Overview

overview

10

Static

static

3

cd0f9f8e28...f9.exe

windows7-x64

10

cd0f9f8e28...f9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    16-03-2024 04:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd0f9f8e285dc698ec134a65cb519bf9.exe

  • Size

    477KB

  • MD5

    cd0f9f8e285dc698ec134a65cb519bf9

  • SHA1

    8e1772b29b049782e2df7b81facca92428aaeda6

  • SHA256

    861da69934b91448a3336cb1202ede93466a5bea352da087a703823af581bc0c

  • SHA512

    ac55ef9b7e0c4482f1816cce77039ec43453172d12f96faaf6591114bfbbb4d68318e9f3b9c07ce44950b5a429d902e5cce49edcd4f510fa7545c6a210a4d76b

  • SSDEEP

    6144:+JzKf/zmCja4qQmQCrcbnFuuUcTFx0T21BOcCSaa1MSSB6T1KpQcHCbh3:+JY1ja4qQ+rcbFudkuN/S/1MSSPQcHK1

Score
10/10
formbookfrpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

fr

Decoy

geturstuff.life

kisakollections.com

bkipmtahuna.com

aoxou.com

thebigandfreeupdates.download

utvtribe.com

icontoken.com

naturexperience.com

h2sentertainmentcafe.com

careerproresumepa.com

franchiseindia.directory

psychouniversity.com

traveng.com

mylifestylebyclem.com

greentmraelty.com

imoneg.com

lupusrebelacademy.com

ghqxc.info

lylulidbd.com

dalfreestyle.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\cd0f9f8e285dc698ec134a65cb519bf9.exe
      "C:\Users\Admin\AppData\Local\Temp\cd0f9f8e285dc698ec134a65cb519bf9.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\cd0f9f8e285dc698ec134a65cb519bf9.exe" "C:\Users\Admin\AppData\Local\syscheck.exe"
        3⤵
          PID:2556
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\syscheck.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2536
          • C:\Users\Admin\AppData\Local\syscheck.exe
            "C:\Users\Admin\AppData\Local\syscheck.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2168
            • C:\Users\Admin\AppData\Local\syscheck.exe
              "C:\Users\Admin\AppData\Local\syscheck.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:1896
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:704
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\syscheck.exe"
          3⤵
            PID:2176

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Local\syscheck.exe
        Filesize

        477KB

        MD5

        cd0f9f8e285dc698ec134a65cb519bf9

        SHA1

        8e1772b29b049782e2df7b81facca92428aaeda6

        SHA256

        861da69934b91448a3336cb1202ede93466a5bea352da087a703823af581bc0c

        SHA512

        ac55ef9b7e0c4482f1816cce77039ec43453172d12f96faaf6591114bfbbb4d68318e9f3b9c07ce44950b5a429d902e5cce49edcd4f510fa7545c6a210a4d76b

        Download Submit

      • memory/704-43-0x0000000000C60000-0x0000000000F63000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/704-40-0x0000000001350000-0x000000000136B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/704-41-0x0000000001350000-0x000000000136B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/704-49-0x0000000000080000-0x00000000000AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/704-42-0x0000000000080000-0x00000000000AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/704-45-0x0000000000AF0000-0x0000000000B83000-memory.dmp

        Filesize

        588KB

        Download

      • memory/1196-34-0x0000000004EA0000-0x0000000004FBA000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1196-39-0x0000000007590000-0x0000000007728000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1196-31-0x0000000003B50000-0x0000000003C50000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1196-47-0x0000000007590000-0x0000000007728000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1720-6-0x00000000744C0000-0x0000000074BAE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1720-11-0x00000000744C0000-0x0000000074BAE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1720-7-0x0000000004C30000-0x0000000004C70000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1720-3-0x0000000004C30000-0x0000000004C70000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1720-2-0x0000000000340000-0x000000000035C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1720-0-0x00000000013D0000-0x000000000144E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/1720-1-0x00000000744C0000-0x0000000074BAE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1896-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1896-37-0x0000000000080000-0x00000000000AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1896-19-0x0000000000080000-0x00000000000AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1896-32-0x0000000000140000-0x0000000000154000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1896-33-0x0000000000080000-0x00000000000AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1896-27-0x0000000000080000-0x00000000000AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1896-38-0x0000000000280000-0x0000000000294000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1896-30-0x0000000000950000-0x0000000000C53000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1896-21-0x0000000000080000-0x00000000000AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2168-29-0x00000000744C0000-0x0000000074BAE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2168-18-0x0000000004AF0000-0x0000000004B30000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2168-16-0x0000000004AF0000-0x0000000004B30000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2168-15-0x00000000744C0000-0x0000000074BAE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2168-14-0x0000000004AF0000-0x0000000004B30000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2168-13-0x0000000000170000-0x00000000001EE000-memory.dmp

        Filesize

        504KB

        Download

      • memory/2168-12-0x00000000744C0000-0x0000000074BAE000-memory.dmp

        Filesize

        6.9MB

        Download