Overview

overview

10

Static

static

1

862c17b77e...e3.exe

windows7-x64

8

862c17b77e...e3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2023 11:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3.exe

  • Size

    799KB

  • MD5

    dfde7866b2de880f117836aa8d5b8adc

  • SHA1

    66006bb4a7d2a35841bfea14abf1536b20f7a974

  • SHA256

    862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3

  • SHA512

    499f08d5830a9c55c1a3526f54d24247eb16a27145a438496dc7b42698dbb89ae8f1b2773609b2a928ec0843e4bb95778500f9fb97f4b62a2aafa31dadf9d9a6

  • SSDEEP

    12288:OGlaKpWkdJ9pQ15Hzj4WlhjWPPvCLyZ+RvugSrmhktjxGty20qTszOFk:XlppWw9pC4pPPpkR0ymtjxUBYz0k

Score
10/10
formbookm9aepersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Users\Admin\AppData\Local\Temp\862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3.exe
      "C:\Users\Admin\AppData\Local\Temp\862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe
        "C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe" "C:\Users\Admin\AppData\Local\Temp\ruegnseq.au3"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe
          "C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1804
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:1316
      • C:\Windows\SysWOW64\WWAHost.exe
        "C:\Windows\SysWOW64\WWAHost.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:4268

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\aomagrjhydq.zd
        Filesize

        185KB

        MD5

        3080cac6a6b54539b068349098d18bca

        SHA1

        b1b729e3f1f05a58322c60037c4a9b517119df07

        SHA256

        1d95bc52ccb1fefbef0fd922ed362a89c9124ff54dd4b8e88f260b88b07931fe

        SHA512

        1434959da256a74055a3be42884458b6cb261443a7bf75a85fd5acad9520076e5a8670d8bbf8929228398a3231f766af653786dad788c13154afd8de99bcc7b4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ruegnseq.au3
        Filesize

        6KB

        MD5

        933d6334c65c9c911cab800fee8d20d5

        SHA1

        7f737a264b4a32ea0415a2dffc4f885a2c01e45d

        SHA256

        9a247631b0a296e0ace077af15a6362299b7b2043c97d00ae79bafb42f58f3bb

        SHA512

        fad050e7283f766d88d5eea5609ee46121e9316a9f2f754eda48035e47ebc27fa5548b893432cf537d00c2568b026c858b09b4a962f55968a4e24f538bfe12bb

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\wdvgqo.u
        Filesize

        84KB

        MD5

        90107de2c92c5aae6b3d3aae5db5051d

        SHA1

        8711975380ec1ab309e1f3d280d0648111b103d8

        SHA256

        ff0121b718cdcc67dcd3dcc08c43a2578ceed445566d1d3e20a51ba4641b283d

        SHA512

        a0180382b6e5ab61a5f86455695c5cbaf7307926a55bae01415de1b036c1fc53c1c8a06e4e27d5d0a036448c481a6e1b5fc02e3e5a4d6b5e82f424483d2d68d0

        Download Submit
      • memory/1804-141-0x0000000001400000-0x000000000174A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/1804-140-0x0000000000AA0000-0x0000000000ACF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1804-143-0x0000000000AC2000-0x0000000000AC4000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1804-144-0x0000000000C70000-0x0000000000C80000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1804-146-0x0000000000AA0000-0x0000000000ACF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1804-138-0x0000000000000000-mapping.dmp
        Download
      • memory/2484-151-0x0000000008230000-0x0000000008324000-memory.dmp
        Filesize

        976KB

        Download
      • memory/2484-142-0x0000000008840000-0x00000000089CD000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2484-154-0x0000000008230000-0x0000000008324000-memory.dmp
        Filesize

        976KB

        Download
      • memory/2484-152-0x0000000008840000-0x00000000089CD000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2736-147-0x0000000000D00000-0x0000000000DDC000-memory.dmp
        Filesize

        880KB

        Download
      • memory/2736-149-0x0000000001F30000-0x000000000227A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2736-148-0x0000000000CC0000-0x0000000000CED000-memory.dmp
        Filesize

        180KB

        Download
      • memory/2736-150-0x0000000001DC0000-0x0000000001E4F000-memory.dmp
        Filesize

        572KB

        Download
      • memory/2736-145-0x0000000000000000-mapping.dmp
        Download
      • memory/2736-153-0x0000000000CC0000-0x0000000000CED000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4088-132-0x0000000000000000-mapping.dmp
        Download