1577acfb86eb5343e9d94d1d25ab9d421f3f0d7a3ecaa7cb99239c765df44

  • SSDEEP

    12288:0JKsuO5p809sj0xMY6IIy4PryaZSQ8ORO1oTznmbhMWg3g43XR8:0JK+p8xjRfsuNwUEiTznmbng3R3XR8

Score
10/10
formbookoi05ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oi05

Decoy

fluidavail.online

blchain.tech

kyocera.website

sangmine.xyz

thepolicyjacket.info

ssvhelpman.net

y-t-design.com

eminentabroad.com

codingcamp.store

bester.capital

tanjiya23.site

bheniamyn.dev

top5monitor.com

bit-prim.trade

airstreamsocialclub.com

darkwarspod.com

zazisalesdistribution.com

vivolentlo.online

daftburo.net

elemangelsin.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\Quotation RF181-2022.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation RF181-2022.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\orLJIiAOHl.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4632
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\orLJIiAOHl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp56DA.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4368
      • C:\Users\Admin\AppData\Local\Temp\Quotation RF181-2022.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation RF181-2022.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:744
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3332
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Quotation RF181-2022.exe"
        3⤵
          PID:2840

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmp56DA.tmp
            Filesize

            1KB

            MD5

            72f5039a8f5e730b2d107a7b8bdd6189

            SHA1

            3ec70d5782f626e5f2cb478b81af54e9432e26d7

            SHA256

            ddc2ee3e4e8cac20a00df4b838cf3f2a0f1edbcf4c746b6dcbe848f810a8950d

            SHA512

            8ef53cba07b818871357c8531d32ebca923f50b4a3d93b0f174211348c34149eabf7fb8ad9c313d0289f3f7c44635aef75d113b59c074a3db0d36d945c713456

            Download Submit

          • memory/744-156-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/744-150-0x0000000001720000-0x0000000001734000-memory.dmp

            Filesize

            80KB

            Download

          • memory/744-149-0x0000000001840000-0x0000000001B8A000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/744-143-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/3044-171-0x0000000007E80000-0x0000000007F53000-memory.dmp

            Filesize

            844KB

            Download

          • memory/3044-169-0x0000000007E80000-0x0000000007F53000-memory.dmp

            Filesize

            844KB

            Download

          • memory/3044-151-0x0000000007D10000-0x0000000007E71000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3332-163-0x0000000000990000-0x00000000009BF000-memory.dmp

            Filesize

            188KB

            Download

          • memory/3332-168-0x0000000002930000-0x00000000029C3000-memory.dmp

            Filesize

            588KB

            Download

          • memory/3332-170-0x0000000000990000-0x00000000009BF000-memory.dmp

            Filesize

            188KB

            Download

          • memory/3332-162-0x0000000002A20000-0x0000000002D6A000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3332-161-0x0000000000ED0000-0x0000000000EF7000-memory.dmp

            Filesize

            156KB

            Download

          • memory/4260-136-0x0000000008090000-0x000000000812C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/4260-135-0x00000000055B0000-0x00000000055BA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4260-132-0x0000000000AC0000-0x0000000000B82000-memory.dmp

            Filesize

            776KB

            Download

          • memory/4260-134-0x0000000005500000-0x0000000005592000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4260-133-0x0000000005BC0000-0x0000000006164000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4632-141-0x0000000005760000-0x0000000005D88000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4632-154-0x0000000007460000-0x000000000747E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4632-157-0x0000000007E40000-0x00000000084BA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/4632-158-0x00000000077F0000-0x000000000780A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4632-153-0x0000000071100000-0x000000007114C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4632-160-0x0000000007870000-0x000000000787A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4632-152-0x00000000074A0000-0x00000000074D2000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4632-148-0x00000000064F0000-0x000000000650E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4632-146-0x0000000005E70000-0x0000000005ED6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4632-164-0x0000000007A70000-0x0000000007B06000-memory.dmp

            Filesize

            600KB

            Download

          • memory/4632-165-0x0000000007A20000-0x0000000007A2E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4632-166-0x0000000007B30000-0x0000000007B4A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4632-167-0x0000000007B10000-0x0000000007B18000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4632-145-0x0000000005D90000-0x0000000005DF6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4632-144-0x0000000005560000-0x0000000005582000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4632-139-0x0000000002BD0000-0x0000000002C06000-memory.dmp

            Filesize

            216KB

            Download