Overview

overview

10

Static

static

1

NEcFLmCS7qNMwHy.exe

windows7-x64

10

NEcFLmCS7qNMwHy.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-08-2024 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEcFLmCS7qNMwHy.exe

  • Size

    783KB

  • MD5

    9b27789c9feb9bddebfee2519a9b64d7

  • SHA1

    36dbadc4856937b197e467a7ef8ccbfb329d19bb

  • SHA256

    8d68ad78eb364b147233b29bbeab6309a47289090ca2672e90fb299a37111f62

  • SHA512

    bbb60df42f05faa819644b8204ac02dfcbb0d3a76ff956518ae3803084a6454d42c7f3df1d118e7ae8437eae03586ca27c666a3dcadecd048328632936aa0e5f

  • SSDEEP

    24576:KP9a8MbV6y2KYpA5IM8UCC4DIyNm3Czh17:9bVOhUEMov

Score
10/10
formbookps15discoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ps15

Decoy

57797.asia

jhpwt.net

basketballdrillsforkids.com

zgzf6.rest

casinomaxnodepositbonus.icu

uptocryptonews.com

gomenasorry.com

fortanix.space

stripscity.xyz

genbotdiy.xyz

mayson-wedding.com

neb-hub.net

seancollinsmusic.com

migraine-treatment-57211.bond

prosperawoman.info

tradefairleads.tech

xn--yeminlitercme-6ob.com

xwaveevent.com

fashiontrendshub.xyz

window-replacement-80823.bond

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\NEcFLmCS7qNMwHy.exe
        "C:\Users\Admin\AppData\Local\Temp\NEcFLmCS7qNMwHy.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEcFLmCS7qNMwHy.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2436
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WIHIGiLl.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1572
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WIHIGiLl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC2E.tmp"
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2420
        • C:\Users\Admin\AppData\Local\Temp\NEcFLmCS7qNMwHy.exe
          "C:\Users\Admin\AppData\Local\Temp\NEcFLmCS7qNMwHy.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\SysWOW64\msiexec.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2520
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\NEcFLmCS7qNMwHy.exe"
              5⤵
              • Deletes itself
              • System Location Discovery: System Language Discovery
              PID:2396

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpBC2E.tmp
      Filesize

      1KB

      MD5

      e75c6cb51ca0badd57fd7fee3d0f864a

      SHA1

      029a2413d6814ae28fa94340d5d5cf877f1fe05b

      SHA256

      362fb7072387afe7f7cce73ea1c79ed18f466ceda0eb082afd9656d19e79427d

      SHA512

      f38283876965b945e5f0f5c47130816b331012cb289682f93d891b9bac4baf87c7c61b1bfad423cb3cbfd929e0f99363b9be7bf0a78816e3fcc06716e2c5b4e2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\96PWMDSRRYPYRKEBMK94.temp
      Filesize

      7KB

      MD5

      ed7b3fb6dd77109e93f42f0e4c567be4

      SHA1

      ea6c94d670e2649dd9cdf2c5de213109ee8fb505

      SHA256

      681e9849231c4f7800943c18b04b63e860423c3a96ba7a2c63b4b6730c87df13

      SHA512

      41cb2ab7a66ca3abcf3b99e8b00bd53c0cf5b3c0adaffc9340e7086b588dc602cf63bdec1818dfe1f49157d7cb0f404a4ad6e54521d0e67cb853d0fa8ec30ced

      Download Submit

    • memory/1604-4-0x00000000009D0000-0x00000000009EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1604-26-0x0000000074790000-0x0000000074E7E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1604-0-0x000000007479E000-0x000000007479F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1604-5-0x00000000009F0000-0x00000000009FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1604-6-0x0000000000A00000-0x0000000000A16000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1604-7-0x00000000056E0000-0x0000000005756000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1604-2-0x0000000006CA0000-0x0000000006D3A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/1604-1-0x0000000000C50000-0x0000000000D18000-memory.dmp

      Filesize

      800KB

      Download

    • memory/1604-3-0x0000000074790000-0x0000000074E7E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2520-29-0x00000000005D0000-0x00000000005E4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2520-31-0x00000000005D0000-0x00000000005E4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2520-32-0x0000000000090000-0x00000000000BF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2628-22-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2628-25-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2628-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2628-21-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2628-28-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download