Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-11-2020 08:35

General

  • Target

    PO98765.exe

  • Size

    672KB

  • MD5

    137ec800f9c49390f2f225ab22774443

  • SHA1

    2f3f1a1615b625cb1daf8d1e4a3eba208a89e30d

  • SHA256

    60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96

  • SHA512

    41b84ea68ec7c2b9fd5205a1ce00fcbfbe03d82efb4ae7ca9030f643aae341ff32b23974a23db5f8c0fbb423b569e838c10da56f185cbf4e70f1c634e8b570ec

Malware Config

Extracted

Family

formbook

C2

http://www.firedoom.com/sbmh/

Decoy

edlasyarns.com

rettexo.com

friendlyksa.com

westhighlandwaytours.com

goudmarket.com

turkime.com

wellnysdirect.com

handydanny.net

ylccmakq.com

benefits-sherpa.com

sousolutions.net

lspcall.com

makgxoimisitzer.info

katrinarask.com

istanbulconsulter.net

mingjiaxuan.com

faculdadegraca.com

kikegbwebdesign.com

69ase.com

downrangedynamics.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook Payload 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Looks for VMWare Tools registry key 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Users\Admin\AppData\Local\Temp\PO98765.exe
      "C:\Users\Admin\AppData\Local\Temp\PO98765.exe"
      2⤵
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\PO98765.exe
        "C:\Users\Admin\AppData\Local\Temp\PO98765.exe"
        3⤵
          PID:844
        • C:\Users\Admin\AppData\Local\Temp\PO98765.exe
          "C:\Users\Admin\AppData\Local\Temp\PO98765.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1368
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:1540
        • C:\Windows\SysWOW64\NETSTAT.EXE
          "C:\Windows\SysWOW64\NETSTAT.EXE"
          2⤵
          • Suspicious use of SetThreadContext
          • Gathers network information
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2056
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\PO98765.exe"
            3⤵
              PID:936

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Execution

        Command-Line Interface

        1
        T1059

        Defense Evasion

        Virtualization/Sandbox Evasion

        2
        T1497

        Discovery

        Query Registry

        4
        T1012

        Virtualization/Sandbox Evasion

        2
        T1497

        System Information Discovery

        3
        T1082

        Peripheral Device Discovery

        1
        T1120

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/936-17-0x0000000000000000-mapping.dmp
        • memory/1124-9-0x0000000005D40000-0x0000000005DA5000-memory.dmp
          Filesize

          404KB

        • memory/1124-6-0x0000000004E00000-0x0000000004E01000-memory.dmp
          Filesize

          4KB

        • memory/1124-10-0x0000000005DC0000-0x0000000005DF0000-memory.dmp
          Filesize

          192KB

        • memory/1124-5-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
          Filesize

          4KB

        • memory/1124-11-0x0000000005EB0000-0x0000000005EB1000-memory.dmp
          Filesize

          4KB

        • memory/1124-7-0x0000000004F40000-0x0000000004F41000-memory.dmp
          Filesize

          4KB

        • memory/1124-8-0x0000000004E80000-0x0000000004E93000-memory.dmp
          Filesize

          76KB

        • memory/1124-1-0x00000000004A0000-0x00000000004A1000-memory.dmp
          Filesize

          4KB

        • memory/1124-4-0x00000000054B0000-0x00000000054B1000-memory.dmp
          Filesize

          4KB

        • memory/1124-3-0x00000000029C0000-0x00000000029C1000-memory.dmp
          Filesize

          4KB

        • memory/1124-0-0x0000000073CB0000-0x000000007439E000-memory.dmp
          Filesize

          6.9MB

        • memory/1368-12-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

        • memory/1368-13-0x000000000041ECD0-mapping.dmp
        • memory/2056-14-0x0000000000000000-mapping.dmp
        • memory/2056-15-0x0000000000E10000-0x0000000000E1B000-memory.dmp
          Filesize

          44KB

        • memory/2056-16-0x0000000000E10000-0x0000000000E1B000-memory.dmp
          Filesize

          44KB

        • memory/2056-18-0x00000000048F0000-0x0000000004A5D000-memory.dmp
          Filesize

          1.4MB