Overview

overview

10

Static

static

1

PI.exe

windows7_x64

10

PI.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PI.exe

  • Size

    229KB

  • MD5

    faa85d608853f8f467909b19eac68daa

  • SHA1

    2eafec60349d9a3cefd12e031f2597ca21c279b3

  • SHA256

    c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c

  • SHA512

    c3ccd2494c336d7479ec4cd70dbe61900c3ff2c9882fee7f84314151e2682ef2b335da85e3df175bb04b39a4148f376a4f279ae9009a961ee66ba60b51f9eb00

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.knighttechinca.com/dxe/

Decoy

sardarfarm.com

959tremont.com

privat-livecam.net

ansel-homebakery.com

joysupermarket.com

peninsulamatchmakers.net

northsytyle.com

radioconexaoubermusic.com

relocatingrealtor.com

desyrnan.com

onlinehoortoestel.online

enpointe.online

rvvikings.com

paulpoirier.com

shitarpa.net

kerneis.net

rokitreach.com

essentiallygaia.com

prestiged.net

fuerzaagavera.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Users\Admin\AppData\Local\Temp\PI.exe
      "C:\Users\Admin\AppData\Local\Temp\PI.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Users\Admin\AppData\Local\Temp\PI.exe
        "C:\Users\Admin\AppData\Local\Temp\PI.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
        3⤵
          PID:3720

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nso112E.tmp\al7n3.dll
      MD5

      d7b3e7bbb1ba396ae0a092b5dc4b9ed4

      SHA1

      1af08aca3583c37cd83c23c4b1f0eafb477c48b0

      SHA256

      a4361c7bf7b9859df0b622ee7c421c216cc036b910e70861f107d487e257c162

      SHA512

      123138e9a75bbe78e47bef5fb4e6f5e024efe094bf3fce13c3919c916dce9e8382e212fa83a97604afeb6c161205df5f8d83e0536ada82cffa7f9866d1545ded

      Download Submit
    • memory/1592-121-0x0000000000000000-mapping.dmp
      Download
    • memory/1592-126-0x0000000000D40000-0x0000000000DD3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1592-125-0x0000000000E80000-0x00000000011A0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1592-124-0x0000000000410000-0x000000000043E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1592-123-0x0000000001330000-0x0000000001349000-memory.dmp
      Filesize

      100KB

      Download
    • memory/1704-115-0x0000000002170000-0x0000000002172000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2220-117-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2220-118-0x0000000000A90000-0x0000000000DB0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2220-119-0x0000000000500000-0x000000000064A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2220-116-0x000000000041EAF0-mapping.dmp
      Download
    • memory/2460-120-0x0000000005F50000-0x000000000609B000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2460-127-0x00000000007F0000-0x000000000088C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3720-122-0x0000000000000000-mapping.dmp
      Download