Overview

overview

10

Static

static

New_PI.exe

windows7-x64

1

New_PI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-08-2022 09:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New_PI.exe

  • Size

    715KB

  • MD5

    484023caa63a03b4f0483b62ecf09e2a

  • SHA1

    064718bb184f76e999e4978812c9913973db5ea2

  • SHA256

    aaad3f9720410e623a7081b425f1eb39fa230cfe90b0e5c6991ba17fc9d15cd0

  • SHA512

    fe82ec2f1fb1e7e1a80861c18c60899a591815f6739de40d3fea79b9ca1548239ee524f46d2f600861b2337704aeefcc7fd1cd3d416173743a7e0aae746e581e

Score
10/10
formbookmodiloadere2e7persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

e2e7

Decoy

spicepano.site

17045.uk

pjkai.com

needamarketer.com

transformingjustice.report

westsideoccupationaltherapy.com

myhealthtrackr.com

happyfeetboca.com

goldenretrievertube.com

aresdevgroup.com

dosedspray.life

moxtun.online

togelmimpi.com

cdhkh.com

immagineallthe.com

stori-game.com

eco-tanques.com

thesagesky.com

aliaaestheticsllc.com

nayadesert-marrakech.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Formbook payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Users\Admin\AppData\Local\Temp\New_PI.exe
      "C:\Users\Admin\AppData\Local\Temp\New_PI.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:4188
      • C:\Windows\SysWOW64\control.exe
        "C:\Windows\SysWOW64\control.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\SysWOW64\cmd.exe"
          3⤵
            PID:772

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/772-194-0x0000000000000000-mapping.dmp
        Download
      • memory/2020-191-0x0000000000000000-mapping.dmp
        Download
      • memory/2020-196-0x0000000002250000-0x00000000022E3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/2020-198-0x0000000000350000-0x000000000037F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2020-195-0x00000000023B0000-0x00000000026FA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2020-193-0x0000000000350000-0x000000000037F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2020-192-0x00000000002C0000-0x00000000002E7000-memory.dmp
        Filesize

        156KB

        Download
      • memory/2124-145-0x0000000000000000-mapping.dmp
        Download
      • memory/2124-189-0x0000000001020000-0x0000000001034000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2124-187-0x0000000050410000-0x000000005043F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2124-188-0x0000000001610000-0x000000000195A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2620-190-0x00000000078D0000-0x0000000007A70000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2620-197-0x0000000002A60000-0x0000000002BAE000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2620-199-0x0000000002A60000-0x0000000002BAE000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/4128-147-0x0000000050410000-0x000000005043F000-memory.dmp
        Filesize

        188KB

        Download