Overview

overview

10

Static

static

Scan Document 01.exe

windows7_x64

10

Scan Document 01.exe

windows10_x64

10

Resubmissions

17-01-2021 18:09

210117-vq3vkllags 10

14-01-2021 20:24

210114-j3px9tn942 10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-01-2021 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan Document 01.exe

  • Size

    435KB

  • MD5

    47a3b1f5f7a8f5d342654a4e351d62ea

  • SHA1

    e94eca6012b651847bfb4212c21c989041d1438e

  • SHA256

    196b4470cd98c4f6d5c634170a1c6a98cf59b61c9b12a032ec9fb776b74a0527

  • SHA512

    d4f4b0064830a0091a9ed070f9e43c0abb768d1fc4bf6d5a9589f2ce3b4a0908125264233a53119c914994474a30f628c04fbdb0361d2e8556094caebb0e303e

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.elevatedenterprizes.com/h3qo/

Decoy

dhflow.com

jyindex.com

ezcleanhandle.com

trungtamcongdong.online

simsprotectionagency.com

easylivemeet.com

blackvikingfashionhouse.com

52banxue.com

girlsinit.com

drhemo.com

freethefarmers.com

velvetrosephotography.com

geometricbotaniclas.com

skyandspirit.com

deltacomunicacao.com

mucademy.com

jaboilfieldsolutions.net

howtowinatblackjacknow.com

anytimegrowth.com

simranluthra.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 194 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\Scan Document 01.exe
      "C:\Users\Admin\AppData\Local\Temp\Scan Document 01.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Users\Admin\AppData\Local\Temp\Scan Document 01.exe
        "C:\Users\Admin\AppData\Local\Temp\Scan Document 01.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Scan Document 01.exe"
        3⤵
          PID:4000
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1544

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1544-15-0x0000000000000000-mapping.dmp
      Download
    • memory/2704-5-0x00000000006D0000-0x00000000006E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2704-4-0x0000000000D90000-0x00000000010B0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2704-7-0x00000000008B0000-0x00000000008C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2704-2-0x00000000005AD0E0-mapping.dmp
      Download
    • memory/2756-6-0x0000000002B70000-0x0000000002CD2000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2756-8-0x0000000006070000-0x0000000006145000-memory.dmp
      Filesize

      852KB

      Download
    • memory/2756-16-0x00000000067D0000-0x00000000068A8000-memory.dmp
      Filesize

      864KB

      Download
    • memory/2848-9-0x0000000000000000-mapping.dmp
      Download
    • memory/2848-13-0x00000000046B0000-0x00000000049D0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2848-14-0x0000000004A60000-0x0000000004AEF000-memory.dmp
      Filesize

      572KB

      Download
    • memory/2848-10-0x0000000000B30000-0x0000000000B57000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2848-11-0x0000000003000000-0x0000000003029000-memory.dmp
      Filesize

      164KB

      Download
    • memory/4000-12-0x0000000000000000-mapping.dmp
      Download