Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-09-2024 07:08

General

  • Target

    payment.exe

  • Size

    1.6MB

  • MD5

    45a4e5d5a6cf73ca933df94dc0717abf

  • SHA1

    17172d6433ca3efc9e0e7aadfb73820c786fa974

  • SHA256

    ed2ac5e893ba48ab637927b1ea3092fa88f0c5ac83125d63c2bf6983f5fe9592

  • SHA512

    316965afa3da625c082d24924c8079e5cf812654b166784c6341623d8e7b98a0733d6629ab2a8d9d4eaa5de1ba964cdaa4477ffb7a5740aa500b8be4a73ab85e

  • SSDEEP

    49152:iAodtaG9kS2U84B+FLan9k5TRM9zl2Vj8HF9nVLn7:G/B1PHFDLn7

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payment.exe
    "C:\Users\Admin\AppData\Local\Temp\payment.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\regedit.exe
      "C:\Windows\regedit.exe"
      2⤵
      • Runs regedit.exe
      PID:2648
    • C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      2⤵
      PID:2736
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
      2⤵
      PID:2748
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
      2⤵
      PID:2792
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:2764
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      2⤵
      PID:2696
    • C:\Windows\System32\svchost.exe
      "C:\Windows\System32\svchost.exe"
      2⤵
      PID:2664
    • C:\Program Files (x86)\Windows Mail\wab.exe
      "C:\Program Files (x86)\Windows Mail\wab.exe"
      2⤵
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2480-4-0x000007FEF5F3E000-0x000007FEF5F3F000-memory.dmp

    Filesize

    4KB

  • memory/2480-5-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

    Filesize

    2.9MB

  • memory/2480-7-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

    Filesize

    9.6MB

  • memory/2480-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

    Filesize

    32KB

  • memory/2480-8-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

    Filesize

    9.6MB

  • memory/2480-9-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

    Filesize

    9.6MB

  • memory/2480-10-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

    Filesize

    9.6MB

  • memory/2480-11-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

    Filesize

    9.6MB

  • memory/2480-13-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-14-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB