Overview

overview

10

Static

static

3

Statement ...nt.exe

windows7-x64

10

Statement ...nt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    23-04-2024 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Statement Of Account.exe

  • Size

    772KB

  • MD5

    da68e8ff4e0c0d00c613fa9301cf4a37

  • SHA1

    7456cf2540dce6403407b532c502ce5abb07e9ec

  • SHA256

    b7def3af905789a4ecedcc226d91592d8bc758ce8c5458d62ef435707de8670f

  • SHA512

    3ac31e76311ad1acec983dedb6f2142471a6225bb279a5c9425fd75a15971d2e635ec4d7dfc8a060b1d647ef67d168504452a4acf4500047f31c63c932de99f6

  • SSDEEP

    12288:xSNhWU2EOum32U5Gt68PG+SAJYyEQzHmt5xCohEotOJ6E+L+BtN:xSLrvUGt07MY9xCohEl8LaN

Score
10/10
formbookgs12ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gs12

Decoy

juniavilela.com

italiahealth.club

freefoodpro.com

qqmotor.co

mosahacatering.com

wocc.club

tourly360.com

airzf.com

eternalknot1008.com

pons.cc

zdryueva.com

bodution.website

vip8g100013.top

3box.club

bestoffersinoneplace.com

tronbank.club

hlysh.live

allfireofferapp.sbs

goldenvistaservices.com

theconfidencebl-youprint.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Statement Of Account.exe
    "C:\Users\Admin\AppData\Local\Temp\Statement Of Account.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Statement Of Account.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SdYCcXyq.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37D2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2772
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 36
        3⤵
        • Program crash
        PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp37D2.tmp
    Filesize

    1KB

    MD5

    5b9c96afeddca21dbcec4805a00e657a

    SHA1

    b801ba274ae1b470e0b3eac46446641371479689

    SHA256

    3a0abbe9c368abb2dc21c7e39cccac9fc333002dd4fc22ecfef3e3100682b28c

    SHA512

    077f1e0e1e537d74ac667d22fbeddfb0e4f0d227bb3aefb83222ba625962f0bfb26c4a9dfc1037be89c1a2f1957dabcdae4af76a7425f343c2d32478f1ffa55e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    f0e98ee87b5b931dbb3725dc97c8fc02

    SHA1

    15cef4982b4718cf198ad06971a706e4bccc4e21

    SHA256

    f671484e9638784e7fbe504ee6150da8ee750348407d39abbb94c96f071592d0

    SHA512

    45acbea9f270606b3228f1c0836df8fdb94c67b66308b271ad09b60f6f0069cfe495df6e6aa1d02129701248c9f1fa9962bda52630458144e830b585c498afb0

    Download Submit
  • memory/1728-1-0x0000000074830000-0x0000000074F1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1728-0-0x00000000009A0000-0x0000000000A68000-memory.dmp
    Filesize

    800KB

    Download
  • memory/1728-2-0x0000000004C30000-0x0000000004C70000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1728-3-0x0000000000500000-0x0000000000518000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1728-4-0x00000000004B0000-0x00000000004BE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1728-5-0x0000000000560000-0x0000000000574000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1728-6-0x00000000001D0000-0x0000000000246000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1728-31-0x0000000074830000-0x0000000074F1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2152-24-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2152-27-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2152-30-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2152-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2540-21-0x0000000001BC0000-0x0000000001C00000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2540-23-0x000000006F3F0000-0x000000006F99B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2540-19-0x000000006F3F0000-0x000000006F99B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2540-32-0x000000006F3F0000-0x000000006F99B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2592-22-0x0000000002740000-0x0000000002780000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2592-25-0x000000006F3F0000-0x000000006F99B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2592-20-0x000000006F3F0000-0x000000006F99B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2592-33-0x000000006F3F0000-0x000000006F99B000-memory.dmp
    Filesize

    5.7MB

    Download