Analysis
-
max time kernel: 199s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:28
Static task: static1
Behavioral task: behavioral1
Sample: ScanPMT.exe
Resource: win7-20220414-en
General
-
Target: ScanPMT.exe
Size: 753KB
MD5: 07635d52fc102dc84f5922736c158677
SHA1: 8f120df33ef24f6917d9eeecb85e96a49049ecab
SHA256: 8288e9e21f28be24c2d3839e26c3c726dc90e9955a8506816fb498044f9846b6
SHA512: f5f34d62be8ad42435c554391d9406713ced9c19b73a1d9de33f3e6bbc150b5b0b165313e152408893b08900d367532ff4961b3fbb4729ef82792a8ced6e7c8d
Malware Config
Extracted
formbook
4.1
vcd
lacittauniversitaria.com
godsdigger.info
stxfwj.com
sing-uk.com
crazyedu.com
sunchermical.com
cocaparis2024.com
ahazm.com
li021.com
bizzspire.com
jb-o8y.com
ssconlineadmitcard.com
merkled.net
nesaraconstruction.com
viba.ltd
rasshoferconsulting.com
slingersdlbrbhjs.download
higgins-plastering.com
prostickusa.com
szryyl.com
crfmail.com
758elpintadord.com
things4dogs.com
skyhub.solutions
casavillaesperanza.com
xulynuocthainhiemdau.com
danarebecca.net
tongren119.com
k-908.com
zedbloggeronline.com
loqiri.com
fhjej.info
weihuimao.com
biokinemetrics.info
thevistatoledo.com
b2btechemail.com
duhe.ltd
artgarfunkelbooks.com
lessentielstudio.com
sdoubote.com
perfectdiveform.com
hanguoxuebingguanwang.com
readlies.com
xn--fiqa07aw9y6mlc3hiqb4w5k.net
sabkimaggi.com
keyways-lnt.com
xn--snapcht-bxa.com
whatsthebestfrench.com
saddamakhtar.net
tpscrtcnsltng.com
ysiemprendes.com
abcconcours.info
lienvision.com
97ping.com
canthihocduong.info
shjdfc.com
yinghuatianyi.com
fincasyvecinos.com
thefoodieboo.com
leafworkdna.com
ads-strong.com
juhao.site
thsavingsbankohio.com
matthewjgardner.com
godhep.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2560-137-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
behavioral2/memory/2916-145-0x0000000000330000-0x000000000035D000-memory.dmp | formbook
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MRXXHBMXCNY = "C:\\Program Files (x86)\\Ejzd09bmx\\qxqxgzixzz5p4tbp.exe" | svchost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. In this run the injected svchost.exe spawns cmd.exe to copy Chrome's "Login Data" database to %TEMP%\DB1 (see the process tree below).
-
Suspicious use of SetThreadContext 3 IoCs
Processes: ScanPMT.exe, ScanPMT.exe, svchost.exe
description | pid | process | target process
PID 3184 set thread context of 2560 | 3184 | ScanPMT.exe | ScanPMT.exe
PID 2560 set thread context of 2604 | 2560 | ScanPMT.exe | Explorer.EXE
PID 2916 set thread context of 2604 | 2916 | svchost.exe | Explorer.EXE
-
Drops file in Program Files directory 1 IoCs
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Ejzd09bmx\qxqxgzixzz5p4tbp.exe | svchost.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes: svchost.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: ScanPMT.exe, svchost.exe
pid | process | events
2560 | ScanPMT.exe | 4
2916 | svchost.exe | 20
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2604 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: ScanPMT.exe, svchost.exe
pid | process | events
2560 | ScanPMT.exe | 3
2916 | svchost.exe | 2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: ScanPMT.exe, svchost.exe
description | pid | process
Token: SeDebugPrivilege | 2560 | ScanPMT.exe
Token: SeDebugPrivilege | 2916 | svchost.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: ScanPMT.exe, Explorer.EXE, svchost.exe
description | pid | process | target process | events
PID 3184 wrote to memory of 2560 | 3184 | ScanPMT.exe | ScanPMT.exe | 6
PID 2604 wrote to memory of 2916 | 2604 | Explorer.EXE | svchost.exe | 3
PID 2916 wrote to memory of 3840 | 2916 | svchost.exe | cmd.exe | 3
PID 2916 wrote to memory of 216 | 2916 | svchost.exe | cmd.exe | 3
Processes
-
C:\Windows\Explorer.EXE  (PID 2604)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe  (PID 3184)
    command line: "C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe  (PID 2560)
      command line: "C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\svchost.exe  (PID 2916)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe"
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
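The flattened SetThreadContext, WriteProcessMemory, registry and command-line entries in this report are easier to reason about once they are parsed into an injection tree. The Python below is an added example, not part of the sandbox report or of any sandbox tooling: it takes those entries verbatim from the report as its (constructed) input, rebuilds the chain of cross-process writes starting at the parent ScanPMT.exe, pulls the Policies\Explorer\Run persistence value, and labels the two cmd.exe command lines. The function names (`parse_edges`, `injection_paths`, `persistence_from_registry`, `classify_cmdline`, `triage`) and the `SAMPLE_PATH` constant are this example's own.

```python
"""Added triage example for the Formbook report above (not part of the report).
All input strings are copied verbatim from the report's signature tables."""
import json
import re

# Cross-process write events from the SetThreadContext / WriteProcessMemory
# tables (constructed input for this example, copied from the report).
INJECTION_EVENTS = """
PID 3184 set thread context of 2560 3184 ScanPMT.exe ScanPMT.exe
PID 2560 set thread context of 2604 2560 ScanPMT.exe Explorer.EXE
PID 2916 set thread context of 2604 2916 svchost.exe Explorer.EXE
PID 3184 wrote to memory of 2560 3184 ScanPMT.exe ScanPMT.exe
PID 2604 wrote to memory of 2916 2604 Explorer.EXE svchost.exe
PID 2916 wrote to memory of 3840 2916 svchost.exe cmd.exe
PID 2916 wrote to memory of 216 2916 svchost.exe cmd.exe
"""
# Registry event from the "Adds policy Run key" table.
REGISTRY_EVENT = (
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r"\Policies\Explorer\Run\MRXXHBMXCNY = "
    r'"C:\\Program Files (x86)\\Ejzd09bmx\\qxqxgzixzz5p4tbp.exe" svchost.exe'
)
# The two cmd.exe command lines from the process tree, and the dropper path.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe"
COMMAND_LINES = [
    r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe"',
    r'C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome'
    r'\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V',
]

# "PID <src> <verb> <dst> <src> <src name> <dst name>", exactly as the report prints it.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?:set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)
PERSISTENCE_RE = re.compile(
    r'Set value \(str\) (\S*\\Policies\\Explorer\\Run\\(\S+)) = "([^"]+)"'
)
COPY_RE = re.compile(r'copy "([^"]+)" "([^"]+)"', re.IGNORECASE)
DEL_RE = re.compile(r'del "([^"]+)"', re.IGNORECASE)


def parse_edges(text):
    """(src_pid, src_name, dst_pid, dst_name) tuples in report order, de-duplicated.
    The report emits one WriteProcessMemory row per call, so repeats are expected."""
    edges = []
    for m in EVENT_RE.finditer(text):
        edge = (int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"])
        if edge not in edges:
            edges.append(edge)
    return edges


def injection_paths(edges, root):
    """Every root-to-leaf path of cross-process writes, as 'pid:name' labels.
    A pid already on the current path is not revisited, which is what makes the
    svchost.exe -> Explorer.EXE -> svchost.exe loop in this report terminate."""
    names, children = {}, {}
    for src, src_name, dst, dst_name in edges:
        names[src], names[dst] = src_name, dst_name
        children.setdefault(src, [])
        if dst not in children[src]:
            children[src].append(dst)
    paths = []

    def walk(pid, path):
        nxt = [c for c in children.get(pid, []) if c not in path]
        if not nxt:
            paths.append([f"{p}:{names[p]}" for p in path])
        for c in nxt:
            walk(c, path + [c])

    walk(root, [root])
    return paths


def persistence_from_registry(event):
    """Extract the Policies\\Explorer\\Run value the payload writes for persistence."""
    m = PERSISTENCE_RE.search(event)
    if not m:
        return None
    # The report escapes backslashes inside the quoted data; undo that.
    return {"key": m.group(1), "value_name": m.group(2),
            "command": m.group(3).replace("\\\\", "\\")}


def classify_cmdline(cmdline, sample_path):
    """Label a cmd.exe line: staging a browser credential DB, or deleting the dropper."""
    m = COPY_RE.search(cmdline)
    if m and m.group(1).lower().endswith(r"\login data"):
        return {"verdict": "browser_credential_theft",
                "source": m.group(1), "staged_copy": m.group(2)}
    m = DEL_RE.search(cmdline)
    if m and m.group(1).lower() == sample_path.lower():
        return {"verdict": "dropper_self_delete", "target": m.group(1)}
    return {"verdict": "other"}


def triage(root_pid=3184):
    """Everything a responder wants from the report, as one structure."""
    edges = parse_edges(INJECTION_EVENTS)
    return {
        "injection_paths": injection_paths(edges, root_pid),
        "persistence": persistence_from_registry(REGISTRY_EVENT),
        "commands": [classify_cmdline(c, SAMPLE_PATH) for c in COMMAND_LINES],
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Run stand-alone it prints the result as JSON. The two `injection_paths` make the hollowing visible at a glance: the parent ScanPMT.exe (3184) writes and re-contexts its own child (2560), the child injects Explorer.EXE (2604), the injected Explorer writes the SysWOW64 svchost.exe (2916), and that svchost both re-injects Explorer and spawns the two cmd.exe children that delete the dropper and stage Chrome's Login Data. The persistence entry is the `Policies\Explorer\Run` value, which is the key to check on a suspected host since it is not the ordinary HKCU/HKLM Run key most quick triage scripts look at.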
Downloads
-
file | Filesize
memory/216-149-0x0000000000000000-mapping.dmp |
memory/2560-136-0x0000000000000000-mapping.dmp |
memory/2560-137-0x0000000000400000-0x000000000042D000-memory.dmp | 180KB
memory/2560-139-0x00000000015A0000-0x00000000018EA000-memory.dmp | 3.3MB
memory/2560-140-0x0000000001030000-0x0000000001044000-memory.dmp | 80KB
memory/2604-148-0x0000000002EB0000-0x0000000003030000-memory.dmp | 1.5MB
memory/2604-141-0x0000000002D60000-0x0000000002E27000-memory.dmp | 796KB
memory/2916-145-0x0000000000330000-0x000000000035D000-memory.dmp | 180KB
memory/2916-147-0x0000000001200000-0x0000000001293000-memory.dmp | 588KB
memory/2916-146-0x0000000000B50000-0x0000000000E9A000-memory.dmp | 3.3MB
memory/2916-144-0x0000000000F40000-0x0000000000F4E000-memory.dmp | 56KB
memory/2916-142-0x0000000000000000-mapping.dmp |
memory/3184-134-0x0000000007890000-0x000000000789A000-memory.dmp | 40KB
memory/3184-135-0x0000000007BF0000-0x0000000007C46000-memory.dmp | 344KB
memory/3184-130-0x0000000000960000-0x0000000000A22000-memory.dmp | 776KB
memory/3184-133-0x0000000007980000-0x0000000007A12000-memory.dmp | 584KB
memory/3184-132-0x0000000007F30000-0x00000000084D4000-memory.dmp | 5.6MB
memory/3184-131-0x00000000078E0000-0x000000000797C000-memory.dmp | 624KB
memory/3840-143-0x0000000000000000-mapping.dmp |