Overview

overview

10

Static

static

PI Confirmation.exe

windows7_x64

10

PI Confirmation.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PI Confirmation.exe

  • Size

    669KB

  • MD5

    39c13f82ae8a3803684959e14772c5b0

  • SHA1

    5284c7308994dbe3348c320499c3756aeae50f1d

  • SHA256

    f4c535616a04819e9553cb3dbac66db0021065fb89a5e5c799c0b4eb301fb582

  • SHA512

    55f7bfbf2cf916bee80d51827fbb8394f97c2fee12c2ea060b52e06b51c996c43bd4475dae7464cce71915e14ed7151dbee23252fb2e6f4046542488d68cf442

Score
10/10
formbookev08ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ev08

Decoy

elysianhomesanddesign.com

emplytics.com

rx-server.com

yunkeguanjia.com

069xke.info

xgltnpzoai.biz

vizebasvurusuislemi.com

willenochhardscape.com

luciovicencio.com

369zhangting.com

dealsamzn.com

epsilontech.net

longzhimy.com

drfenxiyi.com

perfecttiger.win

jon-lisa.com

projeen.com

tpak4.com

telurasinjulak.com

grhcew.men

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Users\Admin\AppData\Local\Temp\PI Confirmation.exe
      "C:\Users\Admin\AppData\Local\Temp\PI Confirmation.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\btbKAIclCxOrzu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC004.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4480
      • C:\Users\Admin\AppData\Local\Temp\PI Confirmation.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4264
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PI Confirmation.exe"
        3⤵
          PID:3856

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpC004.tmp
      Filesize

      1KB

      MD5

      780c9fef86f39cbdeba019f98d62f311

      SHA1

      d483b876b2ad4893374d3a990f1d17d5eaafd8c7

      SHA256

      db8c07fdb95c31df469fb2bb919581fd256c18e5b0f331d775031ece4db5fc3c

      SHA512

      238cfc561e1abd85dba5c12c683cf61d0a6b839aa0251d2362c2aa536e091d41732a94ae8471d935622e56457800afda7262f694d4a1553de1328cfbaf030f41

      Download Submit
    • memory/228-146-0x00000000004C0000-0x00000000004D6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/228-145-0x0000000000000000-mapping.dmp
      Download
    • memory/228-150-0x0000000002FA0000-0x0000000003033000-memory.dmp
      Filesize

      588KB

      Download
    • memory/228-147-0x0000000000F50000-0x0000000000F7A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/228-149-0x00000000030A0000-0x00000000033EA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1808-131-0x0000000005020000-0x00000000055C4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1808-133-0x0000000004C90000-0x0000000004D2C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1808-130-0x0000000000100000-0x00000000001AE000-memory.dmp
      Filesize

      696KB

      Download
    • memory/1808-132-0x0000000004B50000-0x0000000004BE2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3168-144-0x0000000008130000-0x00000000082BF000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3168-151-0x00000000082C0000-0x0000000008421000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3168-141-0x0000000007EF0000-0x0000000007FF7000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3856-148-0x0000000000000000-mapping.dmp
      Download
    • memory/4264-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4264-138-0x0000000001840000-0x0000000001B8A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4264-143-0x00000000017D0000-0x00000000017E4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4264-142-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/4264-137-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/4264-140-0x0000000001750000-0x0000000001764000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4480-134-0x0000000000000000-mapping.dmp
      Download