Overview

overview

10

Static

static

1

ijeonyi.com.exe

windows7_x64

10

ijeonyi.com.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    19-04-2021 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ijeonyi.com.exe

  • Size

    2.7MB

  • MD5

    a4c6ea4179cc3e52033866c2e100aa83

  • SHA1

    3d282d189f9b1920de79e4dd0aa36cc280f6b53e

  • SHA256

    1baad45cc119fef01aa0a48c0ea82a6dc10c3365d44984d50f94f25866063474

  • SHA512

    0519e921e35d85872f0e8b73a60efb108ab17c81bc1cdfcdc75e9df225ddf8fb6c8d262f63e0ff1f0efb76990808f102214db6f6239d38fd866a1c64130787f3

Score
10/10
formbookpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.hollandhousedesigns.design/vns/

Decoy

sparkspressworld.com

everydayresidency.com

thebosscollectionn.com

milkweedmagic.com

worklesshours.com

romeosfurnituremadera.com

unclepetesproduce.com

athleticamackay.com

9nhl.com

powellassetmanagement.com

jxlamp.com

onpointpetproducts.com

buymysoft.com

nazertrader.com

goprj.com

keeptalkservice.com

aolei1688.com

donstackl.com

almasorchids.com

pj5bwn.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 1 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\ijeonyi.com.exe
      "C:\Users\Admin\AppData\Local\Temp\ijeonyi.com.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:484
      • C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\FMPlayerLauncher.exe
        C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\FMPlayerLauncher.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2016
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:1056
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        2⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1092

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\FMPlayerLauncher.exe
        MD5

        419b47fd0246a2c73e62b198c1be0eaa

        SHA1

        76e7971057ed82638fc0811a8e36be458c24796f

        SHA256

        7f09dadd04613493aaafea8b13a7bea08d3f0db4a69a5abe540e90f8d344400f

        SHA512

        2c5724bcf716ebb58e84bd3fde916ab956a224bf711594d5b9f6aed819894733686c1d46f72e72a84330f06c25cd9ae5c4c0950bdf4fa3a93b6002a1adfa972e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\FMPlayerLauncher.exe
        MD5

        419b47fd0246a2c73e62b198c1be0eaa

        SHA1

        76e7971057ed82638fc0811a8e36be458c24796f

        SHA256

        7f09dadd04613493aaafea8b13a7bea08d3f0db4a69a5abe540e90f8d344400f

        SHA512

        2c5724bcf716ebb58e84bd3fde916ab956a224bf711594d5b9f6aed819894733686c1d46f72e72a84330f06c25cd9ae5c4c0950bdf4fa3a93b6002a1adfa972e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\config.ini
        MD5

        9ff41a15752595741c706e0920c3b6c0

        SHA1

        8e799616685c1ce15906c097b5e25c74197d7f7c

        SHA256

        e7ead82dd8a73f3ad08d41f7b0d173f966c9ea099158cbdbb4fbe309fc6141b8

        SHA512

        1df3437e5922de3f3bea416d0d766c1752e40dd23614700addbb63f7af9dfee0f4c3a2e447d9b9b5d137f34f9cbdb0d8ad5b29d2dc69b0673496356cc27fa3bc

        Download Submit
      • C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\libtag9.dll
        MD5

        a05c09ea0f3fd5dbdc528dbeb8815bb3

        SHA1

        9f19f5ee4af5f13efc35908d69a2b6e501878be3

        SHA256

        b4e4ab0157dc276773e416e92f9cd216d763d7f6fb1ba4fa5223b2a7ec47f2ff

        SHA512

        58f981e5b0a2f4f72b821718e637c1df9edc77df68aea20b0a1592f383f456107668ebe8bc49ab31f8004537fe33f595400ea5b70cb9ab878593534883c472bf

        Download Submit
      • C:\Users\Admin\AppData\Roaming\N3R349B2\N3Rlogim.jpeg
        MD5

        4cb93526b32aca2172484d04f7bdd1df

        SHA1

        117bcba73f87cfe40d91e3dca5bb4092ebb88348

        SHA256

        38ec575ee826efe44da44ac907db4ffab8f3ccac45a1386c7cf0e90271607d2f

        SHA512

        673e9cdb19b06f4a76d945d897a20f422f0ec1316321033d360d4024540d679a529e713b184be3005fabee45d3710acd95392fd8bd2757e7a9576af37fe386e4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\N3R349B2\N3Rlogrf.ini
        MD5

        2f245469795b865bdd1b956c23d7893d

        SHA1

        6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

        SHA256

        1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

        SHA512

        909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\N3R349B2\N3Rlogri.ini
        MD5

        d63a82e5d81e02e399090af26db0b9cb

        SHA1

        91d0014c8f54743bba141fd60c9d963f869d76c9

        SHA256

        eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

        SHA512

        38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

        Download Submit
      • C:\Users\Admin\AppData\Roaming\N3R349B2\N3Rlogrv.ini
        MD5

        ba3b6bc807d4f76794c4b81b09bb9ba5

        SHA1

        24cb89501f0212ff3095ecc0aba97dd563718fb1

        SHA256

        6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

        SHA512

        ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

        Download Submit
      • \Users\Admin\AppData\Roaming\FMPlayerSoftware\FMPlayerLauncher.exe
        MD5

        419b47fd0246a2c73e62b198c1be0eaa

        SHA1

        76e7971057ed82638fc0811a8e36be458c24796f

        SHA256

        7f09dadd04613493aaafea8b13a7bea08d3f0db4a69a5abe540e90f8d344400f

        SHA512

        2c5724bcf716ebb58e84bd3fde916ab956a224bf711594d5b9f6aed819894733686c1d46f72e72a84330f06c25cd9ae5c4c0950bdf4fa3a93b6002a1adfa972e

        Download Submit
      • \Users\Admin\AppData\Roaming\FMPlayerSoftware\libtag9.dll
        MD5

        a05c09ea0f3fd5dbdc528dbeb8815bb3

        SHA1

        9f19f5ee4af5f13efc35908d69a2b6e501878be3

        SHA256

        b4e4ab0157dc276773e416e92f9cd216d763d7f6fb1ba4fa5223b2a7ec47f2ff

        SHA512

        58f981e5b0a2f4f72b821718e637c1df9edc77df68aea20b0a1592f383f456107668ebe8bc49ab31f8004537fe33f595400ea5b70cb9ab878593534883c472bf

        Download Submit
      • memory/484-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/532-74-0x0000000000070000-0x0000000000084000-memory.dmp
        Filesize

        80KB

        Download
      • memory/532-72-0x0000000000000000-mapping.dmp
        Download
      • memory/532-75-0x00000000000F0000-0x000000000011E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/532-76-0x0000000002470000-0x0000000002773000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/532-77-0x0000000001FF0000-0x0000000002083000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1092-79-0x0000000000000000-mapping.dmp
        Download
      • memory/1092-80-0x000000013F5B0000-0x000000013F643000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1092-81-0x00000000012A0000-0x0000000001351000-memory.dmp
        Filesize

        708KB

        Download
      • memory/1196-78-0x0000000004A30000-0x0000000004BC2000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1196-71-0x0000000006D20000-0x0000000006E92000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/2016-70-0x00000000003C0000-0x00000000003D4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2016-69-0x0000000002A40000-0x0000000002D43000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/2016-62-0x0000000000000000-mapping.dmp
        Download