Overview

overview

10

Static

static

1

7MZSs0P9IvJHGya.exe

windows7-x64

10

7MZSs0P9IvJHGya.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-08-2024 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7MZSs0P9IvJHGya.exe

  • Size

    634KB

  • MD5

    b848cbbb4d07a75edc0f3bbedeacd096

  • SHA1

    73e77737438539c5f6d8547e9afcc160902a131c

  • SHA256

    f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929

  • SHA512

    16bf768045d05d7eda9352ec39d9dfff6847797213eac991c51536d6fadb51bd550d580ee725357aa08205f7c083ed57071d16ce94659f75d481f8a1e8c77aba

  • SSDEEP

    12288:d0tjlGAiSeURm5CO5OkpIkFSE6oGph+IoI3FocZziba2JGcJ4pelEteiAdkR:olGAOUejF2MSE4h+Iz3FF5Ca2JG2uel0

Score
10/10
formbookps15discoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ps15

Decoy

57797.asia

jhpwt.net

basketballdrillsforkids.com

zgzf6.rest

casinomaxnodepositbonus.icu

uptocryptonews.com

gomenasorry.com

fortanix.space

stripscity.xyz

genbotdiy.xyz

mayson-wedding.com

neb-hub.net

seancollinsmusic.com

migraine-treatment-57211.bond

prosperawoman.info

tradefairleads.tech

xn--yeminlitercme-6ob.com

xwaveevent.com

fashiontrendshub.xyz

window-replacement-80823.bond

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3396
    • C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe
      "C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1220
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WPszxeq.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4040
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WPszxeq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4B7.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:852
      • C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe
        "C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Windows\SysWOW64\control.exe
          "C:\Windows\SysWOW64\control.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    562199048a18eaab3533193ad448f95d

    SHA1

    584e508cf01ffd6e4453300e27fd39a2c3b3b7fd

    SHA256

    3e99d6ac6fc611559799adadd90aaf3b9ab80b55498eccd0a61e4ad044c91449

    SHA512

    ee7c9d0e83d1b5046065f59f8be2ecd30a2a232b2a889ee2b6e8848943697705ceabbb3e79cd59d073011571b55b5eaecd39955c2bbf52d219338a371e666ca5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_exzmwuwe.tnr.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpC4B7.tmp
    Filesize

    1KB

    MD5

    5258cecb3a656d17d9c5e1fa4416ffed

    SHA1

    640ce450f541eaa1006487f31be3c225ec7b15d8

    SHA256

    f37481a57d2250d78076bae96481e1185d711e21937ec1c04906a54752016494

    SHA512

    6bf0e07e8e20ce561c72358ac54feb85d7841728ca3b5ea1ebffc6537b8d001c9c6279bb8777d4e428dcfcaa33df9aa99d3df2df45f5a5acf089b33db900b2cc

    Download Submit

  • memory/1220-16-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1220-17-0x0000000005030000-0x0000000005658000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1220-76-0x0000000007210000-0x000000000721A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1220-75-0x00000000071B0000-0x00000000071CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1220-74-0x0000000007810000-0x0000000007E8A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1220-73-0x0000000006E50000-0x0000000006EF3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1220-65-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1220-15-0x0000000002550000-0x0000000002586000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1220-45-0x0000000005990000-0x0000000005CE4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1220-80-0x00000000073E0000-0x00000000073F4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1220-18-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1220-19-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1220-82-0x00000000074C0000-0x00000000074C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1220-53-0x0000000075100000-0x000000007514C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1220-50-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1220-24-0x00000000057A0000-0x0000000005806000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1220-88-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1220-25-0x0000000005810000-0x0000000005876000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1220-23-0x0000000005700000-0x0000000005722000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1220-49-0x0000000005E60000-0x0000000005E7E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1524-47-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1524-2-0x0000000005140000-0x00000000056E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1524-1-0x0000000000050000-0x00000000000F0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1524-0-0x000000007487E000-0x000000007487F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1524-3-0x0000000004B90000-0x0000000004C22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1524-4-0x0000000004AE0000-0x0000000004AEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1524-5-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1524-10-0x000000000B740000-0x000000000B7DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1524-9-0x0000000008630000-0x00000000086A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1524-8-0x0000000004E30000-0x0000000004E46000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1524-7-0x0000000004E20000-0x0000000004E2E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1524-6-0x0000000004CE0000-0x0000000004CFA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2912-91-0x0000000000AE0000-0x0000000000B07000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2912-92-0x0000000000E70000-0x0000000000E9F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3396-95-0x0000000008A70000-0x0000000008BBE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-20-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4040-81-0x00000000072B0000-0x00000000072CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4040-51-0x0000000006BC0000-0x0000000006BF2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4040-77-0x00000000071F0000-0x0000000007286000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4040-22-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4040-89-0x0000000074870000-0x0000000075020000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4040-52-0x0000000075100000-0x000000007514C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4040-79-0x00000000071A0000-0x00000000071AE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4040-78-0x0000000007170000-0x0000000007181000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4588-44-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4588-90-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download