Overview

overview

10

Static

static

3

0rderD4ER18jd.exe

windows7-x64

10

0rderD4ER18jd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2024 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0rderD4ER18jd.exe

  • Size

    444KB

  • MD5

    3e7db94077f8a289fe1676cd4bbc09ef

  • SHA1

    dad79b2bdeea126658c5fcb0f42850589d6ce92d

  • SHA256

    bd4d161a4d284fe71f101a6a68a3159a3cee958e42d53d1f140aeb1db52933f8

  • SHA512

    c8e26baed0c72db6c2a8b2903fa9469b3e803ef0f4f58996f841a73f75705be79ee67ea2b4cc14ea4de528a67a32017880fb6647b64261b2fd301711806bbde6

  • SSDEEP

    6144:AI3i64S3XFpZTY1piDh8pbDQRDRjEzEqUXHhkmTC0wNONnOQTAjyKz7dFHm3l/J6:Z3fs7DuljpqIhkiiNvQ0BTmbA1

Score
10/10
formbookwt6discoveryevasionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wt6

Decoy

mdjbjsc.com

twosparrowslsbusiness.com

captipe.info

spirtofafrica.com

teacher4today.com

d9masks.com

americanveteransparks.com

originvinylvermont.com

lifeguardboat.net

neynunescuritiba.com

4activelife.xyz

tiniytie.com

schirmenworld.com

nogbeter.com

bikerm.com

higherpurposeproject.com

melloband.com

cremgrs.com

chengyuanwai.com

multiplewealthsecrets.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Formbook payload 3 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Users\Admin\AppData\Local\Temp\0rderD4ER18jd.exe
      "C:\Users\Admin\AppData\Local\Temp\0rderD4ER18jd.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Windows security modification
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:860
      • C:\Users\Admin\AppData\Local\Temp\0rderD4ER18jd.exe
        "C:\Users\Admin\AppData\Local\Temp\0rderD4ER18jd.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:5048
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\0rderD4ER18jd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rakc2odp.xmi.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/860-33-0x00000000076D0000-0x0000000007702000-memory.dmp

    Filesize

    200KB

    Download

  • memory/860-47-0x0000000007710000-0x00000000077B3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/860-35-0x0000000070AB0000-0x0000000070AFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/860-45-0x0000000006AF0000-0x0000000006B0E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/860-46-0x0000000075230000-0x00000000759E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/860-59-0x0000000075230000-0x00000000759E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/860-56-0x0000000007B60000-0x0000000007B68000-memory.dmp

    Filesize

    32KB

    Download

  • memory/860-55-0x0000000007B80000-0x0000000007B9A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/860-54-0x0000000007A80000-0x0000000007A94000-memory.dmp

    Filesize

    80KB

    Download

  • memory/860-53-0x0000000007A70000-0x0000000007A7E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/860-52-0x0000000007A40000-0x0000000007A51000-memory.dmp

    Filesize

    68KB

    Download

  • memory/860-51-0x0000000007AC0000-0x0000000007B56000-memory.dmp

    Filesize

    600KB

    Download

  • memory/860-13-0x0000000004F70000-0x0000000004FA6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/860-14-0x0000000075230000-0x00000000759E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/860-16-0x0000000005760000-0x0000000005D88000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/860-15-0x0000000075230000-0x00000000759E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/860-17-0x0000000005450000-0x0000000005472000-memory.dmp

    Filesize

    136KB

    Download

  • memory/860-19-0x00000000056D0000-0x0000000005736000-memory.dmp

    Filesize

    408KB

    Download

  • memory/860-20-0x0000000075230000-0x00000000759E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/860-18-0x00000000054F0000-0x0000000005556000-memory.dmp

    Filesize

    408KB

    Download

  • memory/860-50-0x00000000078B0000-0x00000000078BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/860-30-0x0000000005ED0000-0x0000000006224000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/860-31-0x0000000006530000-0x000000000654E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/860-32-0x00000000065B0000-0x00000000065FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/860-34-0x0000000075230000-0x00000000759E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/860-49-0x0000000007840000-0x000000000785A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/860-48-0x0000000007E90000-0x000000000850A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3348-62-0x0000000075230000-0x00000000759E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3348-7-0x0000000075230000-0x00000000759E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3348-5-0x0000000005860000-0x000000000586A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3348-3-0x0000000005F30000-0x00000000064D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3348-0-0x000000007523E000-0x000000007523F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3348-1-0x0000000000E20000-0x0000000000E94000-memory.dmp

    Filesize

    464KB

    Download

  • memory/3348-12-0x0000000006700000-0x0000000006736000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3348-11-0x0000000005EE0000-0x0000000005F36000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3348-10-0x0000000075230000-0x00000000759E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3348-9-0x000000007523E000-0x000000007523F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3348-8-0x0000000005880000-0x0000000005888000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3348-4-0x0000000005980000-0x0000000005A12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3348-6-0x0000000005A20000-0x0000000005A76000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3348-2-0x00000000058E0000-0x000000000597C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3452-80-0x00000000080D0000-0x00000000081F4000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3452-76-0x00000000079A0000-0x0000000007A65000-memory.dmp

    Filesize

    788KB

    Download

  • memory/3452-72-0x0000000002780000-0x0000000002849000-memory.dmp

    Filesize

    804KB

    Download

  • memory/3452-67-0x0000000002780000-0x0000000002849000-memory.dmp

    Filesize

    804KB

    Download

  • memory/3452-71-0x00000000079A0000-0x0000000007A65000-memory.dmp

    Filesize

    788KB

    Download

  • memory/4528-75-0x0000000000060000-0x000000000006A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4528-73-0x0000000000060000-0x000000000006A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5048-60-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5048-69-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5048-70-0x0000000003690000-0x00000000036A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/5048-66-0x0000000001DE0000-0x0000000001DF4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/5048-63-0x0000000001990000-0x0000000001CDA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5048-65-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download