Overview

overview

10

Static

static

3

ordem de c...df.exe

windows7-x64

10

ordem de c...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2023, 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ordem de compra xxx50922 pdf.exe

  • Size

    690KB

  • MD5

    28993f4b93647dabe6603cbb21a7adb3

  • SHA1

    c2b2a34e7f52d5c173e8982f27783b74347d7e78

  • SHA256

    92901e1afa61d81882eaf7e1bc51fb693adce114a24e769cf234e1ad15109398

  • SHA512

    d8da8a4e5bdafef7f0a15b948bf632d2538bc360120b5d4ed1fa64b581bea8ab66f07bb329947ccec039401f976a229b39245e86860a42794680bfcbce0c65d6

  • SSDEEP

    12288:y06gea2iNP1UF+fSTk+UJtZheVI1m1i65w4BV61RdpNmMEeyxbkN8mZ65+:1Tf1FQUqMhtq75wlpNRBpNcI

Score
10/10
formbookm0d5ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m0d5

Decoy

thedaintydesign.com

floramiracle.com

k-runimport.com

aquafoodsupply.com

smultipleslogistics.com

althard.com

nicklawsoncreative.com

mting.link

salvadorsdream.com

vijmas.xyz

thornspeakers.com

dsales-academy.com

yesquw.xyz

shosjhdj.sbs

erasmusplusprojects.com

infinity506.com

lojaalphaelite.com

pixelmagicpath.top

primeshiftemporium.site

hssk1k4y.top

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ordem de compra xxx50922 pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\ordem de compra xxx50922 pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nkmcwV.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nkmcwV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16EA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2460
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 36
        3⤵
        • Program crash
        PID:1288

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp16EA.tmp
    Filesize

    1KB

    MD5

    d72d77c2b8367ad6c1869cc9baaf8b81

    SHA1

    2ff85f3fce8fe13bf80a83b399e211ef327fa8d6

    SHA256

    ac94a2c3cb0e44d02ef6206cb91dfe91f0ad8b8b14935aa1821ba82cc4f6acf1

    SHA512

    b28dec2a1794940248753716fb1cd6c55ad894337953a13e10c49fd513b897a8ed9578fce7a77acb0827bc5c3d477c5d2a41880c5bc7f1e032a5d7def06c5115

    Download Submit

  • memory/2540-27-0x000000006DF90000-0x000000006E53B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-26-0x0000000002610000-0x0000000002650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2540-25-0x0000000002610000-0x0000000002650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2540-22-0x000000006DF90000-0x000000006E53B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2540-23-0x0000000002610000-0x0000000002650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2540-19-0x000000006DF90000-0x000000006E53B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2564-17-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2564-15-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2564-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2564-21-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3056-7-0x000000000A530000-0x000000000A59E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3056-0-0x0000000000960000-0x0000000000A12000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3056-6-0x0000000000260000-0x000000000026A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3056-24-0x00000000740F0000-0x00000000747DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3056-5-0x00000000003A0000-0x00000000003E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3056-4-0x00000000740F0000-0x00000000747DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3056-3-0x00000000003E0000-0x00000000003F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3056-2-0x00000000003A0000-0x00000000003E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3056-1-0x00000000740F0000-0x00000000747DE000-memory.dmp

    Filesize

    6.9MB

    Download