Overview

overview

10

Static

static

3

3bd968f2cf...6a.exe

windows7-x64

10

3bd968f2cf...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2024 02:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

  • Size

    652KB

  • MD5

    26a38af05a6bdd23f047eb65fee67251

  • SHA1

    61633e621f7d7cdcca5936b27a18cfe7e5169aae

  • SHA256

    3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a

  • SHA512

    7d852f05e4377b77691c3c7517609b6bd12c96d0c5dfe0bb330974ff891731529c12da9a7d52ea0f4e526fd35ce35237bfe40d2099afc12f59e58f95157e16b9

  • SSDEEP

    12288:JCTYHa5WHBh2Izs6vHhIlvyuq7it546mz2p9:QTYNHU6vHKlvU7ij46mKp

Score
10/10
formbookhy07ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy07

Decoy

katemclaughl.in

worthyofficial.com

digitopia.click

ledmee.com

siwaasnz.life

ba-y.com

specifiedbuild.com

abandoned-houses-pt-0.bond

yesxoit.xyz

onlinemehrgeld.com

gosysamergoods.com

speakdontell.com

brokenequipmentsolutions.online

gruppofebi.cloud

adilosk.shop

supplierpartnerportal.com

wizov.dev

fast-homeinsurance.com

j88.vote

onamaevn.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Detects executables packed with SmartAssembly 1 IoCs
  • Formbook payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
    "C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wIJCOfiF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2272
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wIJCOfiF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C42.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1072
    • C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
      "C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe"
      2⤵
        PID:4028
      • C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
        "C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe"
        2⤵
          PID:2368
        • C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
          "C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe"
          2⤵
            PID:3956
          • C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
            "C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe"
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2696

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Persistence

        Scheduled Task/Job

        1
        T1053

        Privilege Escalation

        Scheduled Task/Job

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tutu1l3m.cqi.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp8C42.tmp
          Filesize

          1KB

          MD5

          3443de31389eb53f707cc8d4786f70f2

          SHA1

          6ac811634348044306d9f0337eb0ac2f9cdff917

          SHA256

          9866fe3ba2d756a312667c2296127684c81d3b92d5a6beb0ad17f210919661b9

          SHA512

          f96d648706616cd0c2d3ae95390dec8addd09ee2359cef762a801851517f5a82646508fc9b1fc12e156f78766ec6d02dbca439b8458c3af1c15999dc2a09d293

          Download Submit
        • memory/2272-31-0x0000000006270000-0x00000000062D6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/2272-55-0x0000000007BA0000-0x0000000007BBA000-memory.dmp
          Filesize

          104KB

          Download
        • memory/2272-68-0x00000000744B0000-0x0000000074C60000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2272-36-0x00000000064E0000-0x0000000006834000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2272-64-0x0000000007F00000-0x0000000007F1A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/2272-63-0x0000000007E00000-0x0000000007E14000-memory.dmp
          Filesize

          80KB

          Download
        • memory/2272-62-0x0000000007DF0000-0x0000000007DFE000-memory.dmp
          Filesize

          56KB

          Download
        • memory/2272-61-0x0000000003030000-0x0000000003040000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2272-14-0x0000000002F80000-0x0000000002FB6000-memory.dmp
          Filesize

          216KB

          Download
        • memory/2272-60-0x0000000003030000-0x0000000003040000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2272-16-0x00000000744B0000-0x0000000074C60000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2272-18-0x0000000003030000-0x0000000003040000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2272-17-0x0000000003030000-0x0000000003040000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2272-20-0x0000000005AC0000-0x00000000060E8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/2272-59-0x0000000007DC0000-0x0000000007DD1000-memory.dmp
          Filesize

          68KB

          Download
        • memory/2272-37-0x00000000055F0000-0x000000000560E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2272-58-0x00000000744B0000-0x0000000074C60000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2272-24-0x00000000060F0000-0x0000000006112000-memory.dmp
          Filesize

          136KB

          Download
        • memory/2272-57-0x0000000007E40000-0x0000000007ED6000-memory.dmp
          Filesize

          600KB

          Download
        • memory/2272-30-0x0000000006190000-0x00000000061F6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/2272-65-0x0000000007EE0000-0x0000000007EE8000-memory.dmp
          Filesize

          32KB

          Download
        • memory/2272-56-0x0000000007C10000-0x0000000007C1A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2272-54-0x00000000081E0000-0x000000000885A000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/2272-38-0x0000000006930000-0x000000000697C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/2272-39-0x0000000003030000-0x0000000003040000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2272-40-0x000000007EFA0000-0x000000007EFB0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2272-41-0x0000000006EA0000-0x0000000006ED2000-memory.dmp
          Filesize

          200KB

          Download
        • memory/2272-42-0x0000000070D70000-0x0000000070DBC000-memory.dmp
          Filesize

          304KB

          Download
        • memory/2272-52-0x0000000006E60000-0x0000000006E7E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2272-53-0x0000000007890000-0x0000000007933000-memory.dmp
          Filesize

          652KB

          Download
        • memory/2696-23-0x00000000012F0000-0x000000000163A000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2696-19-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/3896-1-0x00000000009F0000-0x0000000000A98000-memory.dmp
          Filesize

          672KB

          Download
        • memory/3896-2-0x0000000005B30000-0x00000000060D4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3896-5-0x0000000005530000-0x000000000553A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3896-22-0x00000000744B0000-0x0000000074C60000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3896-3-0x0000000005490000-0x0000000005522000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3896-7-0x0000000006DE0000-0x0000000006DEC000-memory.dmp
          Filesize

          48KB

          Download
        • memory/3896-8-0x00000000070E0000-0x0000000007156000-memory.dmp
          Filesize

          472KB

          Download
        • memory/3896-9-0x0000000009750000-0x00000000097EC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/3896-6-0x0000000005820000-0x0000000005832000-memory.dmp
          Filesize

          72KB

          Download
        • memory/3896-0-0x00000000744B0000-0x0000000074C60000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3896-4-0x00000000030F0000-0x0000000003100000-memory.dmp
          Filesize

          64KB

          Download