Overview

overview

10

Static

static

3

573d8ee967...5d.exe

windows7-x64

10

573d8ee967...5d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe

  • Size

    2.2MB

  • MD5

    15c4948711c3ac6250ff98d0e5272b27

  • SHA1

    545a473d3a8fc3810fbb0ff04e2d4d28ab95bedb

  • SHA256

    573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d

  • SHA512

    d3a0e2273fb307b456f8c860028a489c26011dc75ffd6075473babf320962530d690319706ef03ba2869c2c7d91ec95933ab4c4ed13d755de79d55d82ae58a41

  • SSDEEP

    12288:WK9Xxc/7gzqLiOG1tBda9myeHjQPBPwrgiQa5o0fpfEXKX:n9XxcjgOG3Bda9WmPegiQa5Pftkm

Score
10/10
formbookgy15credential_accessdiscoveryevasionexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy15

Decoy

yb40w.top

286live.com

poozonlife.com

availableweedsonline.com

22926839.com

petlovepet.fun

halbaexpress.com

newswingbd.com

discountdesh.com

jwoalhbn.xyz

dandevonald.com

incrediblyxb.christmas

ailia.pro

ga3ki3.com

99812.photos

richiecom.net

ummahskills.online

peakleyva.store

a1cbloodtest.com

insurancebygarry.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Formbook payload 3 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3388
    • C:\Users\Admin\AppData\Local\Temp\573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe
      "C:\Users\Admin\AppData\Local\Temp\573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Checks computer location settings
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2724
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1756
      • C:\Program Files (x86)\Windows Mail\wab.exe
        "C:\Program Files (x86)\Windows Mail\wab.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1056
      • C:\Program Files (x86)\Windows Mail\wab.exe
        "C:\Program Files (x86)\Windows Mail\wab.exe"
        3⤵
          PID:1860
      • C:\Windows\SysWOW64\NETSTAT.EXE
        "C:\Windows\SysWOW64\NETSTAT.EXE"
        2⤵
        • Adds policy Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Gathers network information
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4420
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2820
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:3896

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      2
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      6
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      4
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\DB1
        Filesize

        40KB

        MD5

        a182561a527f929489bf4b8f74f65cd7

        SHA1

        8cd6866594759711ea1836e86a5b7ca64ee8911f

        SHA256

        42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

        SHA512

        9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apcmc0f4.3qf.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7P9NRRT0\7P9logim.jpeg
        Filesize

        75KB

        MD5

        bf8ae6d932ea5f7579d617f425105b2c

        SHA1

        d427c73926df01d8b8b8a36759c8744dc1e147ed

        SHA256

        2a1db90c0f73502faff9cdb4fd1284ac85c9b613048b68e67002bd5136fc85ea

        SHA512

        997e422a8b801a02bd1e19e84735a9002d795c32aed266a59432781baaa9fff5a949e1e82f444c39c5b6c6cc605847050d2b93d24c9c891c863e32c26e3551ca

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7P9NRRT0\7P9logrf.ini
        Filesize

        40B

        MD5

        2f245469795b865bdd1b956c23d7893d

        SHA1

        6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

        SHA256

        1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

        SHA512

        909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7P9NRRT0\7P9logrg.ini
        Filesize

        38B

        MD5

        4aadf49fed30e4c9b3fe4a3dd6445ebe

        SHA1

        1e332822167c6f351b99615eada2c30a538ff037

        SHA256

        75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

        SHA512

        eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7P9NRRT0\7P9logri.ini
        Filesize

        40B

        MD5

        d63a82e5d81e02e399090af26db0b9cb

        SHA1

        91d0014c8f54743bba141fd60c9d963f869d76c9

        SHA256

        eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

        SHA512

        38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7P9NRRT0\7P9logrv.ini
        Filesize

        872B

        MD5

        bbc41c78bae6c71e63cb544a6a284d94

        SHA1

        33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

        SHA256

        ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

        SHA512

        0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

        Download Submit

      • memory/1056-4-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1056-9-0x0000000000E20000-0x0000000000E35000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1056-11-0x0000000001170000-0x00000000014BA000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1056-12-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1756-8-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1756-6-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1756-18-0x00000125A9170000-0x00000125A9192000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1756-25-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1756-5-0x00007FFBE2003000-0x00007FFBE2005000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2724-2-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2724-0-0x000002316C6B0000-0x000002316C6BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2724-1-0x00007FFBE2003000-0x00007FFBE2005000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2724-3-0x000002316EA80000-0x000002316EB06000-memory.dmp

        Filesize

        536KB

        Download

      • memory/2724-26-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3388-47-0x0000000008CC0000-0x0000000008E16000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3388-10-0x0000000008B40000-0x0000000008CBA000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4420-28-0x0000000000CF0000-0x0000000000D1F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/4420-27-0x0000000000730000-0x000000000073B000-memory.dmp

        Filesize

        44KB

        Download