Overview

overview

10

Static

static

3

ce85ee918e...8f.exe

windows7-x64

10

ce85ee918e...8f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2024 23:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe

  • Size

    450KB

  • MD5

    cd005dbadf071616082e110600abc48d

  • SHA1

    c111f671078a2fc46ec46c501e96079cf97e10c7

  • SHA256

    ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f

  • SHA512

    d1960751778de17ee541669a51c0c7ea7a007af39fb5a957cb28f08d02819b08ce417c24e1f8b83e401ab2dd5cbd524b2ba1e1b83cf1d1f75291aff52b8af87c

  • SSDEEP

    12288:ifH22qla5w/yXbx+DbZ83FLDqqC5l/40PVc:ifH0MW/Ibx+DbZ83pqp5l/

Score
10/10
formbookpurecrypterfs44discoverydownloaderloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fs44

Decoy

whneat.com

jljcw.net

pocodelivery.com

outofplacezine.com

yavuzcansigorta.com

xinhewood-cn.com

cartogogh.com

5avis.com

joyceyong.art

digitalsurf.community

blackcreekbarns.com

magazinedistribuidor.com

sportsgross.com

drevom.online

mayibeofservice.com

gareloi-digit.com

permitha.net

renaissanceestetica.com

facts-r-friends.com

dach-loc.com

Signatures

  • Detect PureCrypter injector 1 IoCs
    loader
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • Purecrypter family
    purecrypter
  • Formbook payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe
    "C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 10
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\SysWOW64\timeout.exe
        timeout 10
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:4756
    • C:\Users\Admin\AppData\Local\Temp\Dtyjdrkcyvvjlatasks.exe
      "C:\Users\Admin\AppData\Local\Temp\Dtyjdrkcyvvjlatasks.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4068
    • C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe
      C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe
      2⤵
        PID:4832
      • C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe
        C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe
        2⤵
          PID:4924
        • C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe
          C:\Users\Admin\AppData\Local\Temp\ce85ee918e48a7c9a731c87109b9dbda0db744fe753412dad9397f670beebb8f.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1004

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Dtyjdrkcyvvjlatasks.exe
        Filesize

        72KB

        MD5

        e2c915e5f775cd76f53cab4eede03ba6

        SHA1

        2ec952debae802353c29098ca010244d8ff974b5

        SHA256

        19b271898408a5180f1d0d79fc9b316375edb63f509ae8eda49b73cdf8f83f74

        SHA512

        cfee769e8e029a1891a6d45ab92a681604dd6e0818794f03765122d4070c8b6edfa4ce5358fd7258629a6843f4d3b2a236fb04d8fea9f45769245ebbcf38d785

        Download Submit

      • memory/1004-28-0x00000000016C0000-0x0000000001A0A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1004-27-0x00000000016C0000-0x0000000001A0A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1004-24-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3900-6-0x000000007478E000-0x000000007478F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3900-4-0x0000000074780000-0x0000000074F30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3900-0-0x000000007478E000-0x000000007478F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3900-7-0x0000000074780000-0x0000000074F30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3900-8-0x0000000007370000-0x00000000073E0000-memory.dmp

        Filesize

        448KB

        Download

      • memory/3900-9-0x00000000073E0000-0x000000000742C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3900-5-0x0000000004E30000-0x0000000004E3A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3900-3-0x0000000004E60000-0x0000000004EF2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3900-26-0x0000000074780000-0x0000000074F30000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3900-2-0x0000000005370000-0x0000000005914000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3900-1-0x00000000003C0000-0x0000000000436000-memory.dmp

        Filesize

        472KB

        Download