Analysis

  • max time kernel
    154s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-12-2022 11:51

General

  • Target

    0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe

  • Size

    694KB

  • MD5

    5113abb28878ff293661fc23685a48bf

  • SHA1

    175aa3169fe7112cead1a550dd702c552bbe832c

  • SHA256

    0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10

  • SHA512

    c4e447cba8dafa4f9744e09a2bbd39b1c59025f1d2f5cf879f0fbae121779a56e42174580cfbd760c48e55a5c997cdec96d1189a4724ff4a6f06d3632dda780f

  • SSDEEP

    12288:RIn+H+LD9IlljoZ9bQGhQwDZF4J40l+BrNGqWOl1u/OfzgYWvwddkydK4akFXRyy:RILOHjoDQGhHQ40loJGts42fz4YTkydp

Malware Config

Extracted

Family

formbook

Campaign

pgnt

Decoy


Extracted

Family

xloader

Version

3.�E

Campaign

pgnt

Decoy


Signatures

  • Formbook

    Formbook is an information-stealing malware family (infostealer).

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe
      "C:\Users\Admin\AppData\Local\Temp\0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        PID:4904
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        PID:3580
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4652
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:1076

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2444-133-0x00007FFAAED70000-0x00007FFAAF831000-memory.dmp (Filesize 10.8MB)
  • memory/2444-137-0x00007FFAAED70000-0x00007FFAAF831000-memory.dmp (Filesize 10.8MB)
  • memory/2444-132-0x00000253222C0000-0x0000025322374000-memory.dmp (Filesize 720KB)
  • memory/3052-144-0x0000000007EF0000-0x0000000007FFE000-memory.dmp (Filesize 1.1MB)
  • memory/3052-154-0x0000000008000000-0x0000000008143000-memory.dmp (Filesize 1.3MB)
  • memory/3052-152-0x0000000008000000-0x0000000008143000-memory.dmp (Filesize 1.3MB)
  • memory/4588-149-0x0000000000BD0000-0x0000000000BFD000-memory.dmp (Filesize 180KB)
  • memory/4588-148-0x00000000005F0000-0x000000000064A000-memory.dmp (Filesize 360KB)
  • memory/4588-153-0x0000000000BD0000-0x0000000000BFD000-memory.dmp (Filesize 180KB)
  • memory/4588-151-0x0000000001580000-0x000000000160F000-memory.dmp (Filesize 572KB)
  • memory/4588-150-0x0000000001760000-0x0000000001AAA000-memory.dmp (Filesize 3.3MB)
  • memory/4588-145-0x0000000000000000-mapping.dmp
  • memory/4652-139-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize 184KB)
  • memory/4652-147-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize 184KB)
  • memory/4652-146-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
  • memory/4652-138-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
  • memory/4652-141-0x0000000001590000-0x00000000018DA000-memory.dmp (Filesize 3.3MB)
  • memory/4652-142-0x0000000000422000-0x0000000000424000-memory.dmp (Filesize 8KB)
  • memory/4652-135-0x00000000004012B0-mapping.dmp
  • memory/4652-143-0x0000000001110000-0x0000000001120000-memory.dmp (Filesize 64KB)
  • memory/4652-134-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)