Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09-07-2020 14:27

General

  • Target

    Memorandum.exe

  • Size

    654KB

  • MD5

    6ee086f9280e9b6dd55baeb5d247b8fc

  • SHA1

    5492172488c392f929acb9b7cd775f940841eff0

  • SHA256

    5749af95d51ba8e5d08b5724c8806a4e9fdd137ad4424ca2dd6f025a2662b421

  • SHA512

    922be9587b623bae08f20eda65cc0ef7ce2960c3ebfee6a22709bf3976b0a1a553bcfd72fa7304b59bb1ba680d219537fe1c8bdd47c6833c039f3c09cd20b6e5

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Adds Run entry to policy start application 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Formbook

    Formbook is a data-stealing malware family that harvests credentials and other user data.

  • Suspicious behavior: MapViewOfSection 9 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Checks whether UAC is enabled
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\Memorandum.exe
      "C:\Users\Admin\AppData\Local\Temp\Memorandum.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      PID:1544
      • C:\Users\Admin\AppData\Local\Temp\Memorandum.exe
        "C:\Users\Admin\AppData\Local\Temp\Memorandum.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        PID:744
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:792
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:272
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:752
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:556
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:1108
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Drops file in Program Files directory
      • Adds Run entry to policy start application
      • Modifies Internet Explorer settings
      • Suspicious behavior: MapViewOfSection
      • System policy modification
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Memorandum.exe"
        3⤵
        • Deletes itself
        PID:1036
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder
    T1060 (1)
  • Defense Evasion: Modify Registry
    T1112 (3)
  • Credential Access: Credentials in Files
    T1081 (1)
  • Discovery: System Information Discovery
    T1082 (1)
  • Collection: Data from Local System
    T1005 (1)

Downloads

  • C:\Users\Admin\AppData\Roaming\79OQ87VU\79Ologim.jpeg
  • C:\Users\Admin\AppData\Roaming\79OQ87VU\79Ologrf.ini
  • C:\Users\Admin\AppData\Roaming\79OQ87VU\79Ologri.ini
  • C:\Users\Admin\AppData\Roaming\79OQ87VU\79Ologrv.ini
  • memory/744-1-0x000000000041E350-mapping.dmp
  • memory/744-0-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB
  • memory/1036-5-0x0000000000000000-mapping.dmp
  • memory/1228-2-0x0000000007810000-0x000000000790D000-memory.dmp
    Filesize: 1012KB
  • memory/1624-4-0x0000000000390000-0x00000000003A8000-memory.dmp
    Filesize: 96KB
  • memory/1624-9-0x0000000003B80000-0x0000000003CBB000-memory.dmp
    Filesize: 1.2MB
  • memory/1624-8-0x0000000074BB0000-0x0000000074CCD000-memory.dmp
    Filesize: 1.1MB
  • memory/1624-7-0x00000000750B0000-0x00000000750BC000-memory.dmp
    Filesize: 48KB
  • memory/1624-6-0x00000000007F0000-0x00000000008AC000-memory.dmp
    Filesize: 752KB
  • memory/1624-3-0x0000000000000000-mapping.dmp
  • memory/1988-10-0x0000000000000000-mapping.dmp
  • memory/1988-11-0x000000013FE20000-0x000000013FEB3000-memory.dmp
    Filesize: 588KB