Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-08-2024 01:23

General

  • Target
    f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929.exe
  • Size
    634KB
  • MD5
    b848cbbb4d07a75edc0f3bbedeacd096
  • SHA1
    73e77737438539c5f6d8547e9afcc160902a131c
  • SHA256
    f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929
  • SHA512
    16bf768045d05d7eda9352ec39d9dfff6847797213eac991c51536d6fadb51bd550d580ee725357aa08205f7c083ed57071d16ce94659f75d481f8a1e8c77aba
  • SSDEEP
    12288:d0tjlGAiSeURm5CO5OkpIkFSE6oGph+IoI3FocZziba2JGcJ4pelEteiAdkR:olGAOUejF2MSE4h+Iz3FF5Ca2JG2uel0

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    ps15
  • Decoy
    57797.asia
    jhpwt.net
    basketballdrillsforkids.com
    zgzf6.rest
    casinomaxnodepositbonus.icu
    uptocryptonews.com
    gomenasorry.com
    fortanix.space
    stripscity.xyz
    genbotdiy.xyz
    mayson-wedding.com
    neb-hub.net
    seancollinsmusic.com
    migraine-treatment-57211.bond
    prosperawoman.info
    tradefairleads.tech
    xn--yeminlitercme-6ob.com
    xwaveevent.com
    fashiontrendshub.xyz
    window-replacement-80823.bond

Signatures

  • Formbook

    Formbook is data-stealing malware.

  • Formbook payload (1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (19 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929.exe
    "C:\Users\Admin\AppData\Local\Temp\f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WPszxeq.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WPszxeq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp14E8.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2884
    • C:\Users\Admin\AppData\Local\Temp\f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929.exe
      "C:\Users\Admin\AppData\Local\Temp\f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3048

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp14E8.tmp
    Filesize: 1KB
    MD5: 8f453fd433e454209d503d5f31dceb0a
    SHA1: deed2d6d50cf043019f62bc87d1dfe80d266a8b5
    SHA256: 4b3a2c6847b2d51978950be328b27c255dc6dd4e50b057ff29c3df2bd4e55490
    SHA512: 63768355a0eed29fb4f884d8cc14986ddb65e04849b6c0c8ea63f5a4750889f37822170e66839fa5b9fdc5b3475a8f5acf0fb5be21390bd56fcd4629ecf89c0d
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: d146ea6b9b1158ff48e9149eac88adad
    SHA1: aa538341e190593204ee8a2f8f59ee0a73273aff
    SHA256: 9486b3c996b90fe65a0e44560dcd0a7cbfa0d5c7cc920d910fdf35b2f942368a
    SHA512: cfd2df74fb61dba04f7b563cedd50ae34bce71043c4d95712b1497350bd6216f516f3b4a9e2777a9f0799189421337a395c89ede71a14172d77818e38aefeba0
  • memory/2372-6-0x0000000004830000-0x00000000048A6000-memory.dmp
    Filesize: 472KB
  • memory/2372-3-0x0000000000750000-0x000000000076A000-memory.dmp
    Filesize: 104KB
  • memory/2372-4-0x0000000000310000-0x000000000031E000-memory.dmp
    Filesize: 56KB
  • memory/2372-5-0x0000000000490000-0x00000000004A6000-memory.dmp
    Filesize: 88KB
  • memory/2372-0-0x000000007462E000-0x000000007462F000-memory.dmp
    Filesize: 4KB
  • memory/2372-2-0x0000000074620000-0x0000000074D0E000-memory.dmp
    Filesize: 6.9MB
  • memory/2372-1-0x00000000009C0000-0x0000000000A60000-memory.dmp
    Filesize: 640KB
  • memory/2372-25-0x0000000074620000-0x0000000074D0E000-memory.dmp
    Filesize: 6.9MB
  • memory/3048-24-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/3048-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB
  • memory/3048-19-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/3048-21-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB