Overview

overview

10

Static

static

3

comutation order.exe

windows7-x64

10

comutation order.exe

windows10-2004-x64

10

Resubmissions

01-05-2023 15:19

230501-sqlmcshe83 10

01-05-2023 15:19

230501-sp67nsbb6t 10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-05-2023 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    comutation order.exe

  • Size

    744KB

  • MD5

    d24b6d72e85c9b51bd5b39b9fe6d1ab5

  • SHA1

    b2c1c8c1988924942a231cf30dfc5222b031090e

  • SHA256

    e9ac57e43f65115bb0e5780178dae36d3a625cf21a21d6b9272d7a067c9c52a5

  • SHA512

    d37ff374ab0f381051e8e1c27d4b181a57e62fa3f8775616739421261b7032f94ec229b84c0f0a686bbbce95f69e7a2b2a0269239773c7dc76ff0f01ce8c9b6e

  • SSDEEP

    12288:iQu6zWFuIRiPLFuJVygB1VrQ6GSItioHVnwlb1:iSIuIwZwAgrVr6NHFwlb

Score
10/10
formbookn13eratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n13e

Decoy

cowiemarketing.com

uniqueliquidz.co.uk

755259.com

7bw95.com

luxbarstools.co.uk

baccaratda.com

berkayakpinar.xyz

gistus.africa

hjd387.com

leave-fly.com

golfclubdaddy.com

engineeringea.buzz

countryrevisited.com

decoracioneskalite.com

imaginationlirbary.com

moneytransfer.africa

brainwaveproject.com

3039sjbqf2022.com

184hotels.com

aromamiaro.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Local\Temp\comutation order.exe
      "C:\Users\Admin\AppData\Local\Temp\comutation order.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\urCbmGUnZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEBCC.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1236
      • C:\Users\Admin\AppData\Local\Temp\comutation order.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2096
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:4052
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\SysWOW64\cscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5088
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\comutation order.exe"
          3⤵
            PID:1352

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpEBCC.tmp
        Filesize

        1KB

        MD5

        15c6c27a92c01961802c16f901711cd2

        SHA1

        ca5c9bb271cbc447e9ec8e6ce2e28aacf85eb174

        SHA256

        f9e5a6d075d9819f2b522dc731a274b175626a5b605dabb0d23a62a687fb3c29

        SHA512

        7722c2293f693cf48ff5416e8ba73362c1a7bfabc501940a55ee6e0800d81fd5d8e240cf69c2ddaf0e790de6db426352901d6d6278995abe86ffaf06b23fac83

        Download Submit
      • memory/2096-151-0x0000000003670000-0x0000000003684000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2096-147-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2096-154-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2096-148-0x0000000001CF0000-0x0000000001D04000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2096-146-0x00000000019A0000-0x0000000001CEA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2096-143-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2132-136-0x0000000004D80000-0x0000000004E1C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2132-139-0x0000000004C90000-0x0000000004CA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2132-138-0x0000000004C90000-0x0000000004CA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2132-137-0x0000000004C70000-0x0000000004C7A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2132-135-0x0000000004CE0000-0x0000000004D72000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2132-133-0x0000000000220000-0x00000000002E0000-memory.dmp
        Filesize

        768KB

        Download
      • memory/2132-134-0x0000000005290000-0x0000000005834000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2600-149-0x00000000025D0000-0x00000000026E2000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2600-152-0x0000000007AB0000-0x0000000007C28000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2600-161-0x0000000008910000-0x0000000008A4D000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2600-162-0x0000000008910000-0x0000000008A4D000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2600-164-0x0000000008910000-0x0000000008A4D000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5088-153-0x0000000000DB0000-0x0000000000DD7000-memory.dmp
        Filesize

        156KB

        Download
      • memory/5088-155-0x0000000000DB0000-0x0000000000DD7000-memory.dmp
        Filesize

        156KB

        Download
      • memory/5088-156-0x0000000000970000-0x000000000099F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/5088-157-0x0000000002B40000-0x0000000002E8A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5088-158-0x0000000000970000-0x000000000099F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/5088-160-0x0000000002940000-0x00000000029D3000-memory.dmp
        Filesize

        588KB

        Download