Overview

overview

10

Static

static

1

roror9983.exe

windows7-x64

10

roror9983.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-03-2023 01:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    roror9983.exe

  • Size

    260KB

  • MD5

    8f974c18e52474d38b4eed8a7dfe8490

  • SHA1

    4375371f00c0e2121a6b6902ad6ddd6f13836c23

  • SHA256

    2df9699c284bbd4241206481258a4c7e0a21eec0b4a88ab41cfd58de8d65154a

  • SHA512

    6b8739c43f2bc91de08990565fba3056fc8a881bdacd5d72df23ef2b8f9aff2854437cc0f439c91d868ae47b39248b791ae78cc293823eda345768c2872ccded

  • SSDEEP

    6144:PYa6W4IR3lE+7kCU7iUsrVSHs+Q8SpuccoPQuGKDTpIha:PY44I9d7kCbSHsWSpu3wHTSha

Score
10/10
formbookre29ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Users\Admin\AppData\Local\Temp\roror9983.exe
      "C:\Users\Admin\AppData\Local\Temp\roror9983.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe
        "C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe" C:\Users\Admin\AppData\Local\Temp\gxtunhjm.u
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe
          "C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1412
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe"
        3⤵
          PID:2496

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\gxtunhjm.u
      Filesize

      5KB

      MD5

      9c6bd0bb30c225029b33b9a622676edf

      SHA1

      a620616fcf43069ee9e20b3b0238dfea46418562

      SHA256

      7c0546fa875f83435511e59b7b4ea542aa1c5e52b7f19690096b44870d80c85d

      SHA512

      e955ec6842ffad66c1f06264acc6bc66f32ba7e1e885a91679874e732ec07941fdd27189a5ca2d552f43a662158c5a571a908777e6aed321ab6af2685ae5899b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe
      Filesize

      53KB

      MD5

      558d56d5c47921642a7a268c43f9c98f

      SHA1

      454006005090f57886a4a4cba6e5473bfc5b16b3

      SHA256

      55dbcca3e82e51a7697b94a25f6502bb8eb556276800634a2ada357b323fd06f

      SHA512

      e248a202287b65c4825e3c4699ef3eda46602e9796bc068cc47ef3193a24834dc3a75055453730e1644eba674454e7c4319274982e6d0905e91f13bc5231f1c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe
      Filesize

      53KB

      MD5

      558d56d5c47921642a7a268c43f9c98f

      SHA1

      454006005090f57886a4a4cba6e5473bfc5b16b3

      SHA256

      55dbcca3e82e51a7697b94a25f6502bb8eb556276800634a2ada357b323fd06f

      SHA512

      e248a202287b65c4825e3c4699ef3eda46602e9796bc068cc47ef3193a24834dc3a75055453730e1644eba674454e7c4319274982e6d0905e91f13bc5231f1c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe
      Filesize

      53KB

      MD5

      558d56d5c47921642a7a268c43f9c98f

      SHA1

      454006005090f57886a4a4cba6e5473bfc5b16b3

      SHA256

      55dbcca3e82e51a7697b94a25f6502bb8eb556276800634a2ada357b323fd06f

      SHA512

      e248a202287b65c4825e3c4699ef3eda46602e9796bc068cc47ef3193a24834dc3a75055453730e1644eba674454e7c4319274982e6d0905e91f13bc5231f1c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\wmxdaktwrjk.c
      Filesize

      205KB

      MD5

      6a9c839430bc4a8ecab76552ad0870b8

      SHA1

      13e246d8142b26d8da57b38eeab511ff21eb2413

      SHA256

      d24ede35fca57acde825da02bdfb3181ddb454f487e727a853650892ac58fe21

      SHA512

      449f4033c67602d717e443bc290860bca97ead17ab3d141728ed4891c6f7b4715edd390ab9d917cb6e847ba7a51d48ff6c69e9fe624814ac67a50d4a5648983a

      Download Submit

    • memory/1412-146-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1412-147-0x00000000012D0000-0x000000000161A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1412-148-0x0000000000E40000-0x0000000000E54000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1412-142-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3164-160-0x00000000091C0000-0x00000000092CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3164-149-0x0000000008FC0000-0x00000000090CD000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3164-163-0x00000000091C0000-0x00000000092CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3164-161-0x00000000091C0000-0x00000000092CF000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3616-150-0x0000000000C30000-0x0000000000C42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3616-156-0x0000000002870000-0x0000000002BBA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3616-157-0x00000000008B0000-0x00000000008DF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3616-159-0x00000000026B0000-0x0000000002743000-memory.dmp

      Filesize

      588KB

      Download

    • memory/3616-155-0x00000000008B0000-0x00000000008DF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3616-154-0x0000000000C30000-0x0000000000C42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3616-152-0x0000000000C30000-0x0000000000C42000-memory.dmp

      Filesize

      72KB

      Download