Overview

overview

10

Static

static

1

wise_depos...en.cmd

windows7-x64

10

wise_depos...en.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    25-06-2024 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wise_deposit_note__1114218690__3287491072__en.cmd

  • Size

    2.4MB

  • MD5

    42323f7609e2e5c56add77d01e27432f

  • SHA1

    e5262c46781a8c58aaee00a529ed7597dbb2b698

  • SHA256

    4cb31951ae2b4f8b86b532c25762252f28525f55061d8d09a356a9c8f12029b2

  • SHA512

    0814feee3013a4409c3171f30dc9d9d4ffe5626e6ba28a257163fa8f26380751fbd5ba7077e47e9bcd59d8b852b50822fb3383c9a6366b8619db7627d9ded44d

  • SSDEEP

    24576:IPHN8ur54cKt8AdV30Z3ZRYwVxrhWHmmV/MBm54hRCKxBJxsv:IPHSur5M8Ar30JnrQLMEBv

Score
10/10
formbookca63persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ca63

Decoy

themaxrichth.online

lhzshb.com

isacarrceramics.online

duhochanquoc.website

apexmedia.pro

33311.pro

x2mjbu8gg.shop

dashcreative.online

nifle.shop

hora.lol

rclrwa.asia

aviation-training-sqj.top

a9659a62.vip

uspgh.work

hhol5.top

jinkaida-cn.cn

watchwedding.com

728ym.lat

gillieron.swiss

bingsne.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 15 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\system32\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\System32\extrac32.exe
        C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
        3⤵
          PID:2000
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1984
          • C:\Windows\system32\extrac32.exe
            extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
            4⤵
              PID:2860
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd" "C:\\Users\\Public\\Audio.mp4" 9
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2456
            • C:\Users\Public\kn.exe
              C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd" "C:\\Users\\Public\\Audio.mp4" 9
              4⤵
              • Executes dropped EXE
              PID:2492
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2512
            • C:\Users\Public\kn.exe
              C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
              4⤵
              • Executes dropped EXE
              PID:2568
          • C:\Users\Public\Libraries\Audio.pif
            C:\Users\Public\Libraries\Audio.pif
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2768
            • C:\Users\Public\Libraries\yrblzjxP.pif
              C:\Users\Public\Libraries\yrblzjxP.pif
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2844
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 36
                5⤵
                • Loads dropped DLL
                • Program crash
                PID:1008
            • C:\Windows\SysWOW64\extrac32.exe
              C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Pxjzlbry.PIF
              4⤵
                PID:1768
              • C:\Windows\SysWOW64\colorcpl.exe
                C:\Windows\System32\colorcpl.exe
                4⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                PID:2264
            • C:\Users\Public\alpha.exe
              C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
              3⤵
              • Executes dropped EXE
              PID:2488
            • C:\Users\Public\alpha.exe
              C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
              3⤵
              • Executes dropped EXE
              PID:2480
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\SysWOW64\netsh.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1900
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Windows\SysWOW64\colorcpl.exe"
              3⤵
                PID:744

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Public\Audio.mp4
            Filesize

            1.7MB

            MD5

            19c1e12dd929495409539244b0ed93c7

            SHA1

            4cfa1823732b5b7357ddb1932d3b1547c7227619

            SHA256

            26de6e62d11c5b463d2077c56f11c4bfddaa8e83200ab1facc29e478e15f11ff

            SHA512

            6b09493e2a26f8aa43e2cf34ab5973b7ab28b6ab95ad014d767bb7b4f9bb541c12f013a53c42b9f8931a304105f7da486b51749c453021d234303336fd82a2b4

            Download Submit
          • C:\Users\Public\Libraries\Audio.pif
            Filesize

            890KB

            MD5

            a0af268716f0954964b48a4ac5c44b08

            SHA1

            f80f8c5083002d8e9484a45d21221e5c7f0160dc

            SHA256

            8d49b42445b075555360a8809710d34bc35d8658ced4ed1a062b6d4c2e7be2e6

            SHA512

            3f6588e1b76450cd72711b505ff81072f7055de76abcd5dab5bcc03d7a91b214422152f470ff8ffce73cbe8501e75dff6dd60371ebf7da7a6927741c09279692

            Download Submit
          • C:\Users\Public\kn.exe
            Filesize

            1.1MB

            MD5

            ec1fd3050dbc40ec7e87ab99c7ca0b03

            SHA1

            ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

            SHA256

            1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

            SHA512

            4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

            Download Submit
          • \Users\Public\Libraries\yrblzjxP.pif
            Filesize

            66KB

            MD5

            c116d3604ceafe7057d77ff27552c215

            SHA1

            452b14432fb5758b46f2897aeccd89f7c82a727d

            SHA256

            7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

            SHA512

            9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

            Download Submit
          • \Users\Public\alpha.exe
            Filesize

            337KB

            MD5

            5746bd7e255dd6a8afa06f7c42c1ba41

            SHA1

            0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

            SHA256

            db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

            SHA512

            3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

            Download Submit
          • memory/1096-74-0x00000000077F0000-0x0000000007981000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/1900-63-0x0000000001160000-0x000000000117B000-memory.dmp
            Filesize

            108KB

            Download
          • memory/1900-65-0x0000000000080000-0x00000000000AF000-memory.dmp
            Filesize

            188KB

            Download
          • memory/2264-59-0x00000000031B0000-0x00000000041B0000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/2264-62-0x00000000031B0000-0x00000000041B0000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/2768-34-0x0000000000400000-0x00000000004E7000-memory.dmp
            Filesize

            924KB

            Download
          • memory/2844-44-0x0000000000400000-0x0000000001400000-memory.dmp
            Filesize

            16.0MB

            Download
          • memory/2844-47-0x0000000000400000-0x000000000041A000-memory.dmp
            Filesize

            104KB

            Download