Overview

overview

10

Static

static

10

33.exe

windows10-2004-x64

10

34.exe

windows10-2004-x64

10

35.exe

windows10-2004-x64

10

36.exe

windows10-2004-x64

10

37.exe

windows10-2004-x64

10

38.exe

windows10-2004-x64

10

39.exe

windows10-2004-x64

10

40.exe

windows10-2004-x64

10

41.exe

windows10-2004-x64

10

42.exe

windows10-2004-x64

10

43.exe

windows10-2004-x64

10

44.exe

windows10-2004-x64

10

45.exe

windows10-2004-x64

10

46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-09-2022 03:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38.exe

  • Size

    176KB

  • MD5

    8d832564ccf944aa80614078e59afca3

  • SHA1

    0eb7785515b2acc2c35fd4ec7b822fe97ef884b9

  • SHA256

    71d20cb55abb01e4cdb1d2f7a5e61f6048c34079970d5850b785386ca53c7c1a

  • SHA512

    c5a1a9acb1da0d57b057e0a1a8141b21f209d50ed838e03ee904364255e4889beaea43173e65d1188cd8057c6ac25f43328f0ba181e7ee34c8b49c34aa41bfc9

  • SSDEEP

    3072:xrtRM59Srdxq5+HIbTS4WGRbQ/0oqcMisygnrs4oEV4oyDaShxt/RZG0TQh/mxrC:9I596dYoo3SYbQMogyUY4hV4oyDa87Zi

Score
10/10
formbookxloaderloaderpersistenceratspywarestealertrojan

Malware Config

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 2 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\AppData\Local\Temp\38.exe
      "C:\Users\Admin\AppData\Local\Temp\38.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:5016
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\38.exe"
        3⤵
          PID:4616
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:3116

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2556-134-0x0000000008940000-0x0000000008AC5000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2556-141-0x0000000008AD0000-0x0000000008BEF000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2556-143-0x0000000008AD0000-0x0000000008BEF000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/4616-138-0x0000000000000000-mapping.dmp
        Download
      • memory/4632-135-0x0000000000000000-mapping.dmp
        Download
      • memory/4632-136-0x0000000000E50000-0x0000000001283000-memory.dmp
        Filesize

        4.2MB

        Download
      • memory/4632-137-0x0000000000940000-0x000000000096C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/4632-139-0x0000000002F80000-0x00000000032CA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4632-140-0x0000000002D20000-0x0000000002DB0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/4632-142-0x0000000000940000-0x000000000096C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/5016-132-0x0000000000F80000-0x00000000012CA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5016-133-0x00000000009B0000-0x00000000009C1000-memory.dmp
        Filesize

        68KB

        Download