Overview

overview

10

Static

static

3

სას�...��.exe

windows7-x64

10

სას�...��.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2024 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    სასწრაფო შესყიდვის ორდერი.exe

  • Size

    656KB

  • MD5

    2a40336c0118ebd499979f2ade0d182b

  • SHA1

    5e17d2b9740c55aa0d5a7d59b058d9ec624fa8a6

  • SHA256

    8ebfadee37467f95eab5405dbd6660ff7ff38f82fe61893ac9b03884a1099110

  • SHA512

    11d986a8d045e3aa688c23294eb2aa441856d8acb2c8118e5013869343919bbfca3382eded88ee784051a0ab8c5348ff35ad24b39ad94d6140e8c0fb4df02fa4

  • SSDEEP

    12288:bbMKRjIFdlfh+7nLNzA52h7O56CSQfZwrxTFoHNA2ZPbx8:bbMy8FdNh2npz7h7e6CS6TNNbx

Score
10/10
formbookde08discoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

de08

Decoy

retirecloudyyard.com

fabiyan.xyz

chrisarlyde.com

selapex.com

vivalosgales.com

specialty-medicine.com

contasesolucoes.com

satunusanews.net

allyibc.com

alameda1876.com

artofdala.com

yukoidusp.xyz

steeldrumbandnearme.com

stonewedgetechnology.com

kentonai.com

macquarie-private.com

ddgwy.com

megagreenhousekits.com

descomplicaomarketing.com

inclusiverealtor.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 4 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Users\Admin\AppData\Local\Temp\სასწრაფო შესყიდვის ორდერი.exe
      "C:\Users\Admin\AppData\Local\Temp\სასწრაფო შესყიდვის ორდერი.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rydefoz.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3224
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rydefoz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp702A.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4756
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:5052
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4072
      • C:\Windows\SysWOW64\cmstp.exe
        "C:\Windows\SysWOW64\cmstp.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3164
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ij3cpq1j.av0.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp702A.tmp
      Filesize

      1KB

      MD5

      f27745bf5575928c3f5109912f791a79

      SHA1

      25dd4550e33bbcd5fc83d823b2db0b6de183ff50

      SHA256

      0272c0f2d1f65d581ad86a17df91030acdc04a67b23be3cd435481da9261401f

      SHA512

      ab9f96e88d18fc7abd34ce387a99d7e53b0d18881b9effaded3a40c2c3af951da93ea00eeec988d4089c9879d35310345b53f77d8be2d9051ff003420598cb8a

      Download Submit

    • memory/2232-8-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2232-11-0x00000000029C0000-0x0000000002A44000-memory.dmp

      Filesize

      528KB

      Download

    • memory/2232-4-0x0000000005150000-0x000000000515A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2232-5-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2232-6-0x00000000064E0000-0x000000000657C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2232-7-0x0000000006440000-0x0000000006456000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2232-29-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2232-9-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2232-10-0x00000000064C0000-0x00000000064CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2232-3-0x0000000005090000-0x0000000005122000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2232-15-0x000000000A5C0000-0x000000000A626000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2232-22-0x000000000A630000-0x000000000A668000-memory.dmp

      Filesize

      224KB

      Download

    • memory/2232-1-0x0000000000600000-0x00000000006AA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2232-2-0x0000000005790000-0x0000000005D34000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2232-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3164-77-0x0000000000460000-0x0000000000476000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3164-79-0x0000000000D20000-0x0000000000D4F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3224-28-0x0000000005880000-0x0000000005BD4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3224-67-0x0000000007550000-0x000000000755E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3224-24-0x0000000004F20000-0x0000000004F42000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3224-17-0x0000000004A40000-0x0000000004A76000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3224-23-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3224-18-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3224-21-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3224-19-0x0000000005210000-0x0000000005838000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3224-74-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3224-71-0x0000000007640000-0x0000000007648000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3224-70-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3224-44-0x0000000005FF0000-0x000000000600E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3224-45-0x0000000006010000-0x000000000605C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3224-46-0x000000007F930000-0x000000007F940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3224-47-0x00000000065E0000-0x0000000006612000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3224-48-0x00000000711E0000-0x000000007122C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3224-58-0x0000000006570000-0x000000000658E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3224-60-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3224-59-0x00000000071F0000-0x0000000007293000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3224-61-0x0000000007960000-0x0000000007FDA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3224-62-0x0000000007320000-0x000000000733A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3224-63-0x0000000007390000-0x000000000739A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3224-64-0x00000000075A0000-0x0000000007636000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3224-65-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3224-66-0x0000000007520000-0x0000000007531000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3224-25-0x00000000050D0000-0x0000000005136000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3224-68-0x0000000007560000-0x0000000007574000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3224-69-0x0000000007660000-0x000000000767A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3440-43-0x00000000082B0000-0x000000000840A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3440-78-0x00000000082B0000-0x000000000840A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3440-83-0x0000000002BD0000-0x0000000002CA9000-memory.dmp

      Filesize

      868KB

      Download

    • memory/4072-32-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4072-33-0x00000000015B0000-0x00000000015C4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4072-76-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4072-30-0x00000000010E0000-0x000000000142A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4072-26-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download