Overview

overview

10

Static

static

3

invoice copypdf.exe

windows7-x64

10

invoice copypdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-06-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice copypdf.exe

  • Size

    408KB

  • MD5

    d9ae02ae949ec2aba95cda647fe09240

  • SHA1

    3858a6e45d0031fcbd9081dee453fdf196cc95a4

  • SHA256

    75a0f38d45e726a70992f82304bfb85b127c37e591c02c59fe5750d308a95bd6

  • SHA512

    f724c3ab608fdd6393147a2534d035b2211848efc091bcf73fb20ef2476a1705df9a423ccfe732903b8ed4fd6bef1d361e9881d5c767089ae2f5377049c97a46

  • SSDEEP

    12288:KnzmVzil201tDwa2rGcLSY5ndlqChvqeA:KnzmVzK5S0cLSY5ndlqov

Score
10/10
formbookmnfratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mnf

Decoy

freeedomfencemn.com

corse-pollens.com

gellyc.com

mindplusgrind.com

gzrikang.com

horukac.com

aswaqina.com

lawofficeofjimhankey.com

everyoneshoroscope.com

freisaq.com

khimyoga.com

usmarketingdigital.com

artistagospel.com

stop-moskitos.com

sertecbasicos.com

mvmontessori.net

duke-a-website.com

arcaneunlocked.com

turnershydrographics.com

bipbopbling.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe
      "C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nojDVIgkBT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4968.tmp"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4792
      • C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe
        "C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:452
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe"
        3⤵
          PID:1760

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp4968.tmp
      Filesize

      1KB

      MD5

      c00315c498001409003f3ec3ea642a6e

      SHA1

      4f4bce4a09e88ef241b4e5c0037d584bea878c2d

      SHA256

      82f9fcaa11f261d144fe92861c9cd0d4d7ee5e788a4db716e3e814d3eecb23c1

      SHA512

      361cf3290b52e682f8e35e493b222c6e00387b681fc0869330567710b44ec87336964cb6c20af45c8488ec385cd41f4830bceaa913a044c2394cd07396f40e5b

      Download Submit
    • memory/452-15-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/452-10-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/452-13-0x0000000001710000-0x0000000001A5A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/452-16-0x0000000001220000-0x0000000001234000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3460-28-0x0000000008000000-0x0000000008119000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3460-25-0x0000000008000000-0x0000000008119000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3460-23-0x0000000008000000-0x0000000008119000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3460-21-0x0000000007EA0000-0x0000000007FF1000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3460-17-0x0000000007EA0000-0x0000000007FF1000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3936-4-0x0000000074B92000-0x0000000074B93000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-12-0x0000000074B90000-0x0000000075141000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3936-0-0x0000000074B92000-0x0000000074B93000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-3-0x0000000074B90000-0x0000000075141000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3936-2-0x0000000074B90000-0x0000000075141000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3936-1-0x0000000074B90000-0x0000000075141000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3944-19-0x0000000000DC0000-0x0000000000DE7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/3944-18-0x0000000000DC0000-0x0000000000DE7000-memory.dmp
      Filesize

      156KB

      Download