Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-08-2024 12:52

General

  • Target

    jpG.exe

  • Size

    1.1MB

  • MD5

    6db162a5cd29432c1922968c38d61b52

  • SHA1

    fef1f9828625cd773356a8026ba8db98ce2dff5a

  • SHA256

    0d19f3e45d3a107d0b326b3c2aa3a6cc0c8878c6424a523483408db0c196eab0

  • SHA512

    6ddcc696ae22be74197650708e1709ff45092d5549bacc159808b00f3ff409770ce7ea3438b9e7a59735a37d0281265073cc0d51d60a16809d695611d18494de

  • SSDEEP

    12288:LdD/HflxQZY976WkB5k86o6NYIBF0REAcJTlcB74mobf+0CxYoQJ74:LtHfKK76WZ86oymxcJTqB72bf5CpM74

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family (information stealer).

  • UAC bypass 3 TTPs 1 IoCs
  • Formbook payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jpG.exe
    "C:\Users\Admin\AppData\Local\Temp\jpG.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\jpG.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      2⤵
      PID:2608
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      2⤵
      PID:2788
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2092 -s 788
      2⤵
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2092-0-0x000007FEF5013000-0x000007FEF5014000-memory.dmp
    Filesize: 4KB
  • memory/2092-1-0x0000000000EF0000-0x0000000000F00000-memory.dmp
    Filesize: 64KB
  • memory/2092-2-0x0000000000020000-0x0000000000026000-memory.dmp
    Filesize: 24KB
  • memory/2092-3-0x000007FEF5010000-0x000007FEF59FC000-memory.dmp
    Filesize: 9.9MB
  • memory/2092-4-0x000000001A680000-0x000000001A708000-memory.dmp
    Filesize: 544KB
  • memory/2092-13-0x000007FEF5013000-0x000007FEF5014000-memory.dmp
    Filesize: 4KB
  • memory/2092-14-0x000007FEF5010000-0x000007FEF59FC000-memory.dmp
    Filesize: 9.9MB
  • memory/2788-11-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/2920-9-0x00000000029C0000-0x0000000002A40000-memory.dmp
    Filesize: 512KB
  • memory/2920-10-0x000000001B830000-0x000000001BB12000-memory.dmp
    Filesize: 2.9MB
  • memory/2920-12-0x0000000001D80000-0x0000000001D88000-memory.dmp
    Filesize: 32KB