Analysis

  • max time kernel
    145s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-08-2024 09:20

General

  • Target

    573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe

  • Size

    2.2MB

  • MD5

    15c4948711c3ac6250ff98d0e5272b27

  • SHA1

    545a473d3a8fc3810fbb0ff04e2d4d28ab95bedb

  • SHA256

    573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d

  • SHA512

    d3a0e2273fb307b456f8c860028a489c26011dc75ffd6075473babf320962530d690319706ef03ba2869c2c7d91ec95933ab4c4ed13d755de79d55d82ae58a41

  • SSDEEP

    12288:WK9Xxc/7gzqLiOG1tBda9myeHjQPBPwrgiQa5o0fpfEXKX:n9XxcjgOG3Bda9WmPegiQa5Pftkm

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy15

Decoy

yb40w.top

286live.com

poozonlife.com

availableweedsonline.com

22926839.com

petlovepet.fun

halbaexpress.com

newswingbd.com

discountdesh.com

jwoalhbn.xyz

dandevonald.com

incrediblyxb.christmas

ailia.pro

ga3ki3.com

99812.photos

richiecom.net

ummahskills.online

peakleyva.store

a1cbloodtest.com

insurancebygarry.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family (information stealer).

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Formbook payload 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Windows security modification 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Users\Admin\AppData\Local\Temp\573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe
      "C:\Users\Admin\AppData\Local\Temp\573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Checks computer location settings
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3708
      • C:\Windows\System32\svchost.exe
        "C:\Windows\System32\svchost.exe"
        3⤵
        PID:1488
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
        3⤵
        PID:4016
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:228
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        3⤵
        PID:788
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4212
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilpempkv.uje.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/228-26-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/228-19-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/228-21-0x0000000001710000-0x0000000001A5A000-memory.dmp

    Filesize

    3.3MB

  • memory/228-23-0x0000000001AB0000-0x0000000001AC5000-memory.dmp

    Filesize

    84KB

  • memory/1132-2-0x00007FF9CAA00000-0x00007FF9CB4C1000-memory.dmp

    Filesize

    10.8MB

  • memory/1132-0-0x00000228DEE50000-0x00000228DEE5A000-memory.dmp

    Filesize

    40KB

  • memory/1132-1-0x00007FF9CAA03000-0x00007FF9CAA05000-memory.dmp

    Filesize

    8KB

  • memory/1132-25-0x00007FF9CAA00000-0x00007FF9CB4C1000-memory.dmp

    Filesize

    10.8MB

  • memory/1132-3-0x00000228F9410000-0x00000228F9496000-memory.dmp

    Filesize

    536KB

  • memory/3572-32-0x0000000008200000-0x00000000082DA000-memory.dmp

    Filesize

    872KB

  • memory/3572-24-0x0000000008AB0000-0x0000000008C5D000-memory.dmp

    Filesize

    1.7MB

  • memory/3572-30-0x0000000008AB0000-0x0000000008C5D000-memory.dmp

    Filesize

    1.7MB

  • memory/3708-16-0x00007FF9CAA00000-0x00007FF9CB4C1000-memory.dmp

    Filesize

    10.8MB

  • memory/3708-15-0x00007FF9CAA00000-0x00007FF9CB4C1000-memory.dmp

    Filesize

    10.8MB

  • memory/3708-14-0x000002B8E9A00000-0x000002B8E9A22000-memory.dmp

    Filesize

    136KB

  • memory/3708-4-0x00007FF9CAA00000-0x00007FF9CB4C1000-memory.dmp

    Filesize

    10.8MB

  • memory/3708-20-0x00007FF9CAA00000-0x00007FF9CB4C1000-memory.dmp

    Filesize

    10.8MB

  • memory/4212-27-0x0000000000300000-0x0000000000357000-memory.dmp

    Filesize

    348KB

  • memory/4212-28-0x0000000000EC0000-0x0000000000EEF000-memory.dmp

    Filesize

    188KB