Overview

overview

10

Static

static

1

PO45021513...el.exe

windows7_x64

10

PO45021513...el.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    25-10-2021 11:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO4502151388.excel.exe

  • Size

    310KB

  • MD5

    042981e463e96d427fb66d475ff62c17

  • SHA1

    588a8cc23b96a5f0c3744729f114b67da78bf183

  • SHA256

    d2b2d54f03ed22179f9317d2c7bfbcdf669e1378a35727cde4147ac41f669dd1

  • SHA512

    6aded5d389779bafc5dabae3b7d589d67e4a0b7fa3cacccf3191aa518e6c5416ac216c6d24855cc6cdb5c387f25e924acdf02e09831d8e76218b31d5c717ef32

Score
10/10
formbookct6sratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ct6s

C2

http://www.metalzj.quest/ct6s/

Decoy

liaquatsibtian.com

erisa.cymru

theultimateone.world

petpartner.info

edison-press.com

ryanmurazik.icu

bukasystems.com

kitsusimplex.com

qatarstyleart.com

brkhot.top

paehdfdtrujdfhs.xyz

createdbybonk.com

kuihoon.com

deathtocustomerservice.com

iotimb.com

greendiamond.pw

millionaireproducers.academy

websitemolsa.com

cbshomeimprovement.com

eardunder.quest

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe
      "C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe
        "C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
        3⤵
          PID:920

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsoCDD1.tmp\bpgoeab.dll
      MD5

      f2f838f6f712004c0241e7fd01ade606

      SHA1

      4f7a810c38ca6bfcfaccef702f4fc6e215c03b37

      SHA256

      3be058bf9a059946f869bc4e791b71dd7aaf7b303e30832696181d0ae3925e2b

      SHA512

      0e0844d3af3488bd986317df53f11f770bba3e0854a491764e47a49f9d69fe9b4cfbb14a770b12adda9f47200b52de6b2c42d1a2ff9530a0ed38227fd82d1c57

      Download Submit
    • memory/920-125-0x0000000000000000-mapping.dmp
      Download
    • memory/1956-119-0x0000000000A40000-0x0000000000D60000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1956-117-0x000000000041F0C0-mapping.dmp
      Download
    • memory/1956-120-0x00000000005F0000-0x0000000000604000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1956-116-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3056-121-0x0000000005050000-0x00000000051B7000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3056-128-0x0000000006B20000-0x0000000006C90000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3744-122-0x0000000000000000-mapping.dmp
      Download
    • memory/3744-124-0x0000000000980000-0x00000000009AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3744-123-0x0000000000BB0000-0x0000000000BBA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3744-126-0x0000000005420000-0x0000000005740000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3744-127-0x0000000005180000-0x0000000005213000-memory.dmp
      Filesize

      588KB

      Download