Analysis

  • max time kernel
    154s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:29

General

  • Target

    New PI PL.exe

  • Size

    945KB

  • MD5

    332e036148c15d2453735b513bb8d693

  • SHA1

    ffe088da337a5d87baeb1f3de49f83ff6a607c0a

  • SHA256

    d4cca60154fcc667ada19dffbac16f84b51691a540daf850a766b91bd46544fe

  • SHA512

    099a9ad6dd681e580e7ab0ab1798a51ccb9ce92a9ed001e7a8e49f0c57a714932cbc20c06670683fdb67be1ab88ba4b54e4f67568884deed1bc8921ecee4aed9

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    wus
  • Decoy
    generativecoaching.net
    skillmosaic.com
    practicalmaster.com
    12aminmiami.com
    instagramsupport.online
    mainelse.net
    qqysmr.com
    wealthxd.com
    videoadscreator.com
    dltzscl.com
    cotaforjulyans.com
    forcend.com
    shinjukufilm.com
    bsq30.com
    dragonsrose.net
    loganbuys.com
    wwwfitnessymusica.com
    microbladingdublin.com
    corporateiconic.com
    sunshinegroupnyc.com

    The decoy entries are unrelated, mostly legitimate domains that Formbook contacts alongside its real C2 so that the check-in is buried in noise. The real C2 is not labelled in this extraction, so treat these domains as low-confidence indicators and do not block or attribute on the strength of this list alone.

Signatures

  • Formbook

    Formbook is an information stealer: it hooks browsers, mail clients and other applications to capture credentials and submitted form data, logs keystrokes and clipboard contents, takes screenshots, and hides by injecting itself into a legitimate Windows process. In this run the copy of Chrome's Login Data database and the raserver.exe host process are the visible signs of that behaviour.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload 2 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Looks for VMWare Tools registry key 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
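The sandbox-evasion and persistence signatures above are all registry observations. The following added Python example (not from the report or the sandbox vendor) shows how to classify raw registry telemetry into those same signature names and to score a process as sandbox-aware. The registry paths are the ones such checks typically hit (the VirtualBox Guest Additions and VMware Tools keys, SystemBiosVersion/VideoBiosVersion, Disk\Enum) and are assumed, not recovered from this sample; the event records are constructed, with PIDs taken from the process tree. Note that Sysmon's registry events (IDs 12/13/14) cover key creation and value writes only, so the read events here are the kind an EDR or kernel registry ETW tracing supplies.

```python
"""Classify registry telemetry into the report's sandbox-evasion and
persistence signatures. Added example; paths are typical targets of such
checks, not values recovered from this sample."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Key prefix -> signature name. Assumed typical targets (case-insensitive prefix match).
PREFIX_SIGNATURES = {
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "Checks BIOS information in registry",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Checks BIOS information in registry",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": "Looks for VirtualBox Guest Additions in registry",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": "Looks for VMWare Tools registry key",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum": "Maps connected drives based on registry",
}
# The Run key shows up as HKCU\... or HKU\<SID>\..., so match on the tail only.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

SANDBOX_EVASION = {
    "Checks BIOS information in registry",
    "Looks for VirtualBox Guest Additions in registry",
    "Looks for VMWare Tools registry key",
    "Maps connected drives based on registry",
}


def classify_event(target: str, op: str) -> Optional[str]:
    """Map one registry event to a signature name, or None if uninteresting."""
    low = target.lower()
    for prefix, sig in PREFIX_SIGNATURES.items():
        if low.startswith(prefix.lower()):
            return sig
    # Persistence needs a write to the Run key; a read of it is not persistence.
    if op == "SetValue" and RUN_KEY_RE.search(target):
        return "Adds Run key to start application"
    return None


def classify_events(events: Iterable[Dict]) -> Dict[int, Set[str]]:
    """Group signature hits by PID. Each event: {pid, image, op, target}."""
    hits: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        sig = classify_event(ev["target"], ev["op"])
        if sig:
            hits[ev["pid"]].add(sig)
    return dict(hits)


def sandbox_aware_pids(hits: Dict[int, Set[str]], min_distinct: int = 2) -> list:
    """PIDs that tripped at least `min_distinct` different evasion signatures.
    A single BIOS read is common in benign installers; two or more distinct
    probes from one process is the stronger signal."""
    return sorted(pid for pid, sigs in hits.items() if len(sigs & SANDBOX_EVASION) >= min_distinct)


SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\New PI PL.exe"
# Constructed telemetry. PIDs follow the report's process tree; the SID and
# the Run value name are placeholders, not values from the sample.
SAMPLE_EVENTS = [
    {"pid": 396, "image": SAMPLE_IMAGE, "op": "QueryValue",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 396, "image": SAMPLE_IMAGE, "op": "QueryValue",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 396, "image": SAMPLE_IMAGE, "op": "QueryValue",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"},
    {"pid": 2276, "image": r"C:\Windows\SysWOW64\raserver.exe", "op": "SetValue",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\placeholder"},
    {"pid": 1052, "image": r"C:\Windows\Explorer.EXE", "op": "QueryValue",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    hits = classify_events(SAMPLE_EVENTS)
    for pid, sigs in sorted(hits.items()):
        print(pid, sorted(sigs))
    print("sandbox-aware:", sandbox_aware_pids(hits))
```

Prefix matching on the key path is deliberate: Disk\Enum is usually read through its numbered subkeys (Disk\Enum\0, \1, ...) and VMware Tools through its InstallPath value, so an exact-key match would miss the probes the report flags.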

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Users\Admin\AppData\Local\Temp\New PI PL.exe
      "C:\Users\Admin\AppData\Local\Temp\New PI PL.exe"
      2⤵
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Users\Admin\AppData\Local\Temp\New PI PL.exe
        "C:\Users\Admin\AppData\Local\Temp\New PI PL.exe"
        3⤵
        PID:3384
      • C:\Users\Admin\AppData\Local\Temp\New PI PL.exe
        "C:\Users\Admin\AppData\Local\Temp\New PI PL.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\New PI PL.exe"
        3⤵
        PID:3080
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        3⤵
        PID:4100
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:3900
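The tree above is the usual Formbook execution chain: the dropper (PID 396) launches two further copies of itself (the suspended-child-plus-SetThreadContext pattern behind the "Suspicious use of SetThreadContext" hits), Explorer.EXE (PID 1052), which shows WriteProcessMemory activity of its own, then starts the 32-bit system binary raserver.exe as a host, and that host sets the Run key, copies Chrome's Login Data to %TEMP%\DB1 and deletes the original sample. The following added Python example (mine, not the report's or the vendor's) encodes those four observable relationships as hunting rules over Sysmon-style process-creation records. The records are constructed from the tree: the PIDs, images and command lines are the report's, the parent links follow its nesting, and the allowlist of system binaries that may legitimately spawn children is an assumed starting point to be tuned per estate.

```python
"""Hunt Formbook-style behaviour in process-creation telemetry.

Added example modelled on the report's process tree. The records are
constructed (Sysmon Event ID 1 style fields: pid, ppid, image, cmdline)."""
import re
from typing import Dict, List, Set, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System binaries that legitimately launch children. Assumed starting point; tune per estate.
EXPECTED_LAUNCHERS = {"cmd.exe", "powershell.exe", "svchost.exe", "services.exe",
                      "wmiprvse.exe", "userinit.exe", "winlogon.exe", "runtimebroker.exe"}
# Chrome / Firefox credential and cookie stores, by file name.
BROWSER_CRED_FILES = ("login data", "logins.json", "key4.db", "cookies")

DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
COPY_RE = re.compile(r'/c\s+copy\s+"([^"]+)"\s+"([^"]+)"', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every rule each process trips."""
    by_pid = {e["pid"]: e for e in events}
    all_images = {e["image"].lower() for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        pid, img, cmd = e["pid"], e["image"].lower(), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pimg = parent["image"].lower() if parent else ""
        # Rule 1: the same image re-launched as its own child (staging for SetThreadContext injection).
        if parent and img == pimg:
            findings.append((pid, "self-spawn"))
        # Rule 2: a System32/SysWOW64 binary that normally has no children spawns one (injected host).
        if pimg.startswith(SYSTEM_DIRS) and basename(pimg) not in EXPECTED_LAUNCHERS:
            findings.append((pid, "unexpected-child-of-system-binary"))
        # Rule 3: cmd /c del of a path that was executed in this tree (dropper self-deletion).
        m = DEL_RE.search(cmd)
        if m and m.group(1).lower() in all_images:
            findings.append((pid, "self-delete"))
        # Rule 4: copying a browser credential store out of the profile (credentials in files).
        m = COPY_RE.search(cmd)
        if m and basename(m.group(1)) in BROWSER_CRED_FILES:
            findings.append((pid, "browser-cred-store-copy"))
    return findings


def findings_for(findings: List[Tuple[int, str]], pid: int) -> Set[str]:
    return {rule for p, rule in findings if p == pid}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\New PI PL.exe"
RASERVER = r"C:\Windows\SysWOW64\raserver.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\Firefox.exe"
# Constructed from the report's tree; ppid 0 marks the unknown parent of Explorer.
SAMPLE_TREE = [
    {"pid": 1052, "ppid": 0, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 396, "ppid": 1052, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3384, "ppid": 396, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2196, "ppid": 396, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2276, "ppid": 1052, "image": RASERVER, "cmdline": f'"{RASERVER}"'},
    {"pid": 3080, "ppid": 2276, "image": CMD, "cmdline": f'/c del "{SAMPLE}"'},
    {"pid": 4100, "ppid": 2276, "image": CMD,
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"pid": 3900, "ppid": 2276, "image": FIREFOX, "cmdline": f'"{FIREFOX}"'},
]

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_TREE):
        print(pid, rule)
```

Rules 2 and 3 carry the weight here: raserver.exe is a Remote Assistance COM server with no business spawning cmd.exe or a browser, and a shell deleting a binary that appears as an image elsewhere in the same tree is a self-cleaning dropper regardless of family. Rule 1 alone is noisy (updaters and installers re-launch themselves), so score it only in combination.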

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    T1060 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    T1497 Virtualization/Sandbox Evasion (2)
    T1112 Modify Registry (2)
  • Credential Access
    T1081 Credentials in Files (1)
  • Discovery
    T1012 Query Registry (4)
    T1497 Virtualization/Sandbox Evasion (2)
    T1082 System Information Discovery (2)
    T1120 Peripheral Device Discovery (1)
  • Collection
    T1005 Data from Local System (1)

  The number in parentheses is how many of the signatures above mapped to that technique. IDs are ATT&CK v6; in current ATT&CK, T1060 has become T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1081 has become T1552.001 (Unsecured Credentials: Credentials In Files).

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DB1
    Filesize 40KB
    MD5 b608d407fc15adea97c26936bc6f03f6
    SHA1 953e7420801c76393902c0d6bb56148947e41571
    SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
    SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    DB1 is the copy of the Chrome "Login Data" SQLite database made by cmd.exe PID 4100 in the process tree. Its hashes identify the sandbox profile's credential store, not the malware, so they are not usable as detection indicators.

  • memory/396-130-0x0000000000370000-0x0000000000462000-memory.dmp
    Filesize 968KB
  • memory/396-131-0x0000000004EB0000-0x0000000004F4C000-memory.dmp
    Filesize 624KB
  • memory/396-132-0x0000000005500000-0x0000000005AA4000-memory.dmp
    Filesize 5.6MB
  • memory/396-133-0x0000000004F50000-0x0000000004FE2000-memory.dmp
    Filesize 584KB
  • memory/396-134-0x0000000004E10000-0x0000000004E1A000-memory.dmp
    Filesize 40KB
  • memory/396-135-0x00000000050E0000-0x0000000005136000-memory.dmp
    Filesize 344KB
  • memory/396-136-0x0000000005C20000-0x0000000005C86000-memory.dmp
    Filesize 408KB
  • memory/1052-143-0x0000000002B10000-0x0000000002BE3000-memory.dmp
    Filesize 844KB
  • memory/1052-150-0x0000000002F60000-0x0000000003016000-memory.dmp
    Filesize 728KB
  • memory/2196-138-0x0000000000000000-mapping.dmp
  • memory/2196-139-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize 180KB
  • memory/2196-140-0x0000000000E70000-0x00000000011BA000-memory.dmp
    Filesize 3.3MB
  • memory/2196-142-0x0000000000E00000-0x0000000000E14000-memory.dmp
    Filesize 80KB
  • memory/2276-144-0x0000000000000000-mapping.dmp
  • memory/2276-145-0x0000000000970000-0x000000000098F000-memory.dmp
    Filesize 124KB
  • memory/2276-146-0x0000000000B20000-0x0000000000B4D000-memory.dmp
    Filesize 180KB
  • memory/2276-147-0x0000000002C30000-0x0000000002F7A000-memory.dmp
    Filesize 3.3MB
  • memory/2276-149-0x0000000002F80000-0x0000000003013000-memory.dmp
    Filesize 588KB
  • memory/3080-148-0x0000000000000000-mapping.dmp
  • memory/3384-137-0x0000000000000000-mapping.dmp
  • memory/4100-151-0x0000000000000000-mapping.dmp

  The dumps are named <PID>-<sequence>-<start>-<end>; the "mapping.dmp" entries record a process mapping with no captured content. The two 180KB regions, at 0x400000 in the second self-spawned copy (PID 2196) and at 0xB20000 in raserver.exe (PID 2276), are the same size in the two processes the tree shows being injected, and are the likely candidates for the two Formbook Payload IoCs and the first dumps to pull for config extraction.