Overview

overview

10

Static

static

PO 0131.exe

windows7_x64

10

PO 0131.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 10:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO 0131.exe

  • Size

    601KB

  • MD5

    eb437cbf64c34aebc51d6fd32ceec985

  • SHA1

    2a1d8901240f6079da9c6978aabb658d55114d12

  • SHA256

    3d4e25f876b2007b8b03a1d79109a52fcb5602644fb4554eb065f97853daa5de

  • SHA512

    af5a6a5c4479ac2a5dc6988d8a283ff022914347159440bb8f292fa426253cb6eefe67809701eb4996de4f92a85e933003796669523cd99500f5337e547d9d38

Score
10/10
formbookje16persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je16

Decoy

antonavt.com

sdfvlog.xyz

xn--arbetslivsaktren-ywb.com

propelcolor.com

uniqueclsssiccars.com

colorbells.com

synjive.com

cloudymellows.com

walltage.com

qterps.com

kezorup.online

soakedindelight.online

thefirstgroupscam.biz

miclanka.com

mwm-security.com

trinksaifenradiodocumentary.com

spineklinik.com

javacodecafe.com

groovyrelease-toknowtoday.info

ventadesillasymesas.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 2 IoCs
    rat
  • Sets service image path in registry 2 TTPs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Local\Temp\PO 0131.exe
      "C:\Users\Admin\AppData\Local\Temp\PO 0131.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Users\Admin\AppData\Local\Temp\PO 0131.exe
        "C:\Users\Admin\AppData\Local\Temp\PO 0131.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:776
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PO 0131.exe"
        3⤵
          PID:3784
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 6bf4c037a60f74c25680af0f18ccb626 C25sboTFCk+5gsrP8JQ7OQ.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:432
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:2228

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Command-Line Interface

      1
      T1059

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/776-135-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/776-138-0x0000000000F90000-0x0000000000FA4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/776-137-0x0000000001040000-0x00000000017EA000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2424-144-0x0000000008A60000-0x0000000008BE2000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2424-139-0x0000000002D10000-0x0000000002E0F000-memory.dmp
        Filesize

        1020KB

        Download
      • memory/2816-141-0x0000000002AA0000-0x0000000002ACF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2816-140-0x00000000006E0000-0x00000000006EB000-memory.dmp
        Filesize

        44KB

        Download
      • memory/2816-142-0x0000000003170000-0x00000000034BA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2816-143-0x0000000003080000-0x0000000003113000-memory.dmp
        Filesize

        588KB

        Download
      • memory/3412-134-0x0000000005AB0000-0x0000000006054000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3412-133-0x00000000050F0000-0x000000000518C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/3412-132-0x0000000004E50000-0x0000000004EE2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3412-130-0x00000000001D0000-0x000000000026C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/3412-131-0x0000000004E40000-0x0000000004E41000-memory.dmp
        Filesize

        4KB

        Download