Overview

overview

10

Static

static

PMP-INS-93...17.exe

windows7-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2022 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PMP-INS-93-2436-IN-1017.exe

  • Size

    265KB

  • MD5

    a0a1f5ff78c714b094a5fb386e02a7a3

  • SHA1

    10fd01e713a5b96d19fd636e646f231bdb059bf1

  • SHA256

    187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f

  • SHA512

    6db4734f3b1f13f4ad87dd3b604a8c6b37698e7b788604d53fd42a3cf0af9155c96f54ce5d2651ba2f905a385eddf0c57284bda0078bba4ad5f71adde9e05fe2

  • SSDEEP

    6144:xNeZBEmUT5ohIP1DT1SDLiXoina7ZnkOnIhB:xN+BI5yWHOiXlKkHB

Score
10/10
formbookfkkuratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

fkku

Decoy

ItLUfbYmkw6ODl8lnvwkR/8=

oUKMUSjydqzVWxG/CqjK3ngAhQ==

HB9lfRtFwT/XlJ9Lxw==

hBYXuorq7a3WwPq1NSezCMStlQ==

ciRqfQbLgwx/+e2rLqTZ8oMLc2LYY4o=

9vb76Nc8JzKlj4YEQyPAx2dx86U=

fB9041xJgwl1

ND8juoNyH6x5XqlZ2Q==

QEaot04y8XLjFOBp1Cg=

SG6vmdmmpmFmDosczg==

WWCorUT756r1F+aD3cd7Cij6nSFQ

Yl63zVL2NnFph44XcKkiP/k=

s2RfFNOd3fuBEJNZ2ig=

u1p6Ucr2uCketwGD

0vD8lFkSfRCHEJdebbrb

qzlqgxrsrDRmDosczg==

H5aTYXc2rHXjzQ==

S/pFbexYx0S+Ex7SN5rC

9kOIkRTWkA136nA2Ua/R

ojOElJ50E1N40ZNanCbEZw==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\PMP-INS-93-2436-IN-1017.exe
      "C:\Users\Admin\AppData\Local\Temp\PMP-INS-93-2436-IN-1017.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe
        "C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe
          "C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe"
          4⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1360
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1228
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
          PID:320
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\Desktop\CompleteCopy.cmd" "
          2⤵
            PID:1800
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x514
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:860

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Command-Line Interface

        1
        T1059

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        4
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ryaxdj.tz
          Filesize

          4KB

          MD5

          58661627bbc5a0309c8c80c5886b2c78

          SHA1

          74a8ce5fa8a70b5493ede45a71df09bfe05d50b4

          SHA256

          5332de813671b1190f3d39ab8e2a0342823563c9626137015e970e832fa7bc98

          SHA512

          f515c00e50366c39a80b3097b1d197bf3f8cd426c5c6699e70ce3e77471f91ffc93540188afd9d25e088f13a0e4bd07cedf9ead39d79a34942ec785d9a1a4c35

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\vkyytyjpxe.df
          Filesize

          185KB

          MD5

          2045e2fba3e4e549f31ada7008b2af16

          SHA1

          f97571e97a60f39be18af949c0971ccaaa88ef2e

          SHA256

          c6b1b5674d75f753f483c25c44eb2c90e0a348372cf4ebcf5fb2cb57304bc239

          SHA512

          b93ac0f34b23b809ff146cf42cb2b04a761ffaf3b48f3dcd45e1fc93ea5cf2bd46dd69d180e61a2c59742637b6079b32c5790ddfd100c0cb33854542a88251ac

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe
          Filesize

          74KB

          MD5

          08b101029a510d1467056305f8bda101

          SHA1

          938d534e3584b132ece92f01e0089304b9587803

          SHA256

          3d897c1632a6234082cafef209af7ddb9f91a0af33b03e6d004e153a54d622c0

          SHA512

          631cc7c7a08b9492661983200ecc9b96c2d958d756808ed8b5b431a1a29ec92d360866c41c5d8307a3d185bcdedb4e66d661ec812d47d1ae057013a8cbc0ccbd

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe
          Filesize

          74KB

          MD5

          08b101029a510d1467056305f8bda101

          SHA1

          938d534e3584b132ece92f01e0089304b9587803

          SHA256

          3d897c1632a6234082cafef209af7ddb9f91a0af33b03e6d004e153a54d622c0

          SHA512

          631cc7c7a08b9492661983200ecc9b96c2d958d756808ed8b5b431a1a29ec92d360866c41c5d8307a3d185bcdedb4e66d661ec812d47d1ae057013a8cbc0ccbd

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe
          Filesize

          74KB

          MD5

          08b101029a510d1467056305f8bda101

          SHA1

          938d534e3584b132ece92f01e0089304b9587803

          SHA256

          3d897c1632a6234082cafef209af7ddb9f91a0af33b03e6d004e153a54d622c0

          SHA512

          631cc7c7a08b9492661983200ecc9b96c2d958d756808ed8b5b431a1a29ec92d360866c41c5d8307a3d185bcdedb4e66d661ec812d47d1ae057013a8cbc0ccbd

          Download Submit
        • \Users\Admin\AppData\Local\Temp\sqlite3.dll
          Filesize

          932KB

          MD5

          661fd92d4eaeea3740649af5a484d7c8

          SHA1

          c93f868890fee1475f8ec9e7607e26f5dce67d54

          SHA256

          58a478f0560ea22c1bc194263f07cf6f3ecfe47d0c8b534a7bba185f28a1141f

          SHA512

          1fac03c20139fde41d121e0adbd02d127261ce061509996087fc1c80baf2fe0d0f70fed6b83d38a85cfa2e07d038ff809161c7ecce31ec44ac8b89740d3db15d

          Download Submit
        • \Users\Admin\AppData\Local\Temp\xscfbjx.exe
          Filesize

          74KB

          MD5

          08b101029a510d1467056305f8bda101

          SHA1

          938d534e3584b132ece92f01e0089304b9587803

          SHA256

          3d897c1632a6234082cafef209af7ddb9f91a0af33b03e6d004e153a54d622c0

          SHA512

          631cc7c7a08b9492661983200ecc9b96c2d958d756808ed8b5b431a1a29ec92d360866c41c5d8307a3d185bcdedb4e66d661ec812d47d1ae057013a8cbc0ccbd

          Download Submit
        • \Users\Admin\AppData\Local\Temp\xscfbjx.exe
          Filesize

          74KB

          MD5

          08b101029a510d1467056305f8bda101

          SHA1

          938d534e3584b132ece92f01e0089304b9587803

          SHA256

          3d897c1632a6234082cafef209af7ddb9f91a0af33b03e6d004e153a54d622c0

          SHA512

          631cc7c7a08b9492661983200ecc9b96c2d958d756808ed8b5b431a1a29ec92d360866c41c5d8307a3d185bcdedb4e66d661ec812d47d1ae057013a8cbc0ccbd

          Download Submit
        • memory/320-72-0x0000000000000000-mapping.dmp
          Download
        • memory/320-73-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/764-74-0x0000000000A20000-0x0000000000AAF000-memory.dmp
          Filesize

          572KB

          Download
        • memory/764-70-0x0000000000080000-0x00000000000AD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/764-76-0x0000000000080000-0x00000000000AD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/764-68-0x0000000000000000-mapping.dmp
          Download
        • memory/764-71-0x0000000002270000-0x0000000002573000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/764-69-0x0000000000CD0000-0x0000000000CD9000-memory.dmp
          Filesize

          36KB

          Download
        • memory/1168-54-0x00000000760E1000-0x00000000760E3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1304-67-0x0000000006960000-0x0000000006ADE000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1304-75-0x0000000006B60000-0x0000000006C99000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1304-78-0x0000000006B60000-0x0000000006C99000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1360-65-0x0000000000A40000-0x0000000000D43000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1360-64-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/1360-62-0x00000000004012B0-mapping.dmp
          Download
        • memory/1360-66-0x00000000000B0000-0x00000000000C0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1628-56-0x0000000000000000-mapping.dmp
          Download
        • memory/1800-80-0x0000000000000000-mapping.dmp
          Download