Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 11:22

General

  • Target

    PO_CS009.exe

  • Size

    362KB

  • MD5

    08b794da39ef13910c12b15e072c1edd

  • SHA1

    b0e926330b4b67e823c2a12e9b8fa789a1b9291f

  • SHA256

    4092b0f7ea14add16e6f6f35071b074458a19d4550af50a80ed5742cc7046568

  • SHA512

    97822a1eb2197352f67037ec6b3c6cf8b0a54ebac288f84d3a254d1b1af2c53e2a5db4e3a13e91df80d4ce127a033485915e01f47fa0ecd6edd0d778655a0156

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload 3 IoCs
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\PO_CS009.exe
      "C:\Users\Admin\AppData\Local\Temp\PO_CS009.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\PO_CS009.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PO_CS009.exe"
        3⤵
        • Deletes itself
        PID:604
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:1576

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Persistence: Registry Run Keys / Startup Folder (1, T1060)
    • Defense Evasion: Modify Registry (2, T1112)
    • Credential Access: Credentials in Files (1, T1081)
    • Collection: Data from Local System (1, T1005)


    Downloads

    • C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogim.jpeg
      Filesize

      70KB

      MD5

      3f5ac482a0392a5796aaefe1eb14fe75

      SHA1

      7df22498858a2cc45fcc979990980e5416e5a29f

      SHA256

      05159fd6553b38299148575b3c5a73198905d678d1594bf2a9cd1f6bcb40717c

      SHA512

      6436e55b542b35aec31132083bf9b99f2b1a1d0128c2accfcf8581f64c3eae6193062fb39ef36de2f2fd463f07f8e00a405e256a3b49b2d5c137e44df041a207

    • C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogrf.ini
      Filesize

      40B

      MD5

      2f245469795b865bdd1b956c23d7893d

      SHA1

      6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

      SHA256

      1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

      SHA512

      909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

    • C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogri.ini
      Filesize

      40B

      MD5

      d63a82e5d81e02e399090af26db0b9cb

      SHA1

      91d0014c8f54743bba141fd60c9d963f869d76c9

      SHA256

      eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

      SHA512

      38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

    • C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogrv.ini
      Filesize

      40B

      MD5

      ba3b6bc807d4f76794c4b81b09bb9ba5

      SHA1

      24cb89501f0212ff3095ecc0aba97dd563718fb1

      SHA256

      6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

      SHA512

      ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

    • memory/604-68-0x0000000000000000-mapping.dmp
    • memory/1212-73-0x0000000004210000-0x00000000042ED000-memory.dmp
      Filesize

      884KB

    • memory/1212-65-0x0000000004BB0000-0x0000000004D49000-memory.dmp
      Filesize

      1.6MB

    • memory/1280-55-0x00000000004C0000-0x00000000004D6000-memory.dmp
      Filesize

      88KB

    • memory/1280-56-0x00000000047D0000-0x000000000480A000-memory.dmp
      Filesize

      232KB

    • memory/1280-54-0x0000000000110000-0x0000000000170000-memory.dmp
      Filesize

      384KB

    • memory/1388-71-0x0000000002200000-0x0000000002503000-memory.dmp
      Filesize

      3.0MB

    • memory/1388-67-0x00000000756E1000-0x00000000756E3000-memory.dmp
      Filesize

      8KB

    • memory/1388-66-0x0000000000000000-mapping.dmp
    • memory/1388-69-0x00000000005F0000-0x00000000005FE000-memory.dmp
      Filesize

      56KB

    • memory/1388-70-0x0000000000090000-0x00000000000BD000-memory.dmp
      Filesize

      180KB

    • memory/1388-72-0x0000000000530000-0x00000000005C3000-memory.dmp
      Filesize

      588KB

    • memory/1516-64-0x0000000000200000-0x0000000000214000-memory.dmp
      Filesize

      80KB

    • memory/1516-63-0x0000000000AE0000-0x0000000000DE3000-memory.dmp
      Filesize

      3.0MB

    • memory/1516-61-0x000000000041E2A0-mapping.dmp
    • memory/1516-60-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

    • memory/1516-58-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

    • memory/1516-57-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB