Overview

overview

10

Static

static

3

Ordem de c...23.exe

windows7-x64

10

Ordem de c...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-08-2023 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ordem de compra confirmada OC 215 Nortaluga Lda 08082023.exe

  • Size

    806KB

  • MD5

    5f41a9b656d58e1490e0689dfcbac025

  • SHA1

    4f604324498d3b23c410f50cb20f4c7d0077115d

  • SHA256

    b289fe67b0185e1ba0177f583675ce399772bf03fd813d47835c45427f71fbf0

  • SHA512

    4246060c3885ce954b70252f68d7bd293672940c75a2a3a2fed7179320256239bd2bda1daaf89ecaf8b54be89f211ce799acd41d6fd2481c2e2e6a1b3fdc5e4a

  • SSDEEP

    24576:Kik1oB0qnJjJuNXMJSCLAN548K7r26mgTlZ3:KikaBj7JYN548e26mi

Score
10/10
formbookjr22ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr22

Decoy

941zhe.com

lunarportal.space

xn--osmaniyeiek-t9ab.online

trejoscar.com

nrnursery.com

quizcannot.cfd

seedstockersthailand.com

watsonwindow.com

wjfholdings.com

weziclondon.com

naruot.xyz

yeji.plus

classicmenstore.com

oharatravel.com

therapyplankits.com

keviegreshonpt.com

qdlyner.com

seithupaarungal.com

casinorates.online

8ug4as.icu

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\Ordem de compra confirmada OC 215 Nortaluga Lda 08082023.exe
      "C:\Users\Admin\AppData\Local\Temp\Ordem de compra confirmada OC 215 Nortaluga Lda 08082023.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ordem de compra confirmada OC 215 Nortaluga Lda 08082023.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lbAVIbuklDrX.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5000
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lbAVIbuklDrX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD47.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4564
      • C:\Users\Admin\AppData\Local\Temp\Ordem de compra confirmada OC 215 Nortaluga Lda 08082023.exe
        "C:\Users\Admin\AppData\Local\Temp\Ordem de compra confirmada OC 215 Nortaluga Lda 08082023.exe"
        3⤵
          PID:2828
        • C:\Users\Admin\AppData\Local\Temp\Ordem de compra confirmada OC 215 Nortaluga Lda 08082023.exe
          "C:\Users\Admin\AppData\Local\Temp\Ordem de compra confirmada OC 215 Nortaluga Lda 08082023.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3820
      • C:\Windows\SysWOW64\cmmon32.exe
        "C:\Windows\SysWOW64\cmmon32.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3492
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Ordem de compra confirmada OC 215 Nortaluga Lda 08082023.exe"
          3⤵
            PID:3832

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dholp4dv.fyn.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpFD47.tmp
        Filesize

        1KB

        MD5

        dca51d1054c53aae044d890e0e42a82e

        SHA1

        4a02f1e7879755cd63d1f4cf9f709f72ec8e6dfa

        SHA256

        57e94c9aad343a0849feed9f75269e92e77f8b9fe396f8a2e760dad43dff9c36

        SHA512

        0ad2f9d9cf708125ed32b07df215349f1a662d96b8572b30d4597f9ed537b216072f1866ae2e4cbfea774a5244dcc1fac04db82d1b4b25200ae78868653daf3b

        Download Submit
      • memory/2296-228-0x0000000007C40000-0x0000000007C4A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2296-186-0x0000000075040000-0x00000000757F0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2296-191-0x0000000005580000-0x0000000005590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2296-236-0x000000007EE90000-0x000000007EEA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2296-187-0x0000000005580000-0x0000000005590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2296-232-0x0000000007E40000-0x0000000007ED6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/2296-231-0x0000000005580000-0x0000000005590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2296-147-0x0000000075040000-0x00000000757F0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2296-148-0x0000000005580000-0x0000000005590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2296-149-0x0000000002F70000-0x0000000002FA6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/2296-152-0x0000000005BC0000-0x00000000061E8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/2296-226-0x00000000081F0000-0x000000000886A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/2296-196-0x0000000006820000-0x000000000683E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2296-240-0x0000000007F10000-0x0000000007F2A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2296-161-0x00000000059D0000-0x0000000005A36000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2296-224-0x0000000006E50000-0x0000000006E6E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2296-206-0x0000000071530000-0x000000007157C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/2296-160-0x0000000005960000-0x00000000059C6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2296-241-0x0000000007EF0000-0x0000000007EF8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2296-203-0x000000007EE90000-0x000000007EEA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2296-204-0x0000000006E70000-0x0000000006EA2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/2296-199-0x0000000005580000-0x0000000005590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2296-244-0x0000000075040000-0x00000000757F0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3092-167-0x0000000002C30000-0x0000000002D2A000-memory.dmp
        Filesize

        1000KB

        Download
      • memory/3092-197-0x0000000002C30000-0x0000000002D2A000-memory.dmp
        Filesize

        1000KB

        Download
      • memory/3092-230-0x0000000002910000-0x00000000029BA000-memory.dmp
        Filesize

        680KB

        Download
      • memory/3092-234-0x0000000002910000-0x00000000029BA000-memory.dmp
        Filesize

        680KB

        Download
      • memory/3092-239-0x0000000002910000-0x00000000029BA000-memory.dmp
        Filesize

        680KB

        Download
      • memory/3492-190-0x0000000000190000-0x00000000001BF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3492-195-0x00000000022C0000-0x000000000260A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3492-189-0x00000000007B0000-0x00000000007BC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/3492-229-0x00000000021E0000-0x0000000002273000-memory.dmp
        Filesize

        588KB

        Download
      • memory/3492-198-0x0000000000190000-0x00000000001BF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3492-188-0x00000000007B0000-0x00000000007BC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/3820-157-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3820-162-0x0000000001990000-0x0000000001CDA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3820-166-0x0000000001420000-0x0000000001434000-memory.dmp
        Filesize

        80KB

        Download
      • memory/3820-165-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4196-137-0x00000000006F0000-0x00000000007C0000-memory.dmp
        Filesize

        832KB

        Download
      • memory/4196-138-0x00000000056C0000-0x0000000005C64000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4196-163-0x0000000075040000-0x00000000757F0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4196-144-0x0000000005400000-0x0000000005410000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4196-139-0x00000000051B0000-0x0000000005242000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4196-140-0x0000000005400000-0x0000000005410000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4196-141-0x0000000005190000-0x000000000519A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4196-136-0x0000000075040000-0x00000000757F0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4196-142-0x0000000005410000-0x00000000054AC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4196-143-0x0000000075040000-0x00000000757F0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5000-202-0x000000007FA20000-0x000000007FA30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5000-235-0x000000007FA20000-0x000000007FA30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5000-154-0x0000000002C10000-0x0000000002C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5000-155-0x0000000002C10000-0x0000000002C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5000-227-0x0000000006AC0000-0x0000000006ADA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/5000-233-0x0000000002C10000-0x0000000002C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5000-153-0x0000000075040000-0x00000000757F0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5000-192-0x0000000075040000-0x00000000757F0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5000-159-0x00000000054B0000-0x00000000054D2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/5000-238-0x0000000007940000-0x000000000794E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/5000-205-0x0000000071530000-0x000000007157C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/5000-194-0x0000000002C10000-0x0000000002C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5000-200-0x0000000002C10000-0x0000000002C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5000-193-0x0000000002C10000-0x0000000002C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5000-245-0x0000000075040000-0x00000000757F0000-memory.dmp
        Filesize

        7.7MB

        Download