Overview

overview

10

Static

static

1

NR ZAMÓWI...df.exe

windows7-x64

10

NR ZAMÓWI...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    29-03-2023 06:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe

  • Size

    561KB

  • MD5

    abb44d8629dbbae4b307b638fa35c921

  • SHA1

    91b9b648dfcc9261d3c0135eea5c4a9da4e87985

  • SHA256

    55d12f1706d497912ee1c846004edea135577d7e2eb2246e9c439740be365643

  • SHA512

    c6226f1c6634e11a48c79668df2229d43476d6dec9351da239bf9da58500751e584dccf3eea2aba77e881b2eb9c8b116843b0cee5a7d2af21db0561c4e1661a2

  • SSDEEP

    12288:KTMY1ltUnHhjgUciLJDrLmuychLXK8WEu:KThtejgUci9DvgcM8Wh

Score
10/10
formbookil23ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il23

Decoy

woodlandwoodworking.net

kitchen-deals-69155.com

hiddendia.xyz

xelaxaste.uk

sproutstrive.com

avlulu124.xyz

g-starnetwork.com

a-avdeeva.com

filmart.top

bustime411.com

besyor.xyz

joulex.live

christmastempjobsfinder.life

cxrh-official.com

themuzzy.co.uk

joshisarena.africa

dental4family.com

dietsandsixpacks.co.uk

innovativedigest.com

flyingphoenix.club

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Users\Admin\AppData\Local\Temp\NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1160
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\NR ZAMÓWIENIA PRÓBNEGO 0001-pdf.exe"
        3⤵
        • Deletes itself
        PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Music\krammets.lnk
    Filesize

    1KB

    MD5

    46deb8456dd0f1e1ea3a11fa60a54fa7

    SHA1

    56bbb6a41ab512379bd30ece0846a6f22f79c935

    SHA256

    b722fce651df53c145b9b39a9f391b8633c654ea2afd5ddf70211dc3e35d62c2

    SHA512

    5df6c6d3f798fc44dc746f9490c42b9a234096313c71c80e60fc6d2b1e525fcc982813c6135b0946f293ad04370be1aaf9da1cb9a00f2446647c899d6132535b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nst1F36.tmp\System.dll
    Filesize

    12KB

    MD5

    a1da6788aeaf78ca4ae1dece8019e49d

    SHA1

    d770155e6e9aa69223be198c44a8da26a1756d89

    SHA256

    b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81

    SHA512

    eada9c1528563ddfe3d4d8ed5dbc52b85a9190765535b68da90e6d623288bf0090adac5118e1ed6e3cb3e0abb9af025d3a2a73121413a4471a90fd04bc861e18

    Download Submit
  • memory/1160-77-0x0000000001470000-0x0000000004885000-memory.dmp
    Filesize

    52.1MB

    Download
  • memory/1160-72-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/1160-73-0x0000000001470000-0x0000000004885000-memory.dmp
    Filesize

    52.1MB

    Download
  • memory/1160-74-0x0000000034A80000-0x0000000034D83000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1160-75-0x00000000348D0000-0x00000000348E4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1160-69-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/1160-70-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/1160-80-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/1212-88-0x00000000001F0000-0x00000000002F0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1212-76-0x0000000003BF0000-0x0000000003CC0000-memory.dmp
    Filesize

    832KB

    Download
  • memory/1212-94-0x0000000004B70000-0x0000000004C07000-memory.dmp
    Filesize

    604KB

    Download
  • memory/1212-91-0x0000000004B70000-0x0000000004C07000-memory.dmp
    Filesize

    604KB

    Download
  • memory/1212-90-0x0000000004B70000-0x0000000004C07000-memory.dmp
    Filesize

    604KB

    Download
  • memory/1500-79-0x00000000005C0000-0x00000000005CE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1500-86-0x0000000000090000-0x00000000000BF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1500-89-0x0000000000990000-0x0000000000A23000-memory.dmp
    Filesize

    588KB

    Download
  • memory/1500-85-0x0000000002110000-0x0000000002413000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1500-84-0x0000000000090000-0x00000000000BF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1500-83-0x00000000005C0000-0x00000000005CE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1500-78-0x00000000005C0000-0x00000000005CE000-memory.dmp
    Filesize

    56KB

    Download