Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25-06-2024 17:13

General

  • Target

    wise_deposit_note__1114218690__3287491072__en.cmd

  • Size

    2.4MB

  • MD5

    42323f7609e2e5c56add77d01e27432f

  • SHA1

    e5262c46781a8c58aaee00a529ed7597dbb2b698

  • SHA256

    4cb31951ae2b4f8b86b532c25762252f28525f55061d8d09a356a9c8f12029b2

  • SHA512

    0814feee3013a4409c3171f30dc9d9d4ffe5626e6ba28a257163fa8f26380751fbd5ba7077e47e9bcd59d8b852b50822fb3383c9a6366b8619db7627d9ded44d

  • SSDEEP

    24576:IPHN8ur54cKt8AdV30Z3ZRYwVxrhWHmmV/MBm54hRCKxBJxsv:IPHSur5M8Ar30JnrQLMEBv

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    ca63
  • Decoy
    themaxrichth.online
    lhzshb.com
    isacarrceramics.online
    duhochanquoc.website
    apexmedia.pro
    33311.pro
    x2mjbu8gg.shop
    dashcreative.online
    nifle.shop
    hora.lol
    rclrwa.asia
    aviation-training-sqj.top
    a9659a62.vip
    uspgh.work
    hhol5.top
    jinkaida-cn.cn
    watchwedding.com
    728ym.lat
    gillieron.swiss
    bingsne.online

Signatures

  • Formbook

    Formbook is a data-stealing malware family (information stealer).

  • Formbook payload 3 IoCs
  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\System32\extrac32.exe
        C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
        3⤵
          PID:3904
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:648
          • C:\Windows\system32\extrac32.exe
            extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
            4⤵
              PID:800
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd" "C:\\Users\\Public\\Audio.mp4" 9
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1480
            • C:\Users\Public\kn.exe
              C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\wise_deposit_note__1114218690__3287491072__en.cmd" "C:\\Users\\Public\\Audio.mp4" 9
              4⤵
              • Executes dropped EXE
              PID:1856
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3780
            • C:\Users\Public\kn.exe
              C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
              4⤵
              • Executes dropped EXE
              PID:1684
          • C:\Users\Public\Libraries\Audio.pif
            C:\Users\Public\Libraries\Audio.pif
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1544
            • C:\Users\Public\Libraries\yrblzjxP.pif
              C:\Users\Public\Libraries\yrblzjxP.pif
              4⤵
              • Executes dropped EXE
              PID:4032
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 224
                5⤵
                • Program crash
                PID:4284
            • C:\Windows\SysWOW64\extrac32.exe
              C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Pxjzlbry.PIF
              4⤵
                PID:2132
              • C:\Windows\SysWOW64\colorcpl.exe
                C:\Windows\System32\colorcpl.exe
                4⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                PID:3348
            • C:\Users\Public\alpha.exe
              C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
              3⤵
              • Executes dropped EXE
              PID:4760
            • C:\Users\Public\alpha.exe
              C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
              3⤵
              • Executes dropped EXE
              PID:1764
          • C:\Windows\SysWOW64\NETSTAT.EXE
            "C:\Windows\SysWOW64\NETSTAT.EXE"
            2⤵
            • Suspicious use of SetThreadContext
            • Gathers network information
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3188
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Windows\SysWOW64\colorcpl.exe"
              3⤵
                PID:1012
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4032 -ip 4032
            1⤵
              PID:3336
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4324 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:3644

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    Command and Scripting Interpreter (1) T1059
  • Persistence
    Boot or Logon Autostart Execution (1) T1547
    Registry Run Keys / Startup Folder (1) T1547.001
  • Privilege Escalation
    Boot or Logon Autostart Execution (1) T1547
    Registry Run Keys / Startup Folder (1) T1547.001
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    System Information Discovery (1) T1082


Downloads

  • C:\Users\Public\Audio.mp4
    Filesize 1.7MB
    MD5 19c1e12dd929495409539244b0ed93c7
    SHA1 4cfa1823732b5b7357ddb1932d3b1547c7227619
    SHA256 26de6e62d11c5b463d2077c56f11c4bfddaa8e83200ab1facc29e478e15f11ff
    SHA512 6b09493e2a26f8aa43e2cf34ab5973b7ab28b6ab95ad014d767bb7b4f9bb541c12f013a53c42b9f8931a304105f7da486b51749c453021d234303336fd82a2b4

  • C:\Users\Public\Libraries\Audio.pif
    Filesize 890KB
    MD5 a0af268716f0954964b48a4ac5c44b08
    SHA1 f80f8c5083002d8e9484a45d21221e5c7f0160dc
    SHA256 8d49b42445b075555360a8809710d34bc35d8658ced4ed1a062b6d4c2e7be2e6
    SHA512 3f6588e1b76450cd72711b505ff81072f7055de76abcd5dab5bcc03d7a91b214422152f470ff8ffce73cbe8501e75dff6dd60371ebf7da7a6927741c09279692

  • C:\Users\Public\Libraries\yrblzjxP.pif
    Filesize 66KB
    MD5 c116d3604ceafe7057d77ff27552c215
    SHA1 452b14432fb5758b46f2897aeccd89f7c82a727d
    SHA256 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
    SHA512 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

  • C:\Users\Public\alpha.exe
    Filesize 283KB
    MD5 8a2122e8162dbef04694b9c3e0b6cdee
    SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
    SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
    SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

  • C:\Users\Public\kn.exe
    Filesize 1.6MB
    MD5 bd8d9943a9b1def98eb83e0fa48796c2
    SHA1 70e89852f023ab7cde0173eda1208dbb580f1e4f
    SHA256 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
    SHA512 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

  • memory/1544-28-0x0000000000400000-0x00000000004E7000-memory.dmp
    Filesize 924KB

  • memory/3188-51-0x00000000000A0000-0x00000000000AB000-memory.dmp
    Filesize 44KB

  • memory/3188-52-0x0000000000700000-0x000000000072F000-memory.dmp
    Filesize 188KB

  • memory/3348-46-0x0000000004E90000-0x0000000005E90000-memory.dmp
    Filesize 16.0MB

  • memory/3348-50-0x0000000004E90000-0x0000000005E90000-memory.dmp
    Filesize 16.0MB

  • memory/3364-56-0x00000000085C0000-0x00000000086BD000-memory.dmp
    Filesize 1012KB

  • memory/4032-32-0x0000000000400000-0x0000000001400000-memory.dmp
    Filesize 16.0MB

  • memory/4032-36-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize 104KB