Overview

overview

10

Static

static

PO.exe

windows7_x64

10

PO.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    10-05-2021 19:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO.exe

  • Size

    58.0MB

  • MD5

    39452d43693baa6d75c1a57e58186d8e

  • SHA1

    55d035bb23f2b9581a791d841067a4169d4b2221

  • SHA256

    b87631dd4125cdc5775d67fb2ec619c9772d47151d7196af7793cd10e8a377ab

  • SHA512

    07dbb8b08d02a499f8b713519110b90856b5e63314c4790552186ff3f875575408f561cec8b36e4e5f5bf9654a1fd3a2e3ab832a3217f0e37a616654d3691d9e

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.monsunconsulting.com/gnf/

Decoy

phongthuythienan.website

andreaknightteacherauthor.com

lifeswatercolors.com

572215.com

kolm-polymers.com

turkishmarket.guru

jonnybravoarmory.com

wedatseasonings.com

worstdread.com

arisealf.com

gpsemployerservices.com

glorybit.com

purposeprowrestling.com

funlifecycle.com

bprattservices.com

pumpkinpundit.com

kustomhydraulics.com

accounteyei.com

visionagny.com

iddomum.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\PO.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bJSaprQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3545.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1324
      • C:\Users\Admin\AppData\Local\Temp\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\PO.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"
        3⤵
          PID:2864

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3545.tmp
      MD5

      cb3f6d3e57bcf3ea6e788be412c6b0db

      SHA1

      0f4710ae306e522bdef0155b25ec63ed199ffd4c

      SHA256

      e58c45cb8223a462901870e6a43ad7f789680e8404bcc12febe484409eb20d6b

      SHA512

      88dc470327915a2b2ae1e4b5da3dfba43266c34bef85cd773c9561e5089ecd659259716b60c383aa7f851924275616f46b2daf154cc9922c5b41c65ef74496fa

      Download Submit

    • memory/856-116-0x0000000004F00000-0x0000000004F01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/856-117-0x0000000005530000-0x0000000005531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/856-118-0x00000000050D0000-0x00000000050D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/856-119-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/856-120-0x0000000005170000-0x0000000005171000-memory.dmp

      Filesize

      4KB

      Download

    • memory/856-121-0x0000000005030000-0x000000000552E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/856-122-0x0000000005300000-0x0000000005304000-memory.dmp

      Filesize

      16KB

      Download

    • memory/856-123-0x0000000000F00000-0x0000000000F7E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/856-124-0x0000000008360000-0x0000000008398000-memory.dmp

      Filesize

      224KB

      Download

    • memory/856-114-0x0000000000680000-0x0000000000681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1324-125-0x0000000000000000-mapping.dmp

      Download

    • memory/2180-133-0x0000000000000000-mapping.dmp

      Download

    • memory/2180-134-0x0000000000850000-0x0000000000857000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2180-135-0x0000000002C00000-0x0000000002F20000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2180-136-0x00000000007F0000-0x000000000081E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2308-127-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2308-128-0x000000000041EBF0-mapping.dmp

      Download

    • memory/2308-130-0x00000000016E0000-0x0000000001A00000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2308-131-0x0000000001AD0000-0x0000000001AE4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2864-137-0x0000000000000000-mapping.dmp

      Download

    • memory/3052-132-0x0000000002670000-0x0000000002735000-memory.dmp

      Filesize

      788KB

      Download