Overview

overview

10

Static

static

3

updated or...df.exe

windows7-x64

10

updated or...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-01-2025 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    updated order00pdf.exe

  • Size

    694KB

  • MD5

    3eb2ceb99c3ef6893ace27ea06be4cfa

  • SHA1

    c0d1da3207d947f99c1809cf94055adbdde7c3d7

  • SHA256

    28a65019d2736dd82fdb229c9e6f5ff053c25e095d118ae03359238f44ba22d7

  • SHA512

    6e9d570a4e5e20a2d0acd3fd4beebc872238e99aec72a747b3aec809c46f4a26dd651d39be69026f4d061a66d515e131ae830e663104d688fb0841f2b4fe4158

  • SSDEEP

    12288:eQFtq5Aai1/mnTesWGrzVXxBEgqO/kCerVYuVH3Uv2Hd9:eMq5Aai10mMzJkjxD2sd9

Score
10/10
formbooka02ddiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a02d

Decoy

coplus.market

oofing-jobs-74429.bond

healchemists.xyz

oofcarpenternearme-jp.xyz

enewebsolutions.online

harepoint.legal

88977.club

omptables.xyz

eat-pumps-31610.bond

endown.graphics

amsexgirls.website

ovevibes.xyz

u-thiensu.online

yblinds.xyz

rumpchiefofstaff.store

erzog.fun

rrm.lat

agiclime.pro

agaviet59.shop

lbdoanhnhan.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\updated order00pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\updated order00pdf.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\updated order00pdf.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2876
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dVNcpHUEH.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2800
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dVNcpHUEH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA026.tmp"
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2716
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:392
          • C:\Windows\SysWOW64\autoconv.exe
            "C:\Windows\SysWOW64\autoconv.exe"
            4⤵
              PID:2372

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpA026.tmp
        Filesize

        1KB

        MD5

        2c6216a0d0966bd2816724ae74831022

        SHA1

        61db3944eb988cf1564a0be20c7c3d04f02d5bef

        SHA256

        0e8756b09f3f46354df854db509ecacd98c9cc03ebf8d5494667231542005763

        SHA512

        07c22a561d0848c71a38c7705231384c008cf693e253d96e11c8a80a7be733f5861a794ba75f57e67b95992b56644a610739a49d7fc48728014025012109f77a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        04be1b8c5244dba2bc70d7e7647ace3d

        SHA1

        1af8503a5e053103cd7c7b9d9f5a1ad9510509db

        SHA256

        47ad7c92bc9adbe0baa11291c318f3f4c3756f787731527077d94514bccb6342

        SHA512

        684247fe01de80ea0c5a336102a7bb7cc0cca1bee40e0e634c67d9741a8c383f0d643036475c75cd6a644b07330cde23ca405880dde3dfb11f832aca2abbfaa0

        Download Submit

      • memory/392-21-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/392-19-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/392-28-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/392-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/392-24-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1280-29-0x0000000006BB0000-0x0000000006CD9000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1280-27-0x00000000002A0000-0x00000000003A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1680-6-0x0000000004320000-0x000000000439A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/1680-1-0x0000000000B40000-0x0000000000BF4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/1680-2-0x0000000073F60000-0x000000007464E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1680-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1680-25-0x0000000073F60000-0x000000007464E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1680-3-0x0000000000570000-0x000000000058E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1680-5-0x0000000073F60000-0x000000007464E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1680-4-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

        Filesize

        4KB

        Download