Overview

overview

10

Static

static

1

d99fdee30a...32.exe

windows7-x64

10

d99fdee30a...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 01:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32.exe

  • Size

    1021KB

  • MD5

    921fba8af6c955c0fc7c8206e833bbe4

  • SHA1

    a2067d7a6b8c80ebebf0bbdbe4e593635ce6efda

  • SHA256

    d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32

  • SHA512

    9b4d690fcf7199c0d21b6d57d0746f7bc22d988dc617d8d78a2bf7e4ec00b5a2743d51853d0d94e63e4ca9b081787b13c163ddd6887d2c6f9a4c311457eceaca

  • SSDEEP

    12288:CD2iNo3XdJVZz5dB38fhR6MazqlmJgpTZsKGYMucdZ2/Rs47anmrK9U1AByOy:CD12zVZ97dMazqzpTZaYQPSeS1AXy

Score
10/10
formbookg2fgratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32.exe
    "C:\Users\Admin\AppData\Local\Temp\d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XAEXefKaRG.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XAEXefKaRG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp706D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1860
    • C:\Users\Admin\AppData\Local\Temp\d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32.exe
      "C:\Users\Admin\AppData\Local\Temp\d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hkeitegq.iuk.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp706D.tmp
    Filesize

    1KB

    MD5

    8a0f716252d96287085779180e96faa9

    SHA1

    64a65c1f96f76080afcb907a33c8da8baba1e751

    SHA256

    dd13d91fd5b22cdf3e551dc279034f6c9f8498fa9fb7d9013a6ef39a70efc652

    SHA512

    beb284968daa9eb4ab14ce18c0e4c62451a01d8380ed7835131f75a530c1cbd398109850b8fd8930bb4164fcecb3a2431e8a631cc46d51dfd7cdd4470bf00601

    Download Submit
  • memory/2292-160-0x00000000012E0000-0x000000000162A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2292-147-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2836-152-0x0000000005B10000-0x0000000005B76000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2836-178-0x0000000007BA0000-0x000000000821A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2836-185-0x0000000007850000-0x0000000007858000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2836-144-0x0000000002930000-0x0000000002966000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2836-184-0x0000000007870000-0x000000000788A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2836-146-0x00000000054E0000-0x0000000005B08000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2836-148-0x0000000004EA0000-0x0000000004EB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2836-149-0x0000000004EA0000-0x0000000004EB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2836-183-0x0000000007760000-0x000000000776E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2836-151-0x0000000005270000-0x0000000005292000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2836-182-0x00000000077B0000-0x0000000007846000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2836-153-0x0000000005BF0000-0x0000000005C56000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2836-181-0x00000000075A0000-0x00000000075AA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2836-180-0x0000000007540000-0x000000000755A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2836-164-0x0000000006230000-0x000000000624E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2836-165-0x0000000004EA0000-0x0000000004EB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2836-166-0x0000000006810000-0x0000000006842000-memory.dmp
    Filesize

    200KB

    Download
  • memory/2836-167-0x0000000071200000-0x000000007124C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2836-177-0x00000000067F0000-0x000000000680E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2836-179-0x000000007F210000-0x000000007F220000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4288-138-0x0000000005610000-0x0000000005620000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4288-134-0x0000000005790000-0x0000000005D34000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4288-135-0x00000000052E0000-0x0000000005372000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4288-133-0x0000000000830000-0x0000000000936000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4288-136-0x0000000005610000-0x0000000005620000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4288-137-0x0000000005390000-0x000000000539A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4288-139-0x0000000006E20000-0x0000000006EBC000-memory.dmp
    Filesize

    624KB

    Download