Overview

overview

10

Static

static

1

6f4ef07076...83.exe

windows7-x64

10

6f4ef07076...83.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    12-08-2024 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f4ef07076ebad36eea92eeaeb42b91bdf910d4e93bc0bf6b4fc40e6d191ed83.exe

  • Size

    636KB

  • MD5

    1e07f9e0e115b0d56b8c051c9e38563e

  • SHA1

    e5a7b7eb96343d506ab16b17868d281cc0d9188b

  • SHA256

    6f4ef07076ebad36eea92eeaeb42b91bdf910d4e93bc0bf6b4fc40e6d191ed83

  • SHA512

    26a828670c0b8a8acc14c0000d40b4e1bf048254b690d257a8198acf33666b6e81886fef6914fb70cd0dd2a0cf0293fbf24124fdbc3276a9a0d073f0837df2bd

  • SSDEEP

    12288:NRzAiSeURm5WoixfKTYZAOqjygs3+ER4X0VgdOeHH51zo1sSzKihJgAjkR:NRzAOUemxSUZAyZDFiz611gA2

Score
10/10
formbookmd02discoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

md02

Decoy

onsen1508.com

partymaxclubmen36.click

texasshelvingwarehouse.com

tiantiying.com

taxcredits-pr.com

33mgbet.com

equipoleiremnacional.com

andrewghita.com

zbbnp.xyz

englandbreaking.com

a1b5v.xyz

vizamag.com

h0lg3.rest

ux-design-courses-17184.bond

of84.top

qqkartel88v1.com

avalynkate.com

cpuk-finance.com

yeslabs.xyz

webuyandsellpa.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\6f4ef07076ebad36eea92eeaeb42b91bdf910d4e93bc0bf6b4fc40e6d191ed83.exe
      "C:\Users\Admin\AppData\Local\Temp\6f4ef07076ebad36eea92eeaeb42b91bdf910d4e93bc0bf6b4fc40e6d191ed83.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6f4ef07076ebad36eea92eeaeb42b91bdf910d4e93bc0bf6b4fc40e6d191ed83.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZtrukSbkRD.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZtrukSbkRD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp204.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2852
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2308

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp204.tmp
    Filesize

    1KB

    MD5

    c39e25c0e3dc50e1a8494c8a66838a25

    SHA1

    ed05858d6d822579ba675a3fdca88d15fc0fe247

    SHA256

    70568c505d14d648d9aa43386dc9ea639b3e1c61fa865fe6376fcb4c009d4b47

    SHA512

    73a71c13870783b470f00aa127ddd2bdb4a1be6dd71701d6df6c5191941de18a6fedb6c90bb2b942f3dec6a09abaf5a84c28d1a228502f10d65395165c98e7f0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    7635a2d2117cc3c4a5dbef8c0b518db1

    SHA1

    0dfcb1314cebb07caf21b921909db63b9f35f953

    SHA256

    870e0e31058d92aa86eedef864f5e80f8fd6745a1197b7406570af62cf1206d0

    SHA512

    e4257db2e7f8121b0b33e01f91937cfe349fb9961a1e94b6b3830883a27a6c807c0872627744cb999b53d5d24dc5f549ba3e51af68efd7a649ebc3f14a4223e0

    Download Submit

  • memory/1252-33-0x00000000074D0000-0x000000000765B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1956-4-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1956-26-0x00000000745F0000-0x0000000074CDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1956-5-0x0000000000580000-0x0000000000596000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1956-6-0x00000000044A0000-0x0000000004516000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1956-3-0x00000000005D0000-0x00000000005EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1956-2-0x00000000745F0000-0x0000000074CDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1956-1-0x0000000000B80000-0x0000000000C20000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1956-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-27-0x0000000000AA0000-0x0000000000ABC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2652-28-0x00000000000D0000-0x00000000000FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2872-21-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2872-19-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2872-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-24-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download