Overview

overview

10

Static

static

3

Ordem de C...df.exe

windows7-x64

10

Ordem de C...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/05/2023, 14:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Ordem de Compra pdf.exe

  • Size

    691KB

  • MD5

    1261048d5ab92e3403dc1eaf43475572

  • SHA1

    79f4015b9633fb92a9f3624cb9863521fd54a2fc

  • SHA256

    312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567

  • SHA512

    817812d9d72f7cddf572e04b614134a0ae52438435493f049b68684cdd6ec22c232afccf06afee8339859f5f32f69eff99d81d1198339c9aa412c66881ad70ec

  • SSDEEP

    12288:UwGmzZBEP85Omp3/xC0ByTBDSV5FmtRL4lqsIi0Dkc/Z5XKS891:B9BEP8cmp3/x9BygVaI4sHo/zXKS

Score
10/10
formbookmd05ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

md05

Decoy

18873.biz

blparkinsons.uk

londonsanifloengineer.co.uk

hmstravelsllc.com

copietomb.online

driverrehab.store

ascent-social-labs.com

bulletsync.app

kirm.net

carys.online

c1u8z.com

37973.site

staizitto.com

by4388.com

heavenly-hideaways.co.uk

roobydog.co.uk

abuelitaskitchensupply.com

northmusic.africa

inning.one

solardance.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Local\Temp\Ordem de Compra pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Ordem de Compra pdf.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vBdjOEsuumpVj.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:348
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vBdjOEsuumpVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2664.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3460
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1980
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:3108
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:1696

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a4iu52le.1fo.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp2664.tmp
              Filesize

              1KB

              MD5

              a1ccf4af5f670edd8fc4f6f57d433d44

              SHA1

              742204f5bb3406cfa2ade99cf9aac3e9d00b63b4

              SHA256

              d83a8f8a7b440aeb40a41a62f7f133869effca8fb67919f1bc302ec80e8cac0e

              SHA512

              72e604aca9d4769199e15424f63bee5a68395ae05a6a815a2840fafaa8ae79652c6c9802147dc1f3482b3b2cccba9e3d526792f76a3ab4008c6ec6c445ef1543

              Download Submit

            • memory/348-162-0x0000000005620000-0x0000000005686000-memory.dmp

              Filesize

              408KB

              Download

            • memory/348-194-0x0000000007130000-0x0000000007138000-memory.dmp

              Filesize

              32KB

              Download

            • memory/348-189-0x0000000007090000-0x0000000007126000-memory.dmp

              Filesize

              600KB

              Download

            • memory/348-188-0x0000000006E80000-0x0000000006E8A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/348-183-0x0000000006E10000-0x0000000006E2A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/348-144-0x0000000000D90000-0x0000000000DC6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/348-193-0x0000000007150000-0x000000000716A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/348-146-0x0000000004D20000-0x0000000005348000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/348-182-0x0000000007460000-0x0000000007ADA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/348-169-0x00000000710B0000-0x00000000710FC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/348-149-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/348-156-0x0000000005440000-0x00000000054A6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/348-157-0x0000000000F20000-0x0000000000F30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-155-0x0000000000F20000-0x0000000000F30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-192-0x0000000007040000-0x000000000704E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/348-164-0x0000000005B00000-0x0000000005B1E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/348-181-0x000000007F8F0000-0x000000007F900000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-180-0x0000000000F20000-0x0000000000F30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-179-0x00000000060D0000-0x00000000060EE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/348-168-0x0000000006AD0000-0x0000000006B02000-memory.dmp

              Filesize

              200KB

              Download

            • memory/1648-134-0x0000000005360000-0x0000000005904000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1648-136-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1648-133-0x0000000000270000-0x0000000000324000-memory.dmp

              Filesize

              720KB

              Download

            • memory/1648-135-0x0000000004CD0000-0x0000000004D62000-memory.dmp

              Filesize

              584KB

              Download

            • memory/1648-139-0x0000000006DB0000-0x0000000006E4C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/1648-138-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1648-137-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1960-199-0x0000000001690000-0x0000000001723000-memory.dmp

              Filesize

              588KB

              Download

            • memory/1960-197-0x0000000000F70000-0x0000000000F9F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/1960-184-0x0000000000B60000-0x0000000000B7E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1960-187-0x0000000000B60000-0x0000000000B7E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1960-190-0x0000000000F70000-0x0000000000F9F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/1960-191-0x0000000001850000-0x0000000001B9A000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1980-147-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/1980-185-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/1980-166-0x0000000001640000-0x0000000001654000-memory.dmp

              Filesize

              80KB

              Download

            • memory/1980-165-0x0000000001750000-0x0000000001A9A000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3212-167-0x0000000008080000-0x00000000081B4000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/3212-200-0x00000000081C0000-0x000000000829F000-memory.dmp

              Filesize

              892KB

              Download

            • memory/3212-201-0x00000000081C0000-0x000000000829F000-memory.dmp

              Filesize

              892KB

              Download

            • memory/3212-203-0x00000000081C0000-0x000000000829F000-memory.dmp

              Filesize

              892KB

              Download