Overview

overview

10

Static

static

400000.Ins...il.exe

windows7_x64

10

400000.Ins...il.exe

windows10-2004_x64

10

Resubmissions

06-07-2022 16:55

220706-ve9wxsfafp 10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 16:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    400000.InstallUtil.exe

  • Size

    180KB

  • MD5

    fe24b17cba6092bd2da1e5a172a33846

  • SHA1

    df46ed6222eee121dd697e4ff6c7bab3d077c4cf

  • SHA256

    cd375b3eeffbdb97aaaaa7d568e04c92ecb76d99c43894c291c31c24dd0f4e98

  • SHA512

    ba8852dbf1cdb30fcc84b97e12b629f3229d83f2d1217ba172917059bc33e9c4227067e13e42346248f33f047cb04632599d2cdcbb96c4fff36aca028553c40b

Score
10/10
formbookpersistencespywarestealersuricatatrojan

Malware Config

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Local\Temp\400000.InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\400000.InstallUtil.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:3296
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\400000.InstallUtil.exe"
        3⤵
          PID:3020
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:2972
        • C:\Program Files (x86)\Qqz74lloh\rrd0pllhizx.exe
          "C:\Program Files (x86)\Qqz74lloh\rrd0pllhizx.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4712

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Qqz74lloh\rrd0pllhizx.exe
        Filesize

        180KB

        MD5

        fe24b17cba6092bd2da1e5a172a33846

        SHA1

        df46ed6222eee121dd697e4ff6c7bab3d077c4cf

        SHA256

        cd375b3eeffbdb97aaaaa7d568e04c92ecb76d99c43894c291c31c24dd0f4e98

        SHA512

        ba8852dbf1cdb30fcc84b97e12b629f3229d83f2d1217ba172917059bc33e9c4227067e13e42346248f33f047cb04632599d2cdcbb96c4fff36aca028553c40b

        Download Submit
      • C:\Program Files (x86)\Qqz74lloh\rrd0pllhizx.exe
        Filesize

        180KB

        MD5

        fe24b17cba6092bd2da1e5a172a33846

        SHA1

        df46ed6222eee121dd697e4ff6c7bab3d077c4cf

        SHA256

        cd375b3eeffbdb97aaaaa7d568e04c92ecb76d99c43894c291c31c24dd0f4e98

        SHA512

        ba8852dbf1cdb30fcc84b97e12b629f3229d83f2d1217ba172917059bc33e9c4227067e13e42346248f33f047cb04632599d2cdcbb96c4fff36aca028553c40b

        Download Submit
      • memory/384-132-0x0000000002B40000-0x0000000002C22000-memory.dmp
        Filesize

        904KB

        Download
      • memory/384-141-0x0000000008370000-0x000000000844B000-memory.dmp
        Filesize

        876KB

        Download
      • memory/384-140-0x0000000008370000-0x000000000844B000-memory.dmp
        Filesize

        876KB

        Download
      • memory/3020-134-0x0000000000000000-mapping.dmp
        Download
      • memory/3296-130-0x0000000000FB0000-0x00000000012FA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3296-131-0x0000000000910000-0x0000000000921000-memory.dmp
        Filesize

        68KB

        Download
      • memory/4136-138-0x0000000001830000-0x00000000018C0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/4136-139-0x00000000012E0000-0x000000000130D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4136-137-0x0000000001AE0000-0x0000000001E2A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4136-135-0x0000000000E90000-0x0000000000E9A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4136-136-0x00000000012E0000-0x000000000130D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4136-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4712-142-0x0000000000000000-mapping.dmp
        Download
      • memory/4712-145-0x00000000018D0000-0x0000000001C1A000-memory.dmp
        Filesize

        3.3MB

        Download