Analysis
- max time kernel: 154s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:29
Static task: static1
Behavioral task: behavioral1
- Sample: New PI PL.exe
- Resource: win7-20220414-en
General
- Target: New PI PL.exe
- Size: 945KB
- MD5: 332e036148c15d2453735b513bb8d693
- SHA1: ffe088da337a5d87baeb1f3de49f83ff6a607c0a
- SHA256: d4cca60154fcc667ada19dffbac16f84b51691a540daf850a766b91bd46544fe
- SHA512: 099a9ad6dd681e580e7ab0ab1798a51ccb9ce92a9ed001e7a8e49f0c57a714932cbc20c06670683fdb67be1ab88ba4b54e4f67568884deed1bc8921ecee4aed9
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: wus
- Domains:
generativecoaching.net
skillmosaic.com
practicalmaster.com
12aminmiami.com
instagramsupport.online
mainelse.net
qqysmr.com
wealthxd.com
videoadscreator.com
dltzscl.com
cotaforjulyans.com
forcend.com
shinjukufilm.com
bsq30.com
dragonsrose.net
loganbuys.com
wwwfitnessymusica.com
microbladingdublin.com
corporateiconic.com
sunshinegroupnyc.com
cpc000.com
aerialliftland.com
50j6tfl4t7.biz
phransus.com
sepez.com
alephmim.com
mobster.tech
armanismiami.com
maviswancyzk.com
prephurricane.com
danielryanwrites.com
niruli96.party
westgastro-lbc.com
gofoodieweb.com
daveselectricalco.com
treasuresofwallstreet.com
ebaychinadirect.com
michaelmaffait.com
konnect-4.com
weiguanwo.com
joycestravels.com
allstatehurricaneirmaclaims.com
necoservicios.com
kuishei.com
twentydc.scot
semohomesource.com
graymensociety.com
jswmpc.com
tlpropertybuyers.com
azteccar.com
thesourcespirit.com
fhtps.com
sabrinacameron.com
130aa4.com
junowagashi.com
seocherubin.com
fashionnpva.com
photoidrental.com
sierraassets.net
zhubao258.com
athenscraftbeerexpo.com
zzizzle.net
greengoenvironmental.com
goveducc.com
howcuty.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (2 IoCs)
  Processes:
  - resource: behavioral2/memory/2196-139-0x0000000000400000-0x000000000042D000-memory.dmp, yara_rule: formbook
  - resource: behavioral2/memory/2276-146-0x0000000000B20000-0x0000000000B4D000-memory.dmp, yara_rule: formbook
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: New PI PL.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: New PI PL.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: New PI PL.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: raserver.exe
  - Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: raserver.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9RO0ZLWPZ0 = "C:\\Program Files (x86)\\Ejzih0\\edehxthxb8i0.exe" (process: raserver.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: New PI PL.exe
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: New PI PL.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: New PI PL.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: New PI PL.exe, New PI PL.exe, raserver.exe
  - PID 396 set thread context of 2196 (pid 396, process: New PI PL.exe, target process: New PI PL.exe)
  - PID 2196 set thread context of 1052 (pid 2196, process: New PI PL.exe, target process: Explorer.EXE)
  - PID 2276 set thread context of 1052 (pid 2276, process: raserver.exe, target process: Explorer.EXE)
- Drops file in Program Files directory (1 IoCs)
  Processes: raserver.exe
  - File opened for modification: C:\Program Files (x86)\Ejzih0\edehxthxb8i0.exe (process: raserver.exe)
- Modifies Internet Explorer settings
  Processes: raserver.exe
  - Key created: \Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: raserver.exe)
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: New PI PL.exe, New PI PL.exe, raserver.exe
  - pid 396, process: New PI PL.exe (2 entries)
  - pid 2196, process: New PI PL.exe (4 entries)
  - pid 2276, process: raserver.exe (24 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Explorer.EXE
  - pid 1052, process: Explorer.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes: New PI PL.exe, raserver.exe
  - pid 2196, process: New PI PL.exe (3 entries)
  - pid 2276, process: raserver.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: New PI PL.exe, New PI PL.exe, raserver.exe, Explorer.EXE
  - Token: SeDebugPrivilege (pid 396, process: New PI PL.exe)
  - Token: SeDebugPrivilege (pid 2196, process: New PI PL.exe)
  - Token: SeDebugPrivilege (pid 2276, process: raserver.exe)
  - Token: SeShutdownPrivilege (pid 1052, process: Explorer.EXE)
  - Token: SeCreatePagefilePrivilege (pid 1052, process: Explorer.EXE)
  - Token: SeShutdownPrivilege (pid 1052, process: Explorer.EXE)
  - Token: SeCreatePagefilePrivilege (pid 1052, process: Explorer.EXE)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: New PI PL.exe, Explorer.EXE, raserver.exe
  - PID 396 wrote to memory of 3384 (pid 396, process: New PI PL.exe, target process: New PI PL.exe) (3 entries)
  - PID 396 wrote to memory of 2196 (pid 396, process: New PI PL.exe, target process: New PI PL.exe) (6 entries)
  - PID 1052 wrote to memory of 2276 (pid 1052, process: Explorer.EXE, target process: raserver.exe) (3 entries)
  - PID 2276 wrote to memory of 3080 (pid 2276, process: raserver.exe, target process: cmd.exe) (3 entries)
  - PID 2276 wrote to memory of 4100 (pid 2276, process: raserver.exe, target process: cmd.exe) (3 entries)
  - PID 2276 wrote to memory of 3900 (pid 2276, process: raserver.exe, target process: Firefox.exe) (3 entries)
Processes
- (level 1) C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\New PI PL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\New PI PL.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Users\Admin\AppData\Local\Temp\New PI PL.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\New PI PL.exe"
    - (level 3) C:\Users\Admin\AppData\Local\Temp\New PI PL.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\New PI PL.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - (level 2) C:\Windows\SysWOW64\raserver.exe
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\New PI PL.exe"
    - (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    - (level 3) C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- memory/396-130-0x0000000000370000-0x0000000000462000-memory.dmp (Filesize: 968KB)
- memory/396-131-0x0000000004EB0000-0x0000000004F4C000-memory.dmp (Filesize: 624KB)
- memory/396-132-0x0000000005500000-0x0000000005AA4000-memory.dmp (Filesize: 5.6MB)
- memory/396-133-0x0000000004F50000-0x0000000004FE2000-memory.dmp (Filesize: 584KB)
- memory/396-134-0x0000000004E10000-0x0000000004E1A000-memory.dmp (Filesize: 40KB)
- memory/396-135-0x00000000050E0000-0x0000000005136000-memory.dmp (Filesize: 344KB)
- memory/396-136-0x0000000005C20000-0x0000000005C86000-memory.dmp (Filesize: 408KB)
- memory/1052-150-0x0000000002F60000-0x0000000003016000-memory.dmp (Filesize: 728KB)
- memory/1052-143-0x0000000002B10000-0x0000000002BE3000-memory.dmp (Filesize: 844KB)
- memory/2196-140-0x0000000000E70000-0x00000000011BA000-memory.dmp (Filesize: 3.3MB)
- memory/2196-142-0x0000000000E00000-0x0000000000E14000-memory.dmp (Filesize: 80KB)
- memory/2196-139-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/2196-138-0x0000000000000000-mapping.dmp
- memory/2276-144-0x0000000000000000-mapping.dmp
- memory/2276-146-0x0000000000B20000-0x0000000000B4D000-memory.dmp (Filesize: 180KB)
- memory/2276-145-0x0000000000970000-0x000000000098F000-memory.dmp (Filesize: 124KB)
- memory/2276-147-0x0000000002C30000-0x0000000002F7A000-memory.dmp (Filesize: 3.3MB)
- memory/2276-149-0x0000000002F80000-0x0000000003013000-memory.dmp (Filesize: 588KB)
- memory/3080-148-0x0000000000000000-mapping.dmp
- memory/3384-137-0x0000000000000000-mapping.dmp
- memory/4100-151-0x0000000000000000-mapping.dmp