Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/01/2023, 13:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    913KB

  • MD5

    debe170f50f06aebab1d2f73f38c7e1c

  • SHA1

    4cb00e909a171eaf77e95ec8beace8940d9256bd

  • SHA256

    bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05

  • SHA512

    f56cad6bb311fde24294f39450e0fe75a70c9cffbd6ac525b554e11006401b51b18fef1c686f78da32dc29207b5e315b97fdb1c03a7b2f4b2b19a4164438f390

  • SSDEEP

    24576:sb8FUqa9ywhtVZWKqINBKXJCPXgVOKPPPD:/5a9B/bqIi8/gAiPD

Score
10/10
formbookg2fgratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rQEtqJzJtbIAJ.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4288
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rQEtqJzJtbIAJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp918.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3952
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4656
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
          PID:1252

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp918.tmp
      Filesize

      1KB

      MD5

      493df40b408fdda8c9a3a6d56918cec5

      SHA1

      f9482ed40cd05d67f43049e241881e33799287ba

      SHA256

      15497bf6e640f686577111d2566a96b6b243b5717a8cc46ce0b1ae20f0a4246d

      SHA512

      df8b1905bfdb7e85ee40f4030f16e35bf7ad05c5054b9ccdc797da563edae2f99670bfac8aad677203562b46663ad27f365d23029b90ad556650ee266bf66ff3

      Download Submit

    • memory/2016-136-0x00000000076B0000-0x000000000774C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2016-135-0x0000000004F20000-0x0000000004F2A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2016-132-0x0000000000490000-0x000000000057A000-memory.dmp

      Filesize

      936KB

      Download

    • memory/2016-134-0x0000000004F90000-0x0000000005022000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2016-133-0x0000000005540000-0x0000000005AE4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2080-151-0x0000000002FA0000-0x000000000305D000-memory.dmp

      Filesize

      756KB

      Download

    • memory/2080-171-0x0000000003310000-0x0000000003460000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2080-170-0x0000000003310000-0x0000000003460000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2364-164-0x0000000000AF0000-0x0000000000B1F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2364-163-0x0000000000FF0000-0x0000000001017000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2364-168-0x0000000000AF0000-0x0000000000B1F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2364-162-0x00000000029D0000-0x0000000002D1A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2364-169-0x0000000002900000-0x0000000002993000-memory.dmp

      Filesize

      588KB

      Download

    • memory/4288-160-0x0000000007950000-0x00000000079E6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4288-146-0x0000000005E50000-0x0000000005EB6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4288-152-0x0000000006980000-0x00000000069B2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4288-153-0x0000000071130000-0x000000007117C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4288-154-0x0000000006950000-0x000000000696E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4288-155-0x0000000007D10000-0x000000000838A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4288-156-0x00000000076D0000-0x00000000076EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4288-157-0x0000000007740000-0x000000000774A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4288-139-0x0000000002AB0000-0x0000000002AE6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4288-148-0x00000000063C0000-0x00000000063DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4288-142-0x00000000055C0000-0x0000000005BE8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4288-145-0x0000000005BF0000-0x0000000005C56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4288-144-0x0000000005400000-0x0000000005422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4288-167-0x00000000079F0000-0x00000000079F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4288-165-0x0000000007900000-0x000000000790E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4288-166-0x0000000007A10000-0x0000000007A2A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4656-143-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4656-149-0x0000000001840000-0x0000000001B8A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4656-159-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4656-150-0x0000000001790000-0x00000000017A4000-memory.dmp

      Filesize

      80KB

      Download