Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2023 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    310KB

  • MD5

    da83ec739bfe2751dadf73b88a2d4de3

  • SHA1

    5122f9be87149ad355f0cbf33ca3ae603432b5d2

  • SHA256

    dc999aa2db84e4f91022be10a55e971c49da82960027b7482b44856fee46f9cc

  • SHA512

    358679f4da6265685f6d41aa159220a3dc80e6a76b0dc4e57bc548394acf6507622dfc09ef86dcb892e32d72c6be5af1fce57b3562d4bc8d3bc646ae3afee8c3

  • SSDEEP

    6144:LnPdudwDzV7hvMwtSPqGas8x0UAHsvEt57FFUxgbddgAcuWm5M2:LnPdvhsZyAEEvFFUxgbRM2

Score
10/10
formbooksy22ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe
        "C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:112
        • C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe
          "C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3492
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe"
        3⤵
          PID:2568

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe
      Filesize

      171KB

      MD5

      4b59d30a0dfe2ef576a684738840836f

      SHA1

      2648e01c6e47e0878df86d07e6171de62c2bf6db

      SHA256

      5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

      SHA512

      bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe
      Filesize

      171KB

      MD5

      4b59d30a0dfe2ef576a684738840836f

      SHA1

      2648e01c6e47e0878df86d07e6171de62c2bf6db

      SHA256

      5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

      SHA512

      bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe
      Filesize

      171KB

      MD5

      4b59d30a0dfe2ef576a684738840836f

      SHA1

      2648e01c6e47e0878df86d07e6171de62c2bf6db

      SHA256

      5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

      SHA512

      bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\fnpwl.ufx
      Filesize

      205KB

      MD5

      80405658fbbf7c2bde5c54656cc3282b

      SHA1

      96c9716132a64388609b103c3e32385653153366

      SHA256

      a1b2102fc79de307f0a816f3c0cc3a0807f25517db6dff4194c2d7e7bf5ba693

      SHA512

      c5e899b93a7efe2a823c3324236deda97d4354d7b5058be89b22a310942a26acb095847276c89dd90b1cba8ee33210839b590c08cc8eec03c2e5687c1f3d01fa

      Download Submit

    • memory/112-5-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/748-21-0x0000000006C20000-0x0000000006CD3000-memory.dmp

      Filesize

      716KB

      Download

    • memory/748-24-0x0000000008250000-0x000000000835C000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/748-27-0x0000000008250000-0x000000000835C000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/748-25-0x0000000008250000-0x000000000835C000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/748-14-0x0000000006C20000-0x0000000006CD3000-memory.dmp

      Filesize

      716KB

      Download

    • memory/2096-18-0x0000000000AA0000-0x0000000000ACF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2096-17-0x00000000003C0000-0x00000000003D4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2096-19-0x0000000002950000-0x0000000002C9A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2096-20-0x0000000000AA0000-0x0000000000ACF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2096-23-0x00000000027F0000-0x0000000002883000-memory.dmp

      Filesize

      588KB

      Download

    • memory/2096-15-0x00000000003C0000-0x00000000003D4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3492-10-0x0000000001240000-0x000000000158A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3492-7-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3492-13-0x0000000000D60000-0x0000000000D74000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3492-12-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download