Overview

overview

10

Static

static

3

LF20240228.exe

windows7-x64

10

LF20240228.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2024 12:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LF20240228.exe

  • Size

    652KB

  • MD5

    26a38af05a6bdd23f047eb65fee67251

  • SHA1

    61633e621f7d7cdcca5936b27a18cfe7e5169aae

  • SHA256

    3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a

  • SHA512

    7d852f05e4377b77691c3c7517609b6bd12c96d0c5dfe0bb330974ff891731529c12da9a7d52ea0f4e526fd35ce35237bfe40d2099afc12f59e58f95157e16b9

  • SSDEEP

    12288:JCTYHa5WHBh2Izs6vHhIlvyuq7it546mz2p9:QTYNHU6vHKlvU7ij46mKp

Score
10/10
formbookhy07ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy07

Decoy

katemclaughl.in

worthyofficial.com

digitopia.click

ledmee.com

siwaasnz.life

ba-y.com

specifiedbuild.com

abandoned-houses-pt-0.bond

yesxoit.xyz

onlinemehrgeld.com

gosysamergoods.com

speakdontell.com

brokenequipmentsolutions.online

gruppofebi.cloud

adilosk.shop

supplierpartnerportal.com

wizov.dev

fast-homeinsurance.com

j88.vote

onamaevn.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\LF20240228.exe
      "C:\Users\Admin\AppData\Local\Temp\LF20240228.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wIJCOfiF.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2520
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wIJCOfiF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71C6.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3068
      • C:\Users\Admin\AppData\Local\Temp\LF20240228.exe
        "C:\Users\Admin\AppData\Local\Temp\LF20240228.exe"
        3⤵
          PID:2588
        • C:\Users\Admin\AppData\Local\Temp\LF20240228.exe
          "C:\Users\Admin\AppData\Local\Temp\LF20240228.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2712
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:2504
        • C:\Windows\SysWOW64\help.exe
          "C:\Windows\SysWOW64\help.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\LF20240228.exe"
            3⤵
            • Deletes itself
            PID:748

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp71C6.tmp
        Filesize

        1KB

        MD5

        7e91a442917902677b9094935d5669da

        SHA1

        2ded15538feba0ef8fa66dc962ab6ca884e8b072

        SHA256

        4e878a2b98c84c709a4f4ee929b969b297a93241012d251c2cb4a85f7d6b0357

        SHA512

        50a516102fd8d2cddee7e6477e2c7494bcd27dcab1d8ca126c0a7085c0b3554a1a13253b341bb434d7c3f597424abfcb2e96417f50e667115bb5f215ab269ee1

        Download Submit
      • memory/1264-20-0x00000000037A0000-0x00000000038A0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1264-34-0x00000000049A0000-0x0000000004A5F000-memory.dmp
        Filesize

        764KB

        Download
      • memory/1264-43-0x00000000049A0000-0x0000000004A5F000-memory.dmp
        Filesize

        764KB

        Download
      • memory/1264-26-0x0000000006B70000-0x0000000006CE6000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2052-4-0x00000000002E0000-0x00000000002EC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/2052-5-0x0000000004E30000-0x0000000004EA6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2052-3-0x0000000000280000-0x0000000000292000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2052-0-0x0000000000AF0000-0x0000000000B98000-memory.dmp
        Filesize

        672KB

        Download
      • memory/2052-2-0x0000000004B50000-0x0000000004B90000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2052-18-0x0000000074160000-0x000000007484E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2052-1-0x0000000074160000-0x000000007484E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2520-30-0x000000006DFD0000-0x000000006E57B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2520-21-0x000000006DFD0000-0x000000006E57B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2520-22-0x000000006DFD0000-0x000000006E57B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2520-29-0x0000000002720000-0x0000000002760000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2520-25-0x0000000002720000-0x0000000002760000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2520-28-0x0000000002720000-0x0000000002760000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2712-14-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2712-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2712-24-0x00000000001E0000-0x00000000001F4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2712-23-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2712-17-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2712-32-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2712-33-0x00000000003E0000-0x00000000003F4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2712-27-0x0000000000BA0000-0x0000000000EA3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/2712-13-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2948-36-0x0000000000C70000-0x0000000000C76000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2948-37-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2948-38-0x0000000000770000-0x0000000000A73000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/2948-39-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2948-41-0x0000000000540000-0x00000000005D3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/2948-35-0x0000000000C70000-0x0000000000C76000-memory.dmp
        Filesize

        24KB

        Download