Analysis
- Max time kernel: 152s
- Max time network: 182s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 21-05-2022 11:40

Static task: static1
Behavioral task: behavioral1
- Sample: PI Confirmation.exe
- Resource: win7-20220414-en

General
- Target: PI Confirmation.exe
- Size: 669KB
- MD5: 39c13f82ae8a3803684959e14772c5b0
- SHA1: 5284c7308994dbe3348c320499c3756aeae50f1d
- SHA256: f4c535616a04819e9553cb3dbac66db0021065fb89a5e5c799c0b4eb301fb582
- SHA512: 55f7bfbf2cf916bee80d51827fbb8394f97c2fee12c2ea060b52e06b51c996c43bd4475dae7464cce71915e14ed7151dbee23252fb2e6f4046542488d68cf442
Malware Config
- Extracted: formbook 3.9 (ev08)
- Domains: 65 extracted (list omitted)
Signatures

Formbook Payload (3 IoCs)
Processes:
- behavioral2/memory/4264-137-0x0000000000400000-0x000000000042A000-memory.dmp (yara_rule: formbook)
- behavioral2/memory/4264-142-0x0000000000400000-0x000000000042A000-memory.dmp (yara_rule: formbook)
- behavioral2/memory/228-147-0x0000000000F50000-0x0000000000F7A000-memory.dmp (yara_rule: formbook)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: PI Confirmation.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: PI Confirmation.exe)

Suspicious use of SetThreadContext (4 IoCs)
Processes: PI Confirmation.exe, cmstp.exe
- PID 1808 (PI Confirmation.exe) set thread context of 4264 (PI Confirmation.exe)
- PID 4264 (PI Confirmation.exe) set thread context of 3168 (Explorer.EXE) (2 events)
- PID 228 (cmstp.exe) set thread context of 3168 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes: PI Confirmation.exe, cmstp.exe
- PID 4264 (PI Confirmation.exe) (6 events)
- PID 228 (cmstp.exe) (18 events)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: PI Confirmation.exe, cmstp.exe
- PID 4264 (PI Confirmation.exe) (4 events)
- PID 228 (cmstp.exe) (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: PI Confirmation.exe, cmstp.exe
- Token: SeDebugPrivilege, PID 4264 (PI Confirmation.exe)
- Token: SeDebugPrivilege, PID 228 (cmstp.exe)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: PI Confirmation.exe, Explorer.EXE, cmstp.exe
- PID 1808 (PI Confirmation.exe) wrote to memory of 4480 (schtasks.exe) (3 events)
- PID 1808 (PI Confirmation.exe) wrote to memory of 4264 (PI Confirmation.exe) (6 events)
- PID 3168 (Explorer.EXE) wrote to memory of 228 (cmstp.exe) (3 events)
- PID 228 (cmstp.exe) wrote to memory of 3856 (cmd.exe) (3 events)
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\PI Confirmation.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\PI Confirmation.exe"
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\btbKAIclCxOrzu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC004.tmp"
            - Creates scheduled task(s)

        [3] C:\Users\Admin\AppData\Local\Temp\PI Confirmation.exe
            Command line: "{path}"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmstp.exe
        Command line: "C:\Windows\SysWOW64\cmstp.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PI Confirmation.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmpC004.tmp
  Filesize: 1KB
  MD5: 780c9fef86f39cbdeba019f98d62f311
  SHA1: d483b876b2ad4893374d3a990f1d17d5eaafd8c7
  SHA256: db8c07fdb95c31df469fb2bb919581fd256c18e5b0f331d775031ece4db5fc3c
  SHA512: 238cfc561e1abd85dba5c12c683cf61d0a6b839aa0251d2362c2aa536e091d41732a94ae8471d935622e56457800afda7262f694d4a1553de1328cfbaf030f41

Memory dumps (path, filesize):
- memory/228-146-0x00000000004C0000-0x00000000004D6000-memory.dmp, 88KB
- memory/228-145-0x0000000000000000-mapping.dmp
- memory/228-150-0x0000000002FA0000-0x0000000003033000-memory.dmp, 588KB
- memory/228-147-0x0000000000F50000-0x0000000000F7A000-memory.dmp, 168KB
- memory/228-149-0x00000000030A0000-0x00000000033EA000-memory.dmp, 3.3MB
- memory/1808-131-0x0000000005020000-0x00000000055C4000-memory.dmp, 5.6MB
- memory/1808-133-0x0000000004C90000-0x0000000004D2C000-memory.dmp, 624KB
- memory/1808-130-0x0000000000100000-0x00000000001AE000-memory.dmp, 696KB
- memory/1808-132-0x0000000004B50000-0x0000000004BE2000-memory.dmp, 584KB
- memory/3168-144-0x0000000008130000-0x00000000082BF000-memory.dmp, 1.6MB
- memory/3168-151-0x00000000082C0000-0x0000000008421000-memory.dmp, 1.4MB
- memory/3168-141-0x0000000007EF0000-0x0000000007FF7000-memory.dmp, 1.0MB
- memory/3856-148-0x0000000000000000-mapping.dmp
- memory/4264-136-0x0000000000000000-mapping.dmp
- memory/4264-138-0x0000000001840000-0x0000000001B8A000-memory.dmp, 3.3MB
- memory/4264-143-0x00000000017D0000-0x00000000017E4000-memory.dmp, 80KB
- memory/4264-142-0x0000000000400000-0x000000000042A000-memory.dmp, 168KB
- memory/4264-137-0x0000000000400000-0x000000000042A000-memory.dmp, 168KB
- memory/4264-140-0x0000000001750000-0x0000000001764000-memory.dmp, 80KB
- memory/4480-134-0x0000000000000000-mapping.dmp