Overview

overview

10

Static

static

3

LF20240228.exe

windows7-x64

10

LF20240228.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2024 12:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LF20240228.exe

  • Size

    652KB

  • MD5

    26a38af05a6bdd23f047eb65fee67251

  • SHA1

    61633e621f7d7cdcca5936b27a18cfe7e5169aae

  • SHA256

    3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a

  • SHA512

    7d852f05e4377b77691c3c7517609b6bd12c96d0c5dfe0bb330974ff891731529c12da9a7d52ea0f4e526fd35ce35237bfe40d2099afc12f59e58f95157e16b9

  • SSDEEP

    12288:JCTYHa5WHBh2Izs6vHhIlvyuq7it546mz2p9:QTYNHU6vHKlvU7ij46mKp

Score
10/10
formbookhy07ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy07

Decoy

katemclaughl.in

worthyofficial.com

digitopia.click

ledmee.com

siwaasnz.life

ba-y.com

specifiedbuild.com

abandoned-houses-pt-0.bond

yesxoit.xyz

onlinemehrgeld.com

gosysamergoods.com

speakdontell.com

brokenequipmentsolutions.online

gruppofebi.cloud

adilosk.shop

supplierpartnerportal.com

wizov.dev

fast-homeinsurance.com

j88.vote

onamaevn.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3532
    • C:\Users\Admin\AppData\Local\Temp\LF20240228.exe
      "C:\Users\Admin\AppData\Local\Temp\LF20240228.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4156
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wIJCOfiF.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4764
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wIJCOfiF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:32
      • C:\Users\Admin\AppData\Local\Temp\LF20240228.exe
        "C:\Users\Admin\AppData\Local\Temp\LF20240228.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Windows\SysWOW64\wlanext.exe
          "C:\Windows\SysWOW64\wlanext.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\LF20240228.exe"
            5⤵
              PID:4480

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qxqgn5w.ah1.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp
      Filesize

      1KB

      MD5

      a8b88aefed0c89744f49021afb1a6dc1

      SHA1

      9182e9bf5f6bb5f7107434d0983802a639a152b6

      SHA256

      1a3f3d8ec43bf6866d641c76c62e45a6a0b41553c75cb8aec0611823c5152390

      SHA512

      f09afc39996bfe5870985c5c65e478d3f9439ee083d0691e62240ab845545ade9afbcfa6372c8bbe7b3cbb0f804c410c1372bb74356faea1e40d22b076848097

      Download Submit
    • memory/1936-79-0x0000000001280000-0x00000000012AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1936-80-0x0000000001860000-0x00000000018F3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1936-74-0x0000000000670000-0x0000000000687000-memory.dmp
      Filesize

      92KB

      Download
    • memory/1936-76-0x0000000000670000-0x0000000000687000-memory.dmp
      Filesize

      92KB

      Download
    • memory/1936-77-0x0000000001280000-0x00000000012AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1936-78-0x0000000001930000-0x0000000001C7A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3340-71-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3340-36-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3340-38-0x0000000001010000-0x0000000001024000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3340-19-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3340-24-0x00000000014C0000-0x000000000180A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3340-72-0x00000000014A0000-0x00000000014B4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3532-39-0x00000000085B0000-0x00000000086F9000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3532-83-0x00000000025C0000-0x00000000026E9000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3532-84-0x00000000025C0000-0x00000000026E9000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3532-87-0x00000000025C0000-0x00000000026E9000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3532-73-0x0000000008150000-0x00000000082F3000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4156-6-0x0000000005B10000-0x0000000005B22000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4156-7-0x0000000005B40000-0x0000000005B4C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4156-8-0x00000000075F0000-0x0000000007666000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4156-5-0x0000000005980000-0x000000000598A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4156-4-0x0000000005B80000-0x0000000005B90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4156-22-0x0000000074D30000-0x00000000754E0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4156-3-0x00000000059A0000-0x0000000005A32000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4156-2-0x0000000006050000-0x00000000065F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4156-9-0x0000000009C70000-0x0000000009D0C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4156-1-0x0000000000EF0000-0x0000000000F98000-memory.dmp
      Filesize

      672KB

      Download
    • memory/4156-0-0x0000000074D30000-0x00000000754E0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4764-42-0x0000000006560000-0x00000000065AC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4764-56-0x0000000002BE0000-0x0000000002BF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4764-45-0x00000000715F0000-0x000000007163C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4764-44-0x00000000074E0000-0x0000000007512000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4764-59-0x0000000007860000-0x000000000787A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4764-58-0x0000000007EA0000-0x000000000851A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4764-60-0x00000000078D0000-0x00000000078DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4764-43-0x000000007FC50000-0x000000007FC60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4764-61-0x0000000007AE0000-0x0000000007B76000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4764-62-0x0000000007A60000-0x0000000007A71000-memory.dmp
      Filesize

      68KB

      Download
    • memory/4764-64-0x0000000007AA0000-0x0000000007AB4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4764-63-0x0000000007A90000-0x0000000007A9E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4764-65-0x0000000007BA0000-0x0000000007BBA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4764-66-0x0000000007B80000-0x0000000007B88000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4764-69-0x0000000074D30000-0x00000000754E0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4764-57-0x0000000007520000-0x00000000075C3000-memory.dmp
      Filesize

      652KB

      Download
    • memory/4764-55-0x0000000006AD0000-0x0000000006AEE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4764-15-0x0000000074D30000-0x00000000754E0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4764-41-0x0000000006500000-0x000000000651E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4764-16-0x0000000002BE0000-0x0000000002BF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4764-40-0x0000000006110000-0x0000000006464000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4764-37-0x0000000006000000-0x0000000006066000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4764-26-0x0000000005E90000-0x0000000005EF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4764-23-0x0000000005460000-0x0000000005482000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4764-20-0x0000000005660000-0x0000000005C88000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4764-17-0x0000000002BE0000-0x0000000002BF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4764-14-0x0000000002C30000-0x0000000002C66000-memory.dmp
      Filesize

      216KB

      Download