Overview

overview

10

Static

static

1

Orden de c...23.exe

windows7-x64

10

Orden de c...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2023 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Orden de compra del proveedor OC_No 1435 27-03-2023.exe

  • Size

    822KB

  • MD5

    91da3743bb05e6744e50fe749f5a9cc6

  • SHA1

    fbb00ec09354ded8bf1b7f18f2e9cb2ef0e3d3b3

  • SHA256

    b3811fa28d3e22cf5029476f6870c54e7fcd4d68da1342bb199ca6d41ed9ff56

  • SHA512

    08bb7e82f83aa4d5146838b8cdc2c40382656c8db8775792d850b3bf5426f53a4e5b9e3420c16e4b4140767a030e0eab9d3339f5182f6390def143d470f3f277

  • SSDEEP

    12288:LUJB0Oq8p2ZEtCgO27/mW9XqUjX5OFUuOWGt0p4VedclBeHlOrh1CuQvpAoJhZ:AZpTtV7fjc36veA1Gx9D

Score
10/10
formbookjr22ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr22

Decoy

941zhe.com

lunarportal.space

xn--osmaniyeiek-t9ab.online

trejoscar.com

nrnursery.com

quizcannot.cfd

seedstockersthailand.com

watsonwindow.com

wjfholdings.com

weziclondon.com

naruot.xyz

yeji.plus

classicmenstore.com

oharatravel.com

therapyplankits.com

keviegreshonpt.com

qdlyner.com

seithupaarungal.com

casinorates.online

8ug4as.icu

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe
      "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1696
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YCNgsiXL.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YCNgsiXL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF4F.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1736
      • C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe
        "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Windows\SysWOW64\colorcpl.exe
          "C:\Windows\SysWOW64\colorcpl.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:948
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Orden de compra del proveedor OC_No 1435 27-03-2023.exe"
            5⤵
            • Deletes itself
            PID:1028
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:1004
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:696
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:1528
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:1412
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:1388
              • C:\Windows\SysWOW64\autochk.exe
                "C:\Windows\SysWOW64\autochk.exe"
                2⤵
                  PID:1484
                • C:\Windows\SysWOW64\autochk.exe
                  "C:\Windows\SysWOW64\autochk.exe"
                  2⤵
                    PID:1968

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Scheduled Task

                1
                T1053

                Persistence

                Scheduled Task

                1
                T1053

                Privilege Escalation

                Scheduled Task

                1
                T1053

                Defense Evasion

                Credential Access

                Discovery

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\tmpEF4F.tmp
                  Filesize

                  1KB

                  MD5

                  caa9d361b5312dfb5fb8a1dda08c147f

                  SHA1

                  4070d956ab4b1053d5792478f41ebba4fe52ace8

                  SHA256

                  c92c06ce35abfaffdf1bc9f3beba82587050f68d274b1c99c3002afc81be8df7

                  SHA512

                  aad4d06fd13f8ee7f5181a6a52c3ec36024298029f891d68162f8133121f836073d5940c25b63d5ee9466dc2c3aef632db0a54e00c7ce7b722e242de8efede53

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I7LTCI8O8QS0KRN20R9N.temp
                  Filesize

                  7KB

                  MD5

                  2df9384a65630c2c3f113c61018b613b

                  SHA1

                  5cbaeaf8e2120eae11a9351513a0d483550806a1

                  SHA256

                  ada5cd6a9b3b66c0d7c294678dbe0aab7eb28e44598f062995e0ae425b4b542b

                  SHA512

                  ceb20c0791958dd70b110f3adbefe8aac8d1884449cb37cac69894aade9b499199dacf8509b7bb681392a270acf98e212e1508772860f10b1d5c98a625694364

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                  Filesize

                  7KB

                  MD5

                  2df9384a65630c2c3f113c61018b613b

                  SHA1

                  5cbaeaf8e2120eae11a9351513a0d483550806a1

                  SHA256

                  ada5cd6a9b3b66c0d7c294678dbe0aab7eb28e44598f062995e0ae425b4b542b

                  SHA512

                  ceb20c0791958dd70b110f3adbefe8aac8d1884449cb37cac69894aade9b499199dacf8509b7bb681392a270acf98e212e1508772860f10b1d5c98a625694364

                  Download Submit
                • memory/948-90-0x0000000000F10000-0x0000000000F28000-memory.dmp
                  Filesize

                  96KB

                  Download
                • memory/948-94-0x0000000000960000-0x00000000009F3000-memory.dmp
                  Filesize

                  588KB

                  Download
                • memory/948-88-0x0000000000F10000-0x0000000000F28000-memory.dmp
                  Filesize

                  96KB

                  Download
                • memory/948-91-0x00000000000C0000-0x00000000000EF000-memory.dmp
                  Filesize

                  188KB

                  Download
                • memory/948-92-0x0000000000B40000-0x0000000000E43000-memory.dmp
                  Filesize

                  3.0MB

                  Download
                • memory/1088-73-0x0000000000400000-0x000000000042F000-memory.dmp
                  Filesize

                  188KB

                  Download
                • memory/1088-89-0x0000000000400000-0x000000000042F000-memory.dmp
                  Filesize

                  188KB

                  Download
                • memory/1088-81-0x0000000000400000-0x000000000042F000-memory.dmp
                  Filesize

                  188KB

                  Download
                • memory/1088-74-0x0000000000400000-0x000000000042F000-memory.dmp
                  Filesize

                  188KB

                  Download
                • memory/1088-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1088-76-0x0000000000400000-0x000000000042F000-memory.dmp
                  Filesize

                  188KB

                  Download
                • memory/1088-86-0x0000000000190000-0x00000000001A4000-memory.dmp
                  Filesize

                  80KB

                  Download
                • memory/1088-83-0x0000000000140000-0x0000000000154000-memory.dmp
                  Filesize

                  80KB

                  Download
                • memory/1088-82-0x0000000000A80000-0x0000000000D83000-memory.dmp
                  Filesize

                  3.0MB

                  Download
                • memory/1236-87-0x0000000004D60000-0x0000000004E1A000-memory.dmp
                  Filesize

                  744KB

                  Download
                • memory/1236-84-0x00000000064C0000-0x00000000065A3000-memory.dmp
                  Filesize

                  908KB

                  Download
                • memory/1236-99-0x0000000004890000-0x000000000493F000-memory.dmp
                  Filesize

                  700KB

                  Download
                • memory/1236-97-0x0000000004890000-0x000000000493F000-memory.dmp
                  Filesize

                  700KB

                  Download
                • memory/1236-95-0x0000000004890000-0x000000000493F000-memory.dmp
                  Filesize

                  700KB

                  Download
                • memory/1696-80-0x0000000002380000-0x00000000023C0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/1724-58-0x0000000000670000-0x000000000067C000-memory.dmp
                  Filesize

                  48KB

                  Download
                • memory/1724-59-0x0000000005140000-0x00000000051F0000-memory.dmp
                  Filesize

                  704KB

                  Download
                • memory/1724-57-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/1724-56-0x0000000000640000-0x0000000000660000-memory.dmp
                  Filesize

                  128KB

                  Download
                • memory/1724-55-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/1724-72-0x0000000005F50000-0x0000000005F88000-memory.dmp
                  Filesize

                  224KB

                  Download
                • memory/1724-54-0x00000000009A0000-0x0000000000A74000-memory.dmp
                  Filesize

                  848KB

                  Download
                • memory/1732-79-0x0000000002730000-0x0000000002770000-memory.dmp
                  Filesize

                  256KB

                  Download