Overview

overview

10

Static

static

Purchase O...nt.exe

windows7_x64

10

Purchase O...nt.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    180s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order 77809 for acknowledgment.exe

  • Size

    281KB

  • MD5

    48884ebe9169015be3e42f68ad14d7be

  • SHA1

    4c0fe63fe5090ed8ac71f3af10dfc84c9b8b0f5e

  • SHA256

    b36d0b4952457c89f455f2333a815b0a1d7530a108bf43ea0ef1a7c17fe2774b

  • SHA512

    9258362c161b710264767cb180913c3190c6594961d40d1fdc976babfeeb4494aab31678cc9eb75662bf48e1055c8d62de0c8c9d2f4061e3917afb325c6bc0b4

Score
10/10
formbooky22persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

y22

Decoy

hashafriyat.com

autoaccessorieshub.com

simelautomazioni.com

bulkappothecary.com

streaminglowcost.com

pixelraps.com

yyy9928.com

pigmansion.net

keyunix.com

bjbangshou.com

mindfulrace.com

fibuv.life

cambridgedesignpartnership.com

plumbeus.com

somebodydial911.com

atrishq.com

circcountry.com

ellenandjames.info

jeeprevivalstore.com

thetouchofjo.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order 77809 for acknowledgment.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order 77809 for acknowledgment.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Users\Admin\AppData\Local\Temp\Purchase Order 77809 for acknowledgment.exe
        "C:\Users\Admin\AppData\Local\Temp\Purchase Order 77809 for acknowledgment.exe"
        3⤵
          PID:4296
        • C:\Users\Admin\AppData\Local\Temp\Purchase Order 77809 for acknowledgment.exe
          "C:\Users\Admin\AppData\Local\Temp\Purchase Order 77809 for acknowledgment.exe"
          3⤵
            PID:4272
          • C:\Users\Admin\AppData\Local\Temp\Purchase Order 77809 for acknowledgment.exe
            "C:\Users\Admin\AppData\Local\Temp\Purchase Order 77809 for acknowledgment.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:4200
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          2⤵
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4364
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order 77809 for acknowledgment.exe"
            3⤵
              PID:4540
            • C:\Windows\SysWOW64\cmd.exe
              /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
              3⤵
                PID:4672

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\DB1
            Filesize

            40KB

            MD5

            b608d407fc15adea97c26936bc6f03f6

            SHA1

            953e7420801c76393902c0d6bb56148947e41571

            SHA256

            b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

            SHA512

            cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

            Download Submit

          • C:\Users\Admin\AppData\Roaming\1P02057U\1P0logim.jpeg
            Filesize

            81KB

            MD5

            a361d971db0d1bc52b4eb0b95242367a

            SHA1

            964c0dd9bba610901e7ca29c711e3acccced7a6c

            SHA256

            237f988750ec59aa94bfab69677687315aa3f2466b5058609d8319ef5f6a5a89

            SHA512

            733a07b59b0715ffdb1123565b1c6f4bc07e7d7a10972dec06f81abdea7ebf8d4b777f0e028e6a719f72bf9df4378c66c36d8a84cced42978b8e4100732511b0

            Download Submit

          • C:\Users\Admin\AppData\Roaming\1P02057U\1P0logrg.ini
            Filesize

            38B

            MD5

            4aadf49fed30e4c9b3fe4a3dd6445ebe

            SHA1

            1e332822167c6f351b99615eada2c30a538ff037

            SHA256

            75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

            SHA512

            eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

            Download Submit

          • C:\Users\Admin\AppData\Roaming\1P02057U\1P0logri.ini
            Filesize

            40B

            MD5

            d63a82e5d81e02e399090af26db0b9cb

            SHA1

            91d0014c8f54743bba141fd60c9d963f869d76c9

            SHA256

            eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

            SHA512

            38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

            Download Submit

          • C:\Users\Admin\AppData\Roaming\1P02057U\1P0logrv.ini
            Filesize

            872B

            MD5

            bbc41c78bae6c71e63cb544a6a284d94

            SHA1

            33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

            SHA256

            ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

            SHA512

            0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

            Download Submit

          • memory/796-143-0x0000000002CB0000-0x0000000002D6F000-memory.dmp

            Filesize

            764KB

            Download

          • memory/796-150-0x0000000002D70000-0x0000000002EF7000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/1164-134-0x0000000006940000-0x00000000069DC000-memory.dmp

            Filesize

            624KB

            Download

          • memory/1164-130-0x0000000000EF0000-0x0000000000F3C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1164-133-0x0000000005C80000-0x0000000005C8A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1164-132-0x0000000005AF0000-0x0000000005B82000-memory.dmp

            Filesize

            584KB

            Download

          • memory/1164-131-0x0000000005EC0000-0x0000000006464000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4200-138-0x0000000000400000-0x000000000042A000-memory.dmp

            Filesize

            168KB

            Download

          • memory/4200-140-0x0000000000400000-0x000000000042A000-memory.dmp

            Filesize

            168KB

            Download

          • memory/4200-141-0x00000000017E0000-0x0000000001B2A000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4200-142-0x00000000017A0000-0x00000000017B4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/4200-137-0x0000000000000000-mapping.dmp

            Download

          • memory/4272-136-0x0000000000000000-mapping.dmp

            Download

          • memory/4296-135-0x0000000000000000-mapping.dmp

            Download

          • memory/4364-149-0x0000000002AE0000-0x0000000002B73000-memory.dmp

            Filesize

            588KB

            Download

          • memory/4364-148-0x0000000002C90000-0x0000000002FDA000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4364-147-0x0000000000B10000-0x0000000000B3A000-memory.dmp

            Filesize

            168KB

            Download

          • memory/4364-146-0x00000000005C0000-0x00000000009F3000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/4364-144-0x0000000000000000-mapping.dmp

            Download

          • memory/4540-145-0x0000000000000000-mapping.dmp

            Download

          • memory/4672-151-0x0000000000000000-mapping.dmp

            Download