Overview

overview

10

Static

static

3

HEC Batang...ge.exe

windows7-x64

10

HEC Batang...ge.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    26-08-2024 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe

  • Size

    1.6MB

  • MD5

    a03c2d4c4885db5f3e8264e2e0523ee9

  • SHA1

    53d45a80e79d121ec6745cf8816acb7e6598b897

  • SHA256

    9dbaa66ef9f31c83ab943932bc96eaf2d6e9c1995b427c75e6e9a259f2c91697

  • SHA512

    6f2ec109bf1e5b96f35d2b8ff1cc8facad31f329adad3486198f5b80ba38e7a17bf6a10d355f770f4b05b16dc1fedacf43afeaecabdfc8d34b8e998e14135433

  • SSDEEP

    24576:xlUjX00wR9Uqk8qW0gmRR1Gbp0PjcET+v3JR945EIy8o:xKjXMR9UN8lYGbp0P4E6v3Jf4

Score
10/10
formbookrzndiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rzn

Decoy

lyeth.net

annatdinh.com

amber-pozzi.com

kalunenterprise.com

knightskysbts.com

drnishamaharaj.com

neverendingbreadsticks.com

asuvac.com

snapbidz.com

autovistoriapredial.net

eskisla.com

fiorej.com

probuscee.com

elysme.com

laizdancefit.com

pet-imports.com

imasshipping.com

greenflagcars.com

essentialoilphotos.com

demolition4us.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe
      "C:\Users\Admin\AppData\Local\Temp\HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TbBsVt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA737.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2388
      • C:\Users\Admin\AppData\Local\Temp\HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe
        "C:\Users\Admin\AppData\Local\Temp\HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3056
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:3060
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA737.tmp
    Filesize

    1KB

    MD5

    28e929d0691771df7fa14ac944ad1612

    SHA1

    a982786121f01f407b9d9f1f928a8acb7788792d

    SHA256

    7a0c1e044cad156b92b35e548c8df059a7138ba4fa3ce640cb4c588c72237fa0

    SHA512

    33fc5d0643543438f07eb3deebd8d4abbf9e53d67840b65eb0a8680574ffe63ef74fddf4203649c467b86b0c375978cd2f408f80a6efa338ab545f9b1b90939d

    Download Submit

  • memory/1256-33-0x0000000007850000-0x00000000079B8000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1256-38-0x0000000007850000-0x00000000079B8000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1256-27-0x0000000006E40000-0x0000000006FD7000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1256-32-0x0000000006E40000-0x0000000006FD7000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1820-1-0x00000000001C0000-0x000000000036A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1820-7-0x000000007459E000-0x000000007459F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1820-2-0x0000000074590000-0x0000000074C7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1820-6-0x00000000004F0000-0x00000000004FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1820-9-0x00000000049C0000-0x0000000004A1C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/1820-8-0x0000000074590000-0x0000000074C7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1820-0-0x000000007459E000-0x000000007459F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1820-28-0x0000000074590000-0x0000000074C7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2716-37-0x0000000000090000-0x000000000009E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2716-35-0x0000000000090000-0x000000000009E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2716-34-0x0000000000090000-0x000000000009E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3056-22-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3056-23-0x0000000000A90000-0x0000000000D93000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3056-26-0x0000000000180000-0x0000000000194000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3056-31-0x0000000000390000-0x00000000003A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3056-30-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3056-25-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3056-15-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3056-17-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3056-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download