Overview

overview

10

Static

static

3

ee7dd9158f...26.exe

windows7-x64

10

ee7dd9158f...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    27/07/2024, 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe

  • Size

    561KB

  • MD5

    01fbcc6559c010e59be1dc7b66c12e4f

  • SHA1

    657f058d4032447658f71265803f7a6d52a64532

  • SHA256

    ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26

  • SHA512

    8d83eea254360b6fcbb2a83ef6a6d26898a2370c151cdd36fc964509b27b4e5241ebff1d520d6bfb194ce14589c51d2387023ece6858c6a8e6a7634f7418fdcc

  • SSDEEP

    12288:0MHalYsHfne1TDq/MrmqiqaXpSxDHjFB0LobIgySCq:Jaltve1TmUvir4zZuLobSSF

Score
10/10
formbookgy15discoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy15

Decoy

yb40w.top

286live.com

poozonlife.com

availableweedsonline.com

22926839.com

petlovepet.fun

halbaexpress.com

newswingbd.com

discountdesh.com

jwoalhbn.xyz

dandevonald.com

incrediblyxb.christmas

ailia.pro

ga3ki3.com

99812.photos

richiecom.net

ummahskills.online

peakleyva.store

a1cbloodtest.com

insurancebygarry.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe
      "C:\Users\Admin\AppData\Local\Temp\ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KfYvtUBOq.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E65.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2936
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2616
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5E65.tmp
    Filesize

    1KB

    MD5

    5351fbc10699d661fe1b40b43cd5fb65

    SHA1

    f53ef185cfe57d783c89503d66e63b3b3b31b371

    SHA256

    e31c4b2663c18b9c83c015184088584a681c26db9e4f991a6d4f9c5047f26f04

    SHA512

    28794ae67d49afdd63dd7e09c80f37cd955c37efeda9b3063b62f6a90986bcfbc4fcd1314e6198fb1caf1ea57557e05b515a67d39c613dd3d8076c84904370bc

    Download Submit

  • memory/568-23-0x0000000000130000-0x000000000015F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/568-22-0x0000000000540000-0x0000000000634000-memory.dmp

    Filesize

    976KB

    Download

  • memory/1176-3-0x00000000004D0000-0x00000000004DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1176-4-0x00000000006A0000-0x00000000006AE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1176-5-0x0000000001FF0000-0x0000000002066000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1176-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-19-0x0000000073FB0000-0x000000007469E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1176-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1176-1-0x0000000000AF0000-0x0000000000B82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1252-21-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2616-13-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2616-18-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2616-15-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2616-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download