Overview

overview

10

Static

static

5

68773735ef...45.exe

windows7-x64

10

68773735ef...45.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 05:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68773735efbd467e3286df5cbd2cc678926f0821ebbc9c2633b215b31d0b7d45.exe

  • Size

    1.0MB

  • MD5

    4bcaa831d3aed104046c10e47dc8850e

  • SHA1

    4f9e1249c407dbd9c0669f3158519eed96ae5980

  • SHA256

    68773735efbd467e3286df5cbd2cc678926f0821ebbc9c2633b215b31d0b7d45

  • SHA512

    332f8ac217cbcd1ddf94c0d782ac33eefb4578faedc99bcd88afbeac304b5efed16920c4e9403806f3214c16c1ccb05143279a204e846b1d6562206d7bdeae14

  • SSDEEP

    24576:0AHnh+eWsN3skA4RV1Hom2KXMmHa5ZchzV/S5:Dh+ZkldoPK8Ya5Zo5A

Score
10/10
formbookse63ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

se63

Decoy

socratesandhisclouds.com

versioncolor.com

ytcp011.com

908511.vip

egysrvs.com

ky5682011.cc

kkuu14.icu

wavebsb.com

klikadelivery.com

jnbxbpq.com

5o8oh.us

hemule.net

techinf.xyz

bevage.club

we37h.com

tipsde.shop

48136.vip

bestcampertrailerbrands.com

fairmedics.in

quixonic.tech

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Users\Admin\AppData\Local\Temp\68773735efbd467e3286df5cbd2cc678926f0821ebbc9c2633b215b31d0b7d45.exe
      "C:\Users\Admin\AppData\Local\Temp\68773735efbd467e3286df5cbd2cc678926f0821ebbc9c2633b215b31d0b7d45.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\68773735efbd467e3286df5cbd2cc678926f0821ebbc9c2633b215b31d0b7d45.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1020
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 712
        3⤵
        • Program crash
        PID:2024
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
          PID:4208
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2408 -ip 2408
      1⤵
        PID:2096

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1020-11-0x00000000006A0000-0x00000000006CF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1020-14-0x0000000001200000-0x000000000154A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/1020-16-0x0000000000ED0000-0x0000000000EE5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/1020-15-0x00000000006A0000-0x00000000006CF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2408-10-0x0000000000D20000-0x0000000000D24000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2792-18-0x0000000000110000-0x000000000024A000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2792-20-0x0000000000110000-0x000000000024A000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2792-21-0x0000000000980000-0x00000000009AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3456-17-0x0000000009290000-0x0000000009423000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3456-23-0x0000000009290000-0x0000000009423000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3456-26-0x000000000B2F0000-0x000000000B416000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/3456-27-0x000000000B2F0000-0x000000000B416000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/3456-30-0x000000000B2F0000-0x000000000B416000-memory.dmp
        Filesize

        1.1MB

        Download