Overview

overview

10

Static

static

P.O-119370.QDT.js

windows7_x64

10

P.O-119370.QDT.js

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-07-2022 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    P.O-119370.QDT.js

  • Size

    372KB

  • MD5

    2cf2b9a9a03292d7733f06e49cb29e11

  • SHA1

    608d9f8a14814a4fabf64b2ee48a0f9b1278bbd2

  • SHA256

    d2bdd71059b32be6cdf3fde2ff853b1dcb0f131568e983d625aed7007afd1850

  • SHA512

    c7680a9137360da375ad234957a1736634d2b9c68def8bc9223854a0339c961855819de74d9ba05d5c0df36160d20b9fa98885c8d4ed5c9b5017a1df036a54de

Score
10/10
formbookxloaderloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata
  • Xloader Payload 6 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\P.O-119370.QDT.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3804
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FuRyoeswyz.js"
      2⤵
        PID:3624
      • C:\Users\Admin\AppData\Local\Temp\mich.exe
        "C:\Users\Admin\AppData\Local\Temp\mich.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Program Files directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\systray.exe
        "C:\Windows\SysWOW64\systray.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\mich.exe"
          3⤵
            PID:2868
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:3560
          • C:\Program Files (x86)\A4h7xefg\configelzl0rw.exe
            "C:\Program Files (x86)\A4h7xefg\configelzl0rw.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2456

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\A4h7xefg\configelzl0rw.exe
          Filesize

          176KB

          MD5

          1fc7c4722c38fc29370e0269923e0300

          SHA1

          00afe50634a01a27a0d6c016bb2234798b80d0bc

          SHA256

          62a159f3419411b25c59be1648c95f5798c1936a6ab081003c9f60f2bddb6a57

          SHA512

          4445835f602cc6c0a7ad75d7765e95e31e13684129ed67009c8ecb9a01db1e6e6e59c231cd2c53eaa8c5f181323c265a450325069b40d8cb851fb1faa8d1ef62

          Download Submit
        • C:\Program Files (x86)\A4h7xefg\configelzl0rw.exe
          Filesize

          176KB

          MD5

          1fc7c4722c38fc29370e0269923e0300

          SHA1

          00afe50634a01a27a0d6c016bb2234798b80d0bc

          SHA256

          62a159f3419411b25c59be1648c95f5798c1936a6ab081003c9f60f2bddb6a57

          SHA512

          4445835f602cc6c0a7ad75d7765e95e31e13684129ed67009c8ecb9a01db1e6e6e59c231cd2c53eaa8c5f181323c265a450325069b40d8cb851fb1faa8d1ef62

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\mich.exe
          Filesize

          176KB

          MD5

          1fc7c4722c38fc29370e0269923e0300

          SHA1

          00afe50634a01a27a0d6c016bb2234798b80d0bc

          SHA256

          62a159f3419411b25c59be1648c95f5798c1936a6ab081003c9f60f2bddb6a57

          SHA512

          4445835f602cc6c0a7ad75d7765e95e31e13684129ed67009c8ecb9a01db1e6e6e59c231cd2c53eaa8c5f181323c265a450325069b40d8cb851fb1faa8d1ef62

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\mich.exe
          Filesize

          176KB

          MD5

          1fc7c4722c38fc29370e0269923e0300

          SHA1

          00afe50634a01a27a0d6c016bb2234798b80d0bc

          SHA256

          62a159f3419411b25c59be1648c95f5798c1936a6ab081003c9f60f2bddb6a57

          SHA512

          4445835f602cc6c0a7ad75d7765e95e31e13684129ed67009c8ecb9a01db1e6e6e59c231cd2c53eaa8c5f181323c265a450325069b40d8cb851fb1faa8d1ef62

          Download Submit
        • C:\Users\Admin\AppData\Roaming\FuRyoeswyz.js
          Filesize

          18KB

          MD5

          41236d778eba797fbbee9ccf91ab6867

          SHA1

          438bc929b4a439ec5eda7b897b3356a9dbb73acb

          SHA256

          aebc5a943fee52e41ffbf2aeacb6ad1ab5b16ba4cbea53039f98834e6c25ddeb

          SHA512

          65169a40903876982f1abc4141d39a6c9b5a3f9b3d95091edc9bc19e3ea011077bbebce9447a8ca48b26dd32463a15948ba24d3a773e88d14cdf56feb3191496

          Download Submit
        • memory/1732-132-0x0000000000000000-mapping.dmp
          Download
        • memory/1732-135-0x00000000010B0000-0x00000000013FA000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/1732-136-0x0000000001070000-0x0000000001081000-memory.dmp
          Filesize

          68KB

          Download
        • memory/1904-140-0x0000000000670000-0x0000000000676000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1904-141-0x0000000002CA0000-0x0000000002FEA000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/1904-142-0x0000000000D00000-0x0000000000D2C000-memory.dmp
          Filesize

          176KB

          Download
        • memory/1904-143-0x0000000002A00000-0x0000000002A90000-memory.dmp
          Filesize

          576KB

          Download
        • memory/1904-145-0x0000000000D00000-0x0000000000D2C000-memory.dmp
          Filesize

          176KB

          Download
        • memory/1904-138-0x0000000000000000-mapping.dmp
          Download
        • memory/2456-147-0x0000000000000000-mapping.dmp
          Download
        • memory/2456-150-0x0000000001830000-0x0000000001B7A000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2604-144-0x0000000002890000-0x000000000296E000-memory.dmp
          Filesize

          888KB

          Download
        • memory/2604-146-0x0000000002890000-0x000000000296E000-memory.dmp
          Filesize

          888KB

          Download
        • memory/2604-137-0x00000000084E0000-0x000000000867E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/2868-139-0x0000000000000000-mapping.dmp
          Download
        • memory/3624-130-0x0000000000000000-mapping.dmp
          Download