Overview

overview

10

Static

static

1

NEW ORDERS...LE.exe

windows7-x64

10

NEW ORDERS...LE.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2023 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW ORDERS RIPLEY CHILE - WDSCHILE.exe

  • Size

    776KB

  • MD5

    39f0289d03e15ee2dc83e561645c4a6d

  • SHA1

    b20ed4c283b9af631ff89720f8242392c4b9543f

  • SHA256

    63e437a647e0cd76c38f1e73b5f1d5aa54c8e6a7f26cd31bd0fae9b1994751e9

  • SHA512

    63ecdbc41f9ad0939521e0120e1765320c262b1f47e0b869e47e3bd31fce5d4a10a9d78d6202c0cd6ce1f0d8708492685655e8d33974770c078ff39c3e3c9aad

  • SSDEEP

    24576:uMwf+m50w/dByz96NHuhR60AkJApfZ5ZM1P3A6YlBE5GwM:uMwf0w/dsEwRTApfrW93AXbENM

Score
10/10
formbooku34fratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u34f

Decoy

carpool.bar

badburyparkbakery.co.uk

aigooglebot.com

arihantautogas.com

specmart.online

newschatgpt.net

mmcroberts.com

ativeerrtechnologies.com

pheonix-blog-lomg-1098.com

simplisetup.com

teorikatapublishing.com

stephanyvgrfingle.click

tropicoa.com

isystem.world

tiger-lion.space

mackenziefarms.net

tl8841.buzz

alfabank.credit

lockdaccesactolapqqk.com

directaccesspetroleum.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW ORDERS RIPLEY CHILE - WDSCHILE.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Users\Admin\AppData\Local\Temp\NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
        "C:\Users\Admin\AppData\Local\Temp\NEW ORDERS RIPLEY CHILE - WDSCHILE.exe"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:568
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\NEW ORDERS RIPLEY CHILE - WDSCHILE.exe"
        3⤵
          PID:1064

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsdF9C.tmp\System.dll
      Filesize

      12KB

      MD5

      564bb0373067e1785cba7e4c24aab4bf

      SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

      SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

      SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

      Download Submit
    • memory/568-101-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/568-70-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/568-68-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/568-98-0x0000000001470000-0x0000000005B28000-memory.dmp
      Filesize

      70.7MB

      Download
    • memory/568-94-0x0000000001470000-0x0000000005B28000-memory.dmp
      Filesize

      70.7MB

      Download
    • memory/568-95-0x0000000036020000-0x0000000036323000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/568-96-0x0000000035EF0000-0x0000000035F04000-memory.dmp
      Filesize

      80KB

      Download
    • memory/568-93-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/568-69-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1256-109-0x0000000005E50000-0x0000000005FBB000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1256-97-0x0000000005E50000-0x0000000005FBB000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1256-107-0x0000000002B10000-0x0000000002B3B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/1736-100-0x0000000000260000-0x0000000000286000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1736-103-0x0000000000070000-0x000000000009F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1736-104-0x0000000001F20000-0x0000000002223000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1736-105-0x0000000000070000-0x000000000009F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1736-108-0x00000000022D0000-0x0000000002363000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1736-99-0x0000000000260000-0x0000000000286000-memory.dmp
      Filesize

      152KB

      Download