mpomzx.exe

General

Target:    mpomzx.exe
Filesize:  309KB
Completed: 25-11-2021 16:50
Score:     10/10
MD5:       586f7a1895ea47a462b1d5f6a43fcd33
SHA1:      c41cd420af421d31faede9294af1a2edc638d543
SHA256:    1358d88e078f1c59b546256968179bf213928f1e6f4e7afa255681b2cd8f92a2

Malware Config

Extracted

Family:   formbook
Version:  4.1
Campaign: vngb
C2:       http://www.gvlc0.club/vngb/

Decoy


Signatures 14

Discovery
  • Formbook

    Description

    Formbook is a data-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/292-57-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
    behavioral1/memory/292-58-0x000000000041F0E0-mapping.dmp                      formbook
    behavioral1/memory/292-63-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
    behavioral1/memory/1648-69-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid   process
    768   cmd.exe

  • Loads dropped DLL
    mpomzx.exe

    Reported IOCs

    pid   process
    1116  mpomzx.exe

  • Suspicious use of SetThreadContext
    mpomzx.exe, NAPSTAT.EXE

    Reported IOCs

    description                           pid   process      target process
    PID 1116 set thread context of 292    1116  mpomzx.exe   mpomzx.exe
    PID 292 set thread context of 1380    292   mpomzx.exe   Explorer.EXE   (2 entries)
    PID 1648 set thread context of 1380   1648  NAPSTAT.EXE  Explorer.EXE

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery

  • Suspicious behavior: EnumeratesProcesses
    mpomzx.exe, NAPSTAT.EXE

    Reported IOCs

    pid   process
    292   mpomzx.exe    (3 entries)
    1648  NAPSTAT.EXE   (27 entries)

  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid   process
    1380  Explorer.EXE

  • Suspicious behavior: MapViewOfSection
    mpomzx.exe, NAPSTAT.EXE

    Reported IOCs

    pid   process
    292   mpomzx.exe    (4 entries)
    1648  NAPSTAT.EXE   (2 entries)

  • Suspicious use of AdjustPrivilegeToken
    mpomzx.exe, NAPSTAT.EXE

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   292   mpomzx.exe
    Token: SeDebugPrivilege   1648  NAPSTAT.EXE

  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid   process
    1380  Explorer.EXE   (2 entries)

  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid   process
    1380  Explorer.EXE   (2 entries)

  • Suspicious use of WriteProcessMemory
    mpomzx.exe, Explorer.EXE, NAPSTAT.EXE

    Reported IOCs

    description                         pid   process       target process
    PID 1116 wrote to memory of 292     1116  mpomzx.exe    mpomzx.exe     (7 entries)
    PID 1380 wrote to memory of 1648    1380  Explorer.EXE  NAPSTAT.EXE    (4 entries)
    PID 1648 wrote to memory of 768     1648  NAPSTAT.EXE   cmd.exe        (4 entries)
Processes 5
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\mpomzx.exe
      "C:\Users\Admin\AppData\Local\Temp\mpomzx.exe"
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Users\Admin\AppData\Local\Temp\mpomzx.exe
        "C:\Users\Admin\AppData\Local\Temp\mpomzx.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:292
    • C:\Windows\SysWOW64\NAPSTAT.EXE
      "C:\Windows\SysWOW64\NAPSTAT.EXE"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\mpomzx.exe"
        Deletes itself
        PID:768
Network
Downloads
  • \Users\Admin\AppData\Local\Temp\nsiDFC5.tmp\advp.dll
    MD5:    47a7fbebea22292c405e44ec919c60fc
    SHA1:   23c5ee9e29719cd957b629da0901e706259adc46
    SHA256: 0feea087bbb6afebb6c50e8d20b2e00263b1db8744c54d11a39a77e0b0bd3473
    SHA512: f142390694e739d498f8148c86e14e6b8f3436a091841574e7683233d0511e2c0896afededad91680423b626aa2cf9ce2bf106a56ead99bb0fce25c5c609068c
