Overview

overview

10

Static

static

70c2bfb3dd...a3.exe

windows7-x64

10

70c2bfb3dd...a3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2023 21:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70c2bfb3dd7b6467020e6ca5d7f037a3.exe

  • Size

    340KB

  • MD5

    70c2bfb3dd7b6467020e6ca5d7f037a3

  • SHA1

    3fef1cb454c1760936795c94f4504bf0f9ee00ba

  • SHA256

    ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3

  • SHA512

    e43b2c79e0aa5223a633d2018ca04b3371a4242dd1da4c41a2dd2b5e4d815557f0e2704f0ef47f937802abc19495f16260800c3c0ed009e9b8c7a524cc39f538

  • SSDEEP

    6144:vYa6TI+l4BN5yJ4PE7baks7hlP/WUC7NRXTLYaJqSSFvVDzqFGcGn13:vYB4BN4+87baF7XGUERjLYaJqXQGcGnN

Score
10/10
formbookw12eratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

w12e

Decoy

poshsalon.co.uk

ideeksha.net

eaglebreaks.com

exileine.me.uk

saveittoday.net

ceon.tech

estateagentswebsitedesign.uk

faropublicidade.com

depression-treatment-83678.com

informationdata16376.com

wirecreations.africa

coolsculpting-pros.life

ethoshabitats.com

amtindividual.com

gotoken.online

cherny-100-imec-msu.ru

historicaarcanum.com

gpsarhealthcare.com

kx1257.com

abdullahbinomar.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\70c2bfb3dd7b6467020e6ca5d7f037a3.exe
      "C:\Users\Admin\AppData\Local\Temp\70c2bfb3dd7b6467020e6ca5d7f037a3.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe
        "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe" C:\Users\Admin\AppData\Local\Temp\oyteaj.af
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3284
        • C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe
          "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2324
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe"
        3⤵
          PID:1804

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\acraquzzrv.wa
      Filesize

      205KB

      MD5

      ba5bb92e4cea6bf49ca73e365be9f960

      SHA1

      cbf53149f3e07623c7fc7fc3716d4a1c6b077380

      SHA256

      0ecd8a4f58319df5f2f5811a31041383871e7c45b5600c56efb20e818d2bff4b

      SHA512

      3d739b48fb9f6a9c94beffbefb226809c524e305d3f3c162897df64f4966259ea98b101f9e45bdccb9e9792a34c8c7e4071ed009a4e8e97df862fb79cb1f43ae

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\oyteaj.af
      Filesize

      5KB

      MD5

      d226323818b9d22aa10cf72eb9ed674f

      SHA1

      069a773dda5180ed9e5bf4f73281add4d2703363

      SHA256

      7b735eb480e6eedbe671dcba131bc226aafd4c9b039318944d45ed3470b968e3

      SHA512

      051a1de340d78040913a4d1845e0451cd33ae23e1d52c84f9ac419e2dcdfa7897e9b1b8f773ff8ae84c4722a3db14d085f19ce4e293d42518365320f7cba5a49

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe
      Filesize

      253KB

      MD5

      a3a5342dc14b3a616bf978c7ceb71628

      SHA1

      d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9

      SHA256

      9a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504

      SHA512

      f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe
      Filesize

      253KB

      MD5

      a3a5342dc14b3a616bf978c7ceb71628

      SHA1

      d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9

      SHA256

      9a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504

      SHA512

      f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe
      Filesize

      253KB

      MD5

      a3a5342dc14b3a616bf978c7ceb71628

      SHA1

      d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9

      SHA256

      9a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504

      SHA512

      f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac

      Download Submit
    • memory/1804-145-0x0000000000000000-mapping.dmp
      Download
    • memory/2324-144-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2324-137-0x0000000000000000-mapping.dmp
      Download
    • memory/2324-140-0x0000000000A10000-0x0000000000D5A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2324-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2324-141-0x00000000006D0000-0x00000000006E4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3056-142-0x0000000002C70000-0x0000000002DBB000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3056-151-0x0000000008540000-0x00000000086C4000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3056-152-0x0000000008540000-0x00000000086C4000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3212-143-0x0000000000000000-mapping.dmp
      Download
    • memory/3212-146-0x00000000003D0000-0x000000000050A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3212-147-0x00000000009D0000-0x00000000009FF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3212-148-0x0000000002C10000-0x0000000002F5A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3212-149-0x0000000002980000-0x0000000002A13000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3212-150-0x00000000009D0000-0x00000000009FF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3284-132-0x0000000000000000-mapping.dmp
      Download