Overview

overview

10

Static

static

10

PURCHASE ORDER.exe

windows7_x64

10

PURCHASE ORDER.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PURCHASE ORDER.exe

  • Size

    378KB

  • MD5

    c284f72d5a76d0ff86ed2c35c74ebe89

  • SHA1

    ceeae846adc4e2f121f601c7d3cf13a1b9ebff33

  • SHA256

    916badee0304605bfd8e43c11179fb975d094226a432eeb28af55dc9be426c24

  • SHA512

    240b5096045ba660bddf27f0ff26031a99b5ecf005094ad91df019ad7b832a64102b009a7d1187bd946951912730108469c36b37a2925596a641a7becf2d9469

Score
10/10
formbookevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.mansiobok3.info/ch62/

Decoy

priceground.com

protmaxvigilancia.com

allyboom.com

calimerkids.com

behproject.com

everxs.com

peertopeervaluetrading.com

asosdiscountscode.com

supersoloblitz.com

allindiaexpo.com

mountainpunks.com

lawberrys.com

myinsuranceclaimconsultants.com

autoberles.center

xn--circuitomioulla-7qb.com

beheartratemonitoringkey.live

bigcitypillows.com

tresriosresortoffers.com

ratmanrodentremoval.com

fujiaseed.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
      "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
      2⤵
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3960
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3860
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
        3⤵
          PID:792

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    2
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\9L5A8AD1\9L5logim.jpeg
      MD5

      9ee605354ae0bae20a89baa5796dbab2

      SHA1

      3767c14c3a3add02dcc6d9c60a63d80bc480c6bc

      SHA256

      db45c23743d78f05a7ae07a5fb20730f18ef4d1a86a156d85112142aaa9c73be

      SHA512

      e8679a50c75f7f74a6c830375752186f0495bd151cb9cd7fa7ac49a174566f98cd66eb796b52b88759fe484fb5e282fc6f6cca9d127ccdea8e07b03af72d2f2f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\9L5A8AD1\9L5logri.ini
      MD5

      d63a82e5d81e02e399090af26db0b9cb

      SHA1

      91d0014c8f54743bba141fd60c9d963f869d76c9

      SHA256

      eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

      SHA512

      38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

      Download Submit
    • C:\Users\Admin\AppData\Roaming\9L5A8AD1\9L5logrv.ini
      MD5

      bbc41c78bae6c71e63cb544a6a284d94

      SHA1

      33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

      SHA256

      ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

      SHA512

      0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

      Download Submit
    • memory/792-9-0x0000000000000000-mapping.dmp
      Download
    • memory/3860-6-0x0000000000000000-mapping.dmp
      Download
    • memory/3860-7-0x0000000000D00000-0x0000000000D16000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3860-8-0x0000000000D00000-0x0000000000D16000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3860-10-0x0000000005460000-0x00000000055EA000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3960-3-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/3960-4-0x000000000041B6D0-mapping.dmp
      Download