Analysis

  • max time kernel: 150s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24-05-2024 10:26

General

  • Target: acb58cf1f819372ca5f461636f47ef790ec5d2748a5eaa3676104e46cdca1b19.msi
  • Size: 480KB
  • MD5: 6d7ada8915023eb188f47444a77d169d
  • SHA1: f87023a7c0de6b0ff4b0b2b799e58f41b938c332
  • SHA256: acb58cf1f819372ca5f461636f47ef790ec5d2748a5eaa3676104e46cdca1b19
  • SHA512: d37cf81df8f8dc64c5d5f0d68a2ad428b7d7d31658dd6980bc27db0d3dbc3ef44776012ea72feafc1c3348b0c9cd3599ce89168aa7edd992769dca26a98cc084
  • SSDEEP: 12288:TEqy7sSW7kNUhBiTL1wuG2YVkp455oaomdIbTbq:TE5wzAQUTO/2SkpWon

Malware Config

Extracted

  • Family: formbook
  • Version: 3.9
  • Campaign: ai
  • Decoy


Signatures

  • Formbook

    Formbook is data-stealing malware.

  • Formbook payload (1 IoC)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext (3 IoCs)
  • Drops file in Windows directory (8 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (42 IoCs)
  • Suspicious behavior: MapViewOfSection (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (17 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE (depth 1)
    C:\Windows\Explorer.EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID: 3440
    • C:\Windows\system32\msiexec.exe (depth 2)
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\acb58cf1f819372ca5f461636f47ef790ec5d2748a5eaa3676104e46cdca1b19.msi
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID: 4556
    • C:\Windows\SysWOW64\netsh.exe (depth 2)
      "C:\Windows\SysWOW64\netsh.exe"
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID: 4708
      • C:\Windows\SysWOW64\cmd.exe (depth 3)
        /c del "C:\Windows\Installer\MSIAD67.tmp"
        PID: 2068
  • C:\Windows\system32\msiexec.exe (depth 1)
    C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID: 3652
    • C:\Windows\system32\srtasks.exe (depth 2)
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      • Suspicious use of AdjustPrivilegeToken
      PID: 4876
    • C:\Windows\Installer\MSIAD67.tmp (depth 2)
      "C:\Windows\Installer\MSIAD67.tmp"
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID: 1692
      • C:\Windows\Installer\MSIAD67.tmp (depth 3)
        "C:\Windows\Installer\MSIAD67.tmp"
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID: 372
  • C:\Windows\system32\vssvc.exe (depth 1)
    C:\Windows\system32\vssvc.exe
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID: 4020

Downloads

  • C:\Config.Msi\e57ac21.rbs
    Filesize: 681B
    MD5: 8265e67c7ef56672480f25c64bfe7e7d
    SHA1: 1ccb1478c65643501dd46c0de91871c906346c62
    SHA256: ea49ad09bd3b664f4494ebc6a251fe6ed9c6e390df5569b34281f0529f139569
    SHA512: c189b18ca3aa383d02ce3c5e2256ddefdd5bd06f56b4f92a8898477c03039b72a5e727707ab5a69fcb262d8ae84bb3a414af55e10e4ddf7b85534ee79c755392

  • C:\Windows\Installer\MSIAD67.tmp
    Filesize: 453KB
    MD5: fb6874156f7530ccaac5c0c8b4ab22ba
    SHA1: 8e70fa2fb16735594c961db602ccd965f7634122
    SHA256: 6e7119cc172059cedc3933aa66cfbe816196859a1bb87604ac8253ddebf85f8b
    SHA512: 56f131092278769526e5d8b784be32781d7c36cbdf14e535919ab654b5a5c9ae7d7734c6549e92bad18b3b5289f9b86a820daed2bdc18fc78392455dfefa1f90

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 23.7MB
    MD5: 4ff3740ae5098a7b15474f0a10f3afa6
    SHA1: 59400ca82c90056bf949972606da562ce11cbedc
    SHA256: be7d4defcf951592556737505d50ba4f1153a2fb07f4ea1eb60561480f58e535
    SHA512: eded1df7c4b53765cd2ca7f03dfb8003a367adf3d2ef1498ba87c263943b2cd6779ff33eb30e28d57518dd02bfc58fdf4be8f7c3605b95cfc2ae23105b7e57b7

  • \??\Volume{b8b1c3f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{83224c48-7eb9-4d09-bda3-180880608ab4}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: 4a49213e3b8509074f8eb52dfa9e9101
    SHA1: df3e72d874f905648f3369f8c918fbe71062766a
    SHA256: e666b8ced12883ab1bb8ed5ec47544259798760938cfbc8fa294da7f48f9859e
    SHA512: bac623776027496734dfb763d150ccecd605880328fc869d471162470988d335d7d2e951f04f045101504d3f3bbb88ec43c9213ef183113866ccbe6e049cf70c

  • memory/372-21-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
  • memory/1692-17-0x00000000029F0000-0x00000000029FA000-memory.dmp (Filesize: 40KB)
  • memory/1692-16-0x0000000005140000-0x000000000515E000-memory.dmp (Filesize: 120KB)
  • memory/1692-15-0x0000000005090000-0x00000000050C0000-memory.dmp (Filesize: 192KB)
  • memory/1692-14-0x0000000005180000-0x0000000005212000-memory.dmp (Filesize: 584KB)
  • memory/1692-20-0x00000000089B0000-0x0000000008A4C000-memory.dmp (Filesize: 624KB)
  • memory/1692-13-0x0000000005730000-0x0000000005CD4000-memory.dmp (Filesize: 5.6MB)
  • memory/1692-12-0x00000000007A0000-0x000000000081A000-memory.dmp (Filesize: 488KB)
  • memory/3440-43-0x00000000088B0000-0x000000000899E000-memory.dmp (Filesize: 952KB)
  • memory/4708-35-0x00000000015F0000-0x000000000160E000-memory.dmp (Filesize: 120KB)
  • memory/4708-36-0x00000000015F0000-0x000000000160E000-memory.dmp (Filesize: 120KB)