Overview

overview

10

Static

static

3

1541552b46...3c.exe

windows7-x64

10

1541552b46...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/07/2024, 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1541552b46b3b5a0d35698ce1d6bde3da40971bfda8d65897b2d6f343d815e3c.exe

  • Size

    831KB

  • MD5

    5ca90548bfafebd308ac134e049c334c

  • SHA1

    bf538269ba7f53b4bb1ceac79c7a7f296b7e2715

  • SHA256

    1541552b46b3b5a0d35698ce1d6bde3da40971bfda8d65897b2d6f343d815e3c

  • SHA512

    eb9592d086a537290263770f5b7edc7f1dc679aaf22dd592763211794cc0433be770ce52b3116a3a9bee9d1846b8c33972a437d6ee73db9d6646c4a16c078f76

  • SSDEEP

    24576:v/1zRDvw29GtsBaF0wqlK/qhgT/qLU1GYlafA:vtdw20tP0dlYZ/qLUWfA

Score
10/10
formbookmd02discoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

md02

Decoy

onsen1508.com

partymaxclubmen36.click

texasshelvingwarehouse.com

tiantiying.com

taxcredits-pr.com

33mgbet.com

equipoleiremnacional.com

andrewghita.com

zbbnp.xyz

englandbreaking.com

a1b5v.xyz

vizamag.com

h0lg3.rest

ux-design-courses-17184.bond

of84.top

qqkartel88v1.com

avalynkate.com

cpuk-finance.com

yeslabs.xyz

webuyandsellpa.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Users\Admin\AppData\Local\Temp\1541552b46b3b5a0d35698ce1d6bde3da40971bfda8d65897b2d6f343d815e3c.exe
      "C:\Users\Admin\AppData\Local\Temp\1541552b46b3b5a0d35698ce1d6bde3da40971bfda8d65897b2d6f343d815e3c.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1541552b46b3b5a0d35698ce1d6bde3da40971bfda8d65897b2d6f343d815e3c.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3372
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cqvYbdRxczOjiH.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3656
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cqvYbdRxczOjiH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21CB.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3076
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3760
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    4bddc7d6ad2f56e0747508a546f4521d

    SHA1

    9da0e6eb1729d52e17c6dce9e1f2038386f9315f

    SHA256

    67bf1d8dbc6864e65d36c6e15690d08880c4081b72ee5aa71da5a24d975c3d53

    SHA512

    16cc681d84c64f7e6f51048b850d279aff473ba660d8902394c59810a780288e0f3898675839fb28ab81dc946b0dd52935385fb31b780eff822d6b26a6a17098

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ek2qords.5ty.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp21CB.tmp
    Filesize

    1KB

    MD5

    1a629a10600ab1409e9366b8b47d638e

    SHA1

    483565e47bc60a6d341055b9fa9ece8ae029e777

    SHA256

    1d366970baba6931bd2385785503271b82712e63d9e0bedcca83799d6628ded4

    SHA512

    1a1f4b07998c7f514e024744f7a666ce48aa94dbb4b3da0319066862fd137547628cc1cce08328e16bfb37420570ed70da768a4867535899ffc9f0fadc5c47be

    Download Submit

  • memory/1116-85-0x0000000000260000-0x0000000000272000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1116-96-0x0000000000970000-0x000000000099F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1116-86-0x0000000000260000-0x0000000000272000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1116-88-0x0000000000260000-0x0000000000272000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3372-81-0x0000000007940000-0x000000000794E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3372-84-0x0000000007A30000-0x0000000007A38000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3372-94-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3372-77-0x0000000007710000-0x000000000772A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3372-54-0x0000000074DB0000-0x0000000074DFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3372-17-0x0000000004E50000-0x0000000004E86000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3372-19-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3372-18-0x0000000005560000-0x0000000005B88000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3372-20-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3372-24-0x0000000005B90000-0x0000000005BF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3372-23-0x0000000005310000-0x0000000005332000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3372-25-0x0000000005C80000-0x0000000005CE6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3456-99-0x0000000008620000-0x0000000008725000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3656-79-0x0000000007D90000-0x0000000007E26000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3656-83-0x0000000007E50000-0x0000000007E6A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3656-22-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3656-30-0x0000000006200000-0x0000000006554000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3656-82-0x0000000007D50000-0x0000000007D64000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3656-21-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3656-95-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3656-51-0x00000000067E0000-0x00000000067FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3656-52-0x0000000006DB0000-0x0000000006DFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3656-80-0x0000000007D10000-0x0000000007D21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3656-55-0x0000000074DB0000-0x0000000074DFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3656-53-0x00000000077D0000-0x0000000007802000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3656-74-0x0000000006D30000-0x0000000006D4E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3656-75-0x0000000007A10000-0x0000000007AB3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3656-76-0x0000000008150000-0x00000000087CA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3656-27-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3656-78-0x0000000007B80000-0x0000000007B8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3760-40-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4020-11-0x000000007452E000-0x000000007452F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4020-10-0x0000000006A70000-0x0000000006B0C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4020-0-0x000000007452E000-0x000000007452F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4020-12-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4020-9-0x0000000006960000-0x00000000069D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4020-8-0x0000000002FA0000-0x0000000002FAC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4020-7-0x00000000059D0000-0x00000000059D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4020-6-0x0000000008130000-0x000000000814A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4020-5-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4020-49-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4020-4-0x00000000057E0000-0x00000000057EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4020-3-0x0000000005720000-0x00000000057B2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4020-2-0x0000000005DB0000-0x0000000006354000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4020-1-0x0000000000C70000-0x0000000000D46000-memory.dmp

    Filesize

    856KB

    Download