Overview

overview

10

Static

static

1

Comprobant...20.exe

windows7-x64

10

Comprobant...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    21-03-2023 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Comprobante de pago INT_EMP221226 20230320_$2763320.exe

  • Size

    1.1MB

  • MD5

    12411b3710982c190df4993dfe2e3761

  • SHA1

    c66d8a7b15ed34380fde79e4cd2892f934e4b8bc

  • SHA256

    6fef888e6f662744463a37949ee1df183c279e42baf355319484293748ded41b

  • SHA512

    386a3e3036cd2317aaf1b984c13a49d1d678c82c46de9f2001aa4243892ebc330b6005a2490a3683efbf3d686bfee350c4afa1ea2851b86f3b52079bebc57ab2

  • SSDEEP

    24576:4qIRuN3c+/weL3uzxKPH1BYBWLv6QT6JdrD:4HRuNMqwYuzxKPfYIj6QGJdr

Score
10/10
formbookjr22ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr22

Decoy

941zhe.com

lunarportal.space

xn--osmaniyeiek-t9ab.online

trejoscar.com

nrnursery.com

quizcannot.cfd

seedstockersthailand.com

watsonwindow.com

wjfholdings.com

weziclondon.com

naruot.xyz

yeji.plus

classicmenstore.com

oharatravel.com

therapyplankits.com

keviegreshonpt.com

qdlyner.com

seithupaarungal.com

casinorates.online

8ug4as.icu

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\Comprobante de pago INT_EMP221226 20230320_$2763320.exe
      "C:\Users\Admin\AppData\Local\Temp\Comprobante de pago INT_EMP221226 20230320_$2763320.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Comprobante de pago INT_EMP221226 20230320_$2763320.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1144
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LeveKWtqgONPA.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:268
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LeveKWtqgONPA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B5C.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1808
      • C:\Users\Admin\AppData\Local\Temp\Comprobante de pago INT_EMP221226 20230320_$2763320.exe
        "C:\Users\Admin\AppData\Local\Temp\Comprobante de pago INT_EMP221226 20230320_$2763320.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:960
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Comprobante de pago INT_EMP221226 20230320_$2763320.exe"
        3⤵
        • Deletes itself
        PID:876

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3B5C.tmp
    Filesize

    1KB

    MD5

    63569d95ca9ba32f88aa5aafb7b817bd

    SHA1

    e385d3e7800112e1c0ae3702cec39f82c3699a54

    SHA256

    0ce2af01fbad9f711321b0f0e9eafcdad5795a4f8fa99a6447062b89281bd6ef

    SHA512

    bd50889e8a8c3dc72077a4395728bba1e7e805a70985c3d2726f3df6fa2f25ff39014ac632a7295d7b79724b03bd506762d8735f3ca565a83240aea902801551

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QJ64BLRLSL96MRF81K4U.temp
    Filesize

    7KB

    MD5

    8aca544e7c55248df56c3d973dfce020

    SHA1

    00d6beb3320b7841055dfef0c08565dec4faee4a

    SHA256

    2e85bb803d110c869ec0dcab1d3ec95c6166a9dee49964ea55adb87af7869188

    SHA512

    f309afe9a532cafbf706fe0d5ea834776ff0dae19e3a11537a56a3a0beb7010aef3d39f1c17ea9d0d39ae7f3baa71aa340fb0d4fc3964aa80d844ef3fe178a91

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    8aca544e7c55248df56c3d973dfce020

    SHA1

    00d6beb3320b7841055dfef0c08565dec4faee4a

    SHA256

    2e85bb803d110c869ec0dcab1d3ec95c6166a9dee49964ea55adb87af7869188

    SHA512

    f309afe9a532cafbf706fe0d5ea834776ff0dae19e3a11537a56a3a0beb7010aef3d39f1c17ea9d0d39ae7f3baa71aa340fb0d4fc3964aa80d844ef3fe178a91

    Download Submit

  • memory/268-80-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/960-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/960-83-0x0000000000180000-0x0000000000194000-memory.dmp

    Filesize

    80KB

    Download

  • memory/960-82-0x0000000000C40000-0x0000000000F43000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/960-81-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/960-76-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/960-73-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/960-74-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1092-85-0x0000000000F50000-0x0000000000F56000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1092-88-0x0000000000750000-0x0000000000A53000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1092-92-0x0000000000A60000-0x0000000000AF3000-memory.dmp

    Filesize

    588KB

    Download

  • memory/1092-89-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1092-86-0x0000000000F50000-0x0000000000F56000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1092-87-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1144-78-0x00000000001A0000-0x00000000001E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1144-79-0x00000000001A0000-0x00000000001E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1256-96-0x0000000006000000-0x0000000006141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-94-0x0000000006000000-0x0000000006141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-93-0x0000000006000000-0x0000000006141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-84-0x0000000005E70000-0x0000000005FF6000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1256-90-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1308-58-0x00000000002D0000-0x00000000002DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1308-54-0x0000000000850000-0x0000000000966000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1308-55-0x0000000000300000-0x0000000000340000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1308-56-0x0000000000300000-0x0000000000340000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1308-57-0x00000000002C0000-0x00000000002D4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1308-72-0x0000000008280000-0x00000000082EA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1308-59-0x0000000005C90000-0x0000000005D70000-memory.dmp

    Filesize

    896KB

    Download