Overview

overview

10

Static

static

3

e64a5a0e34...d6.exe

windows7-x64

10

e64a5a0e34...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2024 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe

  • Size

    814KB

  • MD5

    8fc83cdc44075773ee401f010d2443b0

  • SHA1

    96cd91bb463dcb0f7b56e94bf2cb15d7dc8f63b6

  • SHA256

    220977b28fc847b8a2d7c65d3d19a3859e3e62dc5e19edaf4909965516a91694

  • SHA512

    12a5cf0ee3c995faf09f821e4f4db1bf4f50c5ead57e72bf6e518b38c4d14a020724698e0930ea515ddeb810464ab9c9a616e3c8cd0a7e82ce64ab58a614f597

  • SSDEEP

    12288:mj6mRlmDKClMfkrPEBuGKw3f+s2geR3VJ6wGllh5VelrQTydKp:m2a4KCycrPQIo+aePgDalrQTl

Score
10/10
formbookkmgeratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe
      "C:\Users\Admin\AppData\Local\Temp\e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe"
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Users\Admin\AppData\Local\Temp\skype.exe
        "C:\Users\Admin\AppData\Local\Temp\skype.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c ping 127.0.0.1 -n 19 > nul && copy "C:\Users\Admin\AppData\Local\Temp\skype.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe" && ping 127.0.0.1 -n 19 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
          4⤵
          • Drops startup file
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 19
            5⤵
            • Runs ping.exe
            PID:2540
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 19
            5⤵
            • Runs ping.exe
            PID:596
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2908
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:1200
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1096

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
      Filesize

      814KB

      MD5

      8fc83cdc44075773ee401f010d2443b0

      SHA1

      96cd91bb463dcb0f7b56e94bf2cb15d7dc8f63b6

      SHA256

      220977b28fc847b8a2d7c65d3d19a3859e3e62dc5e19edaf4909965516a91694

      SHA512

      12a5cf0ee3c995faf09f821e4f4db1bf4f50c5ead57e72bf6e518b38c4d14a020724698e0930ea515ddeb810464ab9c9a616e3c8cd0a7e82ce64ab58a614f597

      Download Submit
    • memory/1200-34-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1200-30-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1200-36-0x0000000000390000-0x00000000003A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1200-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1200-32-0x0000000000B40000-0x0000000000E43000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1200-24-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1200-22-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1380-49-0x0000000004F90000-0x000000000508D000-memory.dmp
      Filesize

      1012KB

      Download
    • memory/1380-37-0x0000000004F90000-0x000000000508D000-memory.dmp
      Filesize

      1012KB

      Download
    • memory/1380-35-0x00000000038B0000-0x00000000039B0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1516-40-0x00000000000C0000-0x00000000000EF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1516-39-0x0000000000E80000-0x0000000000E87000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1516-38-0x0000000000E80000-0x0000000000E87000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1516-46-0x0000000000990000-0x0000000000A23000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1516-53-0x0000000000990000-0x0000000000A23000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1516-41-0x0000000000B00000-0x0000000000E03000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1516-42-0x00000000000C0000-0x00000000000EF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2336-0-0x0000000000320000-0x00000000003F2000-memory.dmp
      Filesize

      840KB

      Download
    • memory/2336-8-0x0000000074550000-0x0000000074C3E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2336-3-0x00000000042C0000-0x0000000004304000-memory.dmp
      Filesize

      272KB

      Download
    • memory/2336-2-0x0000000000720000-0x0000000000760000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2336-1-0x0000000074550000-0x0000000074C3E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2908-16-0x00000000010E0000-0x00000000011B2000-memory.dmp
      Filesize

      840KB

      Download
    • memory/2908-31-0x0000000073E60000-0x000000007454E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2908-29-0x0000000004D70000-0x0000000004DB0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2908-28-0x0000000004D70000-0x0000000004DB0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2908-27-0x0000000073E60000-0x000000007454E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2908-21-0x0000000004D70000-0x0000000004DB0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2908-20-0x0000000000500000-0x0000000000506000-memory.dmp
      Filesize

      24KB

      Download
    • memory/2908-19-0x0000000000640000-0x000000000065A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2908-18-0x0000000004D70000-0x0000000004DB0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2908-17-0x0000000073E60000-0x000000007454E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3016-7-0x0000000074550000-0x0000000074C3E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3016-6-0x0000000004C40000-0x0000000004C80000-memory.dmp
      Filesize

      256KB

      Download
    • memory/3016-5-0x0000000074550000-0x0000000074C3E000-memory.dmp
      Filesize

      6.9MB

      Download