Overview

overview

10

Static

static

1

bfbb813e9a...31.exe

windows7-x64

10

bfbb813e9a...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-02-2023 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bfbb813e9a05c15ec2bc9aa9088bf82c7f5d57e7bfafee7c197944e339d16431.exe

  • Size

    302KB

  • MD5

    e092974dbde1ddbcd359bda0538e611a

  • SHA1

    4069e96dd291156f0ba5060bc58c7cefd2ec04a5

  • SHA256

    bfbb813e9a05c15ec2bc9aa9088bf82c7f5d57e7bfafee7c197944e339d16431

  • SHA512

    c03c8d0a5f09dcb27b86b98df862321a0a93e2b6307b714ae590b00fee38fb17466ab72db1bda2c3dcbea740145b0a7343ade4372dea78eeecc07a0b784c334c

  • SSDEEP

    6144:/Ya6TfVC7xXKhPQ7HWpHFHZq1A7tynn9LSXHUBbPv/LsDB9FiZeoQ:/YxfVC7xXcwHWplH468nwkh/LNeoQ

Score
10/10
formbookscseratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\bfbb813e9a05c15ec2bc9aa9088bf82c7f5d57e7bfafee7c197944e339d16431.exe
      "C:\Users\Admin\AppData\Local\Temp\bfbb813e9a05c15ec2bc9aa9088bf82c7f5d57e7bfafee7c197944e339d16431.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe
        "C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe" C:\Users\Admin\AppData\Local\Temp\snisehuiukr.aft
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe
          "C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4788
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:804

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\snisehuiukr.aft
      Filesize

      6KB

      MD5

      d6c5e174d28e544e5e071382225ebe84

      SHA1

      e15d24a8f257adf5dfd1d9dc16d4b1dcac790e0f

      SHA256

      60364186214ad7a04975e1517d1da8659aabcbb10c83383d6a0fe5e175f5c83d

      SHA512

      929444323c4e95fb9f9036f3bfd3393a1a2d4d890b4285baba469cd75cd7221e48c75f876f34990c691b7e7795b7359206eae553eda557ebcd0a84f7f7020fea

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe
      Filesize

      113KB

      MD5

      ad42d120fd479de41ccf8357f3975d1c

      SHA1

      e991f08d0794d34ba5c2705b80e02655cd181972

      SHA256

      452adc9e852b8443ecd044f8f6d7de9441e462d25c5ef91bb9f7c4d909e62a81

      SHA512

      612300ae7b61716918d901622082b820446a585a6de6d75ee5f2fa838701270573241398317654b4c49d55279fdce742600511ea559338ee7b69b65b0b6785ca

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe
      Filesize

      113KB

      MD5

      ad42d120fd479de41ccf8357f3975d1c

      SHA1

      e991f08d0794d34ba5c2705b80e02655cd181972

      SHA256

      452adc9e852b8443ecd044f8f6d7de9441e462d25c5ef91bb9f7c4d909e62a81

      SHA512

      612300ae7b61716918d901622082b820446a585a6de6d75ee5f2fa838701270573241398317654b4c49d55279fdce742600511ea559338ee7b69b65b0b6785ca

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe
      Filesize

      113KB

      MD5

      ad42d120fd479de41ccf8357f3975d1c

      SHA1

      e991f08d0794d34ba5c2705b80e02655cd181972

      SHA256

      452adc9e852b8443ecd044f8f6d7de9441e462d25c5ef91bb9f7c4d909e62a81

      SHA512

      612300ae7b61716918d901622082b820446a585a6de6d75ee5f2fa838701270573241398317654b4c49d55279fdce742600511ea559338ee7b69b65b0b6785ca

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\zbayzgtwi.t
      Filesize

      204KB

      MD5

      5eadf17dd6c25fcd1f02d714ce57194b

      SHA1

      d8416661eb026e01cd88a08175a1e1fb3018d0b0

      SHA256

      cfd858fa13304caa5757bfa26628d170c7fc9d9e0265ad3a014380d43691e650

      SHA512

      133f9899e47a3dda720f38f1e70322fda539e49590284857de9844bc73574a57c4c45a1da076e318eee87fa20d681a8c9ed6a6d82a9e70c855203b16fbb97d5f

      Download Submit
    • memory/1084-132-0x0000000000000000-mapping.dmp
      Download
    • memory/2708-143-0x0000000002E80000-0x0000000002FF0000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2708-151-0x0000000002BF0000-0x0000000002C96000-memory.dmp
      Filesize

      664KB

      Download
    • memory/2708-149-0x0000000002BF0000-0x0000000002C96000-memory.dmp
      Filesize

      664KB

      Download
    • memory/4768-147-0x0000000002850000-0x0000000002B9A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4768-144-0x0000000000000000-mapping.dmp
      Download
    • memory/4768-146-0x0000000000A00000-0x0000000000A2D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4768-145-0x0000000000160000-0x0000000000187000-memory.dmp
      Filesize

      156KB

      Download
    • memory/4768-148-0x00000000026F0000-0x000000000277F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/4768-150-0x0000000000A00000-0x0000000000A2D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4788-141-0x0000000000AD0000-0x0000000000E1A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4788-142-0x00000000004E0000-0x00000000004F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4788-140-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4788-139-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4788-137-0x0000000000000000-mapping.dmp
      Download