Overview

overview

10

Static

static

3

payment.exe

windows7-x64

10

payment.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2025 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment.exe

  • Size

    707KB

  • MD5

    23abe3c84b5db078cf92723357670b30

  • SHA1

    ed9dd2816ee1f01252f0221e1bf717a531440475

  • SHA256

    7a4b80b6d3ea4ca73224197f7d85d763dd953826978cdc30c6e75fb298cfb5ab

  • SHA512

    cab42f389efe9faee486d58d31684d79fd7a3f42c0cee5125f4e6b0dd4d72aa94f97cca167eeb42612363cad9679f21a2986cb97a7673d2266cdf05b7b4c3eb6

  • SSDEEP

    12288:TF0dkI8Xp4gnV2v8gWfRhkMpCof0xrQ53Ms8a+U/gSaE55BO3Uug1o474q7:TudexQ8PfLJRf0FQ53S1NSHjzuU+

Score
10/10
formbooka01ddiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Users\Admin\AppData\Local\Temp\payment.exe
      "C:\Users\Admin\AppData\Local\Temp\payment.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4604
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cieYBQwi.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cieYBQwi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBEEB.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3732
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4320
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    8ca68eab0810672c6a73d3294fcb7905

    SHA1

    937b406d8f14b04548f894fbe36778df06a0670a

    SHA256

    099a90123831f358c118c544e2c91b8fd03fe6a9bc6220d91fca41a2ddb0e14d

    SHA512

    6189fa3206ea551a6dcd4a083b4bc79e18f3634ca5d795f4c491ed244cd19643b5ef83165f62fa98b7d1713d8f9961148cd9e1a6fb5110819e24d17fc6605676

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fr3rrp1n.di3.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBEEB.tmp
    Filesize

    1KB

    MD5

    11a2739f58890c33f9eaebde2aaa924c

    SHA1

    2a1783a27624b73ca57903f916c98bb7478eae02

    SHA256

    2a6a25e518658ef2cca998df1a2149394a53632f0915b4fc62e5299ed85dcc12

    SHA512

    6a300fed2358e48ea551d5c2f6b5b68d1d87a8b64606790c13797cc84ca187eae3443b5adc38926292f3349860a783e41e7c193aa528b9d2da4b763f81e503a0

    Download Submit

  • memory/1200-81-0x00000000007C0000-0x00000000007E7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/1200-93-0x0000000000990000-0x00000000009BF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1488-88-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1488-83-0x0000000007A90000-0x0000000007AA4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1488-84-0x0000000007B90000-0x0000000007BAA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1488-80-0x0000000007A50000-0x0000000007A61000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1488-79-0x0000000007AD0000-0x0000000007B66000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1488-75-0x0000000007510000-0x00000000075B3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1488-64-0x00000000074E0000-0x00000000074FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1488-53-0x00000000074A0000-0x00000000074D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1488-54-0x000000006FE10000-0x000000006FE5C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1488-37-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1488-85-0x0000000007B70000-0x0000000007B78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1488-25-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1488-31-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2560-12-0x00000000033D0000-0x0000000003448000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2560-52-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2560-11-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2560-1-0x0000000000F10000-0x0000000000FC8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2560-2-0x0000000005F60000-0x0000000006504000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2560-3-0x0000000005A50000-0x0000000005AE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2560-4-0x0000000005AF0000-0x0000000005E44000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2560-9-0x00000000088C0000-0x00000000088E6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2560-5-0x0000000005A30000-0x0000000005A3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2560-6-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2560-10-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-7-0x00000000065B0000-0x000000000664C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2560-8-0x00000000087E0000-0x000000000888E000-memory.dmp

    Filesize

    696KB

    Download

  • memory/2560-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3424-97-0x0000000008470000-0x00000000085CA000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4320-47-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4604-50-0x0000000006ED0000-0x0000000006F1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4604-18-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4604-78-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4604-76-0x00000000082B0000-0x000000000892A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4604-65-0x000000006FE10000-0x000000006FE5C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4604-17-0x0000000003030000-0x0000000003066000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4604-82-0x0000000007E80000-0x0000000007E8E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4604-77-0x0000000007C50000-0x0000000007C6A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4604-48-0x0000000006930000-0x000000000694E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4604-23-0x0000000005A00000-0x0000000005A66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4604-19-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4604-20-0x0000000005AE0000-0x0000000006108000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4604-21-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4604-92-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4604-22-0x0000000005960000-0x0000000005982000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4604-24-0x0000000006210000-0x0000000006276000-memory.dmp

    Filesize

    408KB

    Download