Overview

overview

10

Static

static

3

LF20240228.exe

windows7-x64

10

LF20240228.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2024 12:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LF20240228.exe

  • Size

    652KB

  • MD5

    26a38af05a6bdd23f047eb65fee67251

  • SHA1

    61633e621f7d7cdcca5936b27a18cfe7e5169aae

  • SHA256

    3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a

  • SHA512

    7d852f05e4377b77691c3c7517609b6bd12c96d0c5dfe0bb330974ff891731529c12da9a7d52ea0f4e526fd35ce35237bfe40d2099afc12f59e58f95157e16b9

  • SSDEEP

    12288:JCTYHa5WHBh2Izs6vHhIlvyuq7it546mz2p9:QTYNHU6vHKlvU7ij46mKp

Score
10/10
formbookhy07ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy07

Decoy

katemclaughl.in

worthyofficial.com

digitopia.click

ledmee.com

siwaasnz.life

ba-y.com

specifiedbuild.com

abandoned-houses-pt-0.bond

yesxoit.xyz

onlinemehrgeld.com

gosysamergoods.com

speakdontell.com

brokenequipmentsolutions.online

gruppofebi.cloud

adilosk.shop

supplierpartnerportal.com

wizov.dev

fast-homeinsurance.com

j88.vote

onamaevn.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Users\Admin\AppData\Local\Temp\LF20240228.exe
      "C:\Users\Admin\AppData\Local\Temp\LF20240228.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wIJCOfiF.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1360
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wIJCOfiF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp388E.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2748
      • C:\Users\Admin\AppData\Local\Temp\LF20240228.exe
        "C:\Users\Admin\AppData\Local\Temp\LF20240228.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\LF20240228.exe"
        3⤵
        • Deletes itself
        PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp388E.tmp
    Filesize

    1KB

    MD5

    9c9b41c8c6367711205b78d0655eb858

    SHA1

    cd1133db4ec8a096ac8af0ec30b7e8eddcf21ee7

    SHA256

    7f5fbeb96c3dcee08eef4201dce323a76fcc92a6939be767a4d202a0f1c5a821

    SHA512

    c20a66aa226e63961e91ee80f69e6a83589ce1e933714411ae2115fd16860756d9c6e7af0c820f43bdd0acbe6dacc6da2a590e2487f2cc978e8627f4167cca14

    Download Submit
  • memory/1340-22-0x0000000003040000-0x0000000003140000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1340-29-0x00000000052E0000-0x0000000005425000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1360-25-0x0000000002AB0000-0x0000000002AF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1360-26-0x0000000002AB0000-0x0000000002AF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1360-28-0x000000006E520000-0x000000006EACB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1360-30-0x000000006E520000-0x000000006EACB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1360-23-0x000000006E520000-0x000000006EACB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1360-24-0x0000000002AB0000-0x0000000002AF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2392-5-0x0000000002350000-0x00000000023C6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2392-18-0x0000000074150000-0x000000007483E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2392-0-0x0000000000D90000-0x0000000000E38000-memory.dmp
    Filesize

    672KB

    Download
  • memory/2392-4-0x00000000003E0000-0x00000000003EC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2392-3-0x0000000000300000-0x0000000000312000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2392-2-0x00000000006E0000-0x0000000000720000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2392-1-0x0000000074150000-0x000000007483E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2736-34-0x0000000000870000-0x0000000000B73000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2736-31-0x0000000000860000-0x0000000000868000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2736-35-0x00000000000C0000-0x00000000000EF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2736-32-0x0000000000860000-0x0000000000868000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2736-37-0x0000000000650000-0x00000000006E3000-memory.dmp
    Filesize

    588KB

    Download
  • memory/2736-33-0x00000000000C0000-0x00000000000EF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2828-13-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2828-27-0x0000000000270000-0x0000000000284000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2828-21-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2828-20-0x00000000008E0000-0x0000000000BE3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2828-17-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2828-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2828-14-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download