Overview

overview

10

Static

static

3

cd0f9f8e28...f9.exe

windows7-x64

10

cd0f9f8e28...f9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/03/2024, 04:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cd0f9f8e285dc698ec134a65cb519bf9.exe

  • Size

    477KB

  • MD5

    cd0f9f8e285dc698ec134a65cb519bf9

  • SHA1

    8e1772b29b049782e2df7b81facca92428aaeda6

  • SHA256

    861da69934b91448a3336cb1202ede93466a5bea352da087a703823af581bc0c

  • SHA512

    ac55ef9b7e0c4482f1816cce77039ec43453172d12f96faaf6591114bfbbb4d68318e9f3b9c07ce44950b5a429d902e5cce49edcd4f510fa7545c6a210a4d76b

  • SSDEEP

    6144:+JzKf/zmCja4qQmQCrcbnFuuUcTFx0T21BOcCSaa1MSSB6T1KpQcHCbh3:+JY1ja4qQ+rcbFudkuN/S/1MSSPQcHK1

Score
10/10
formbookfrpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

fr

Decoy

geturstuff.life

kisakollections.com

bkipmtahuna.com

aoxou.com

thebigandfreeupdates.download

utvtribe.com

icontoken.com

naturexperience.com

h2sentertainmentcafe.com

careerproresumepa.com

franchiseindia.directory

psychouniversity.com

traveng.com

mylifestylebyclem.com

greentmraelty.com

imoneg.com

lupusrebelacademy.com

ghqxc.info

lylulidbd.com

dalfreestyle.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Users\Admin\AppData\Local\Temp\cd0f9f8e285dc698ec134a65cb519bf9.exe
      "C:\Users\Admin\AppData\Local\Temp\cd0f9f8e285dc698ec134a65cb519bf9.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\cd0f9f8e285dc698ec134a65cb519bf9.exe" "C:\Users\Admin\AppData\Local\syscheck.exe"
        3⤵
          PID:4464
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\syscheck.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:116
          • C:\Users\Admin\AppData\Local\syscheck.exe
            "C:\Users\Admin\AppData\Local\syscheck.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Users\Admin\AppData\Local\syscheck.exe
              "C:\Users\Admin\AppData\Local\syscheck.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:4020
      • C:\Windows\SysWOW64\cmmon32.exe
        "C:\Windows\SysWOW64\cmmon32.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\syscheck.exe"
          3⤵
            PID:4652

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\syscheck.exe
              Filesize

              477KB

              MD5

              cd0f9f8e285dc698ec134a65cb519bf9

              SHA1

              8e1772b29b049782e2df7b81facca92428aaeda6

              SHA256

              861da69934b91448a3336cb1202ede93466a5bea352da087a703823af581bc0c

              SHA512

              ac55ef9b7e0c4482f1816cce77039ec43453172d12f96faaf6591114bfbbb4d68318e9f3b9c07ce44950b5a429d902e5cce49edcd4f510fa7545c6a210a4d76b

              Download Submit

            • memory/2156-30-0x0000000000960000-0x000000000098A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/2156-31-0x0000000002A40000-0x0000000002D8A000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2156-28-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2156-36-0x0000000000960000-0x000000000098A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/2156-29-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2156-33-0x0000000002930000-0x00000000029C3000-memory.dmp

              Filesize

              588KB

              Download

            • memory/2868-16-0x0000000005990000-0x00000000059A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2868-15-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2868-17-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2868-18-0x0000000006780000-0x000000000681C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/2868-22-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3440-42-0x00000000087A0000-0x00000000088EB000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/3440-27-0x00000000083C0000-0x00000000084F2000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/3440-39-0x00000000087A0000-0x00000000088EB000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/3440-34-0x00000000083C0000-0x00000000084F2000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/3440-38-0x00000000087A0000-0x00000000088EB000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/4020-19-0x0000000000400000-0x000000000042A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/4020-26-0x00000000010C0000-0x00000000010D4000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4020-25-0x0000000000400000-0x000000000042A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/4020-23-0x0000000001200000-0x000000000154A000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4700-0-0x0000000000010000-0x000000000008E000-memory.dmp

              Filesize

              504KB

              Download

            • memory/4700-11-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4700-9-0x0000000004D30000-0x0000000004D40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4700-8-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4700-5-0x0000000004D30000-0x0000000004D40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4700-4-0x0000000004A40000-0x0000000004A5C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4700-3-0x0000000004AC0000-0x0000000004B52000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4700-2-0x0000000005070000-0x0000000005614000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4700-1-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

              Download