Overview

overview

10

Static

static

1

ijeonyi.com.exe

windows7_x64

10

ijeonyi.com.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19-04-2021 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ijeonyi.com.exe

  • Size

    2.7MB

  • MD5

    a4c6ea4179cc3e52033866c2e100aa83

  • SHA1

    3d282d189f9b1920de79e4dd0aa36cc280f6b53e

  • SHA256

    1baad45cc119fef01aa0a48c0ea82a6dc10c3365d44984d50f94f25866063474

  • SHA512

    0519e921e35d85872f0e8b73a60efb108ab17c81bc1cdfcdc75e9df225ddf8fb6c8d262f63e0ff1f0efb76990808f102214db6f6239d38fd866a1c64130787f3

Score
10/10
formbookpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.hollandhousedesigns.design/vns/

Decoy

sparkspressworld.com

everydayresidency.com

thebosscollectionn.com

milkweedmagic.com

worklesshours.com

romeosfurnituremadera.com

unclepetesproduce.com

athleticamackay.com

9nhl.com

powellassetmanagement.com

jxlamp.com

onpointpetproducts.com

buymysoft.com

nazertrader.com

goprj.com

keeptalkservice.com

aolei1688.com

donstackl.com

almasorchids.com

pj5bwn.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 1 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\ijeonyi.com.exe
      "C:\Users\Admin\AppData\Local\Temp\ijeonyi.com.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\FMPlayerLauncher.exe
        C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\FMPlayerLauncher.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3648
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Adds policy Run key to start application
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1284

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\FMPlayerLauncher.exe
      MD5

      419b47fd0246a2c73e62b198c1be0eaa

      SHA1

      76e7971057ed82638fc0811a8e36be458c24796f

      SHA256

      7f09dadd04613493aaafea8b13a7bea08d3f0db4a69a5abe540e90f8d344400f

      SHA512

      2c5724bcf716ebb58e84bd3fde916ab956a224bf711594d5b9f6aed819894733686c1d46f72e72a84330f06c25cd9ae5c4c0950bdf4fa3a93b6002a1adfa972e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\FMPlayerLauncher.exe
      MD5

      419b47fd0246a2c73e62b198c1be0eaa

      SHA1

      76e7971057ed82638fc0811a8e36be458c24796f

      SHA256

      7f09dadd04613493aaafea8b13a7bea08d3f0db4a69a5abe540e90f8d344400f

      SHA512

      2c5724bcf716ebb58e84bd3fde916ab956a224bf711594d5b9f6aed819894733686c1d46f72e72a84330f06c25cd9ae5c4c0950bdf4fa3a93b6002a1adfa972e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\config.ini
      MD5

      9ff41a15752595741c706e0920c3b6c0

      SHA1

      8e799616685c1ce15906c097b5e25c74197d7f7c

      SHA256

      e7ead82dd8a73f3ad08d41f7b0d173f966c9ea099158cbdbb4fbe309fc6141b8

      SHA512

      1df3437e5922de3f3bea416d0d766c1752e40dd23614700addbb63f7af9dfee0f4c3a2e447d9b9b5d137f34f9cbdb0d8ad5b29d2dc69b0673496356cc27fa3bc

      Download Submit
    • C:\Users\Admin\AppData\Roaming\FMPlayerSoftware\libtag9.dll
      MD5

      a05c09ea0f3fd5dbdc528dbeb8815bb3

      SHA1

      9f19f5ee4af5f13efc35908d69a2b6e501878be3

      SHA256

      b4e4ab0157dc276773e416e92f9cd216d763d7f6fb1ba4fa5223b2a7ec47f2ff

      SHA512

      58f981e5b0a2f4f72b821718e637c1df9edc77df68aea20b0a1592f383f456107668ebe8bc49ab31f8004537fe33f595400ea5b70cb9ab878593534883c472bf

      Download Submit
    • C:\Users\Admin\AppData\Roaming\N3R349B2\N3Rlogim.jpeg
      MD5

      cf8a8802b06dd68a55c5aff625af1fa7

      SHA1

      f5fbb30f335c9f002c68b92ab91949b91e261496

      SHA256

      90a8dd6b0b68969b7140f1658160f26bf1a6411e3e3e39fc14af5fd863fa07db

      SHA512

      37fbbf92539d3a9ac09c0df854eaf13c0abf36d7f1fc0af7e205ac5ef003ac5410451598576902673fd85bc7de8cfff1f131c001411caf1824048fb1945a52e6

      Download Submit
    • C:\Users\Admin\AppData\Roaming\N3R349B2\N3Rlogrf.ini
      MD5

      2f245469795b865bdd1b956c23d7893d

      SHA1

      6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

      SHA256

      1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

      SHA512

      909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\N3R349B2\N3Rlogri.ini
      MD5

      d63a82e5d81e02e399090af26db0b9cb

      SHA1

      91d0014c8f54743bba141fd60c9d963f869d76c9

      SHA256

      eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

      SHA512

      38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

      Download Submit
    • C:\Users\Admin\AppData\Roaming\N3R349B2\N3Rlogrv.ini
      MD5

      bbc41c78bae6c71e63cb544a6a284d94

      SHA1

      33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

      SHA256

      ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

      SHA512

      0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

      Download Submit
    • \Users\Admin\AppData\Roaming\FMPlayerSoftware\libtag9.dll
      MD5

      a05c09ea0f3fd5dbdc528dbeb8815bb3

      SHA1

      9f19f5ee4af5f13efc35908d69a2b6e501878be3

      SHA256

      b4e4ab0157dc276773e416e92f9cd216d763d7f6fb1ba4fa5223b2a7ec47f2ff

      SHA512

      58f981e5b0a2f4f72b821718e637c1df9edc77df68aea20b0a1592f383f456107668ebe8bc49ab31f8004537fe33f595400ea5b70cb9ab878593534883c472bf

      Download Submit
    • memory/1284-129-0x0000000000000000-mapping.dmp
      Download
    • memory/1284-131-0x0000025715530000-0x0000025715618000-memory.dmp
      Filesize

      928KB

      Download
    • memory/1284-130-0x00007FF6FBC20000-0x00007FF6FBCB3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2732-124-0x00000000001C0000-0x00000000001D7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2732-125-0x0000000002A00000-0x0000000002A2E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2732-126-0x0000000002DE0000-0x0000000003100000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2732-127-0x0000000002D20000-0x0000000002DB3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2732-123-0x0000000000000000-mapping.dmp
      Download
    • memory/3060-128-0x0000000006950000-0x0000000006ABB000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3060-122-0x0000000005AD0000-0x0000000005C00000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3648-114-0x0000000000000000-mapping.dmp
      Download
    • memory/3648-121-0x00000000018E0000-0x00000000018F4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3648-120-0x0000000003AF0000-0x0000000003E10000-memory.dmp
      Filesize

      3.1MB

      Download