Overview

overview

10

Static

static

3

M12464.exe

windows7-x64

10

M12464.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2024 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    M12464.exe

  • Size

    743KB

  • MD5

    b3055c75b563421ec8cc8ec1f4ef8390

  • SHA1

    4414bb16c23fd366404549b06f4d167aa1e86109

  • SHA256

    4af0929bd0f58119fc1d0a81205f20e32411d76eedca5bc5a3547cb9707a0f50

  • SHA512

    0343b4e8940f782839e8173152563397a9c8c6c450f372b02e127b37ac8173209e9843c181556865584bb12abc181895efae4e08a2e48bc2d08e80704f77b545

  • SSDEEP

    12288:wnCb+eCSmttm1P+jXIrBz1HwN2MIKLD4eRV8HenDqfHMHTlsp9byUdOUR0:wuC7tR2XHbMR0UVWfMzlspx9dtR0

Score
10/10
formbookhy29discoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy29

Decoy

obswell.online

etflix.luxury

ulunguwethu.store

ulbcenter.shop

nswering-service-mi-de-tt.click

upport-marketplace84.click

wepxbd163.lat

mplants-doctors.today

aofexf90yj.top

hermodynamic.space

dfg3n489.cyou

off.gay

alkak.cam

ijanarko.net

7tl.site

yaanincma.store

ires-47022.bond

elek4dalt77.xyz

foxsakepeople.online

ndefeatedqs.shop

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\M12464.exe
        "C:\Users\Admin\AppData\Local\Temp\M12464.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JRDVLXiqHJ.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2628
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JRDVLXiqHJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB432.tmp"
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2584
        • C:\Users\Admin\AppData\Local\Temp\M12464.exe
          "C:\Users\Admin\AppData\Local\Temp\M12464.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2024
          • C:\Windows\SysWOW64\raserver.exe
            "C:\Windows\SysWOW64\raserver.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1708
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\M12464.exe"
              5⤵
              • Deletes itself
              • System Location Discovery: System Language Discovery
              PID:2552

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpB432.tmp
      Filesize

      1KB

      MD5

      db5d8e0fce91b187f897fea364288426

      SHA1

      36fbfec592fca3bc08d0bfb40036ad352b37e215

      SHA256

      24c7e1771d20103facd5f49e1dca32b09ea955ece80308fd9d4b055415812992

      SHA512

      6aea6ec06e67d58b0f3ae5558d45119ed412ca884995c5dc30a80feff201925315152236d276e1429a29edc3a538f43cac83a9ef9a2beece6e2b73277240a44b

      Download Submit

    • memory/1192-26-0x00000000072E0000-0x000000000741B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1192-22-0x0000000003B30000-0x0000000003C30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1708-25-0x0000000000080000-0x00000000000AF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1708-24-0x0000000000590000-0x00000000005AC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2024-16-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2024-23-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2024-14-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2024-19-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2024-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-4-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-6-0x0000000005DA0000-0x0000000005E18000-memory.dmp

      Filesize

      480KB

      Download

    • memory/2728-20-0x0000000073F40000-0x000000007462E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2728-5-0x0000000073F40000-0x000000007462E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2728-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-3-0x00000000003A0000-0x00000000003BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2728-2-0x0000000073F40000-0x000000007462E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2728-1-0x0000000000E90000-0x0000000000F50000-memory.dmp

      Filesize

      768KB

      Download