Overview

overview

10

Static

static

3

Purchase Order.exe

windows7-x64

10

Purchase Order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2024 05:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order.exe

  • Size

    1.2MB

  • MD5

    4dd9b0d139a7c9618fa5344e6b1387f8

  • SHA1

    53138f14140eb1c253e7985b8385e3853e5a5ac8

  • SHA256

    73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba

  • SHA512

    754b31faed9881071816f2f6a1cd1ae71cae4c0b0590dc22e44211fc2c33d436e62e0b9ac28881284f1e176bdc8ec414db165776391dfa7ba238baa301465ed3

  • SSDEEP

    24576:tdbfh8PGaONqv3Dp2E4xGREkcMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM+MMMMK:vyPGaOgNfREkcMMMMMMMMMMMMMMMMMM+

Score
10/10
formbookcmddiscoveryevasionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cmd

Decoy

marksmanrealestate.com

weeiter.com

dimody.com

tufftech.pro

romber.info

2theothercurb.com

maskibeauty.com

kreativedough.com

adanacatering.com

wordzninja.com

testxyy.xyz

lifeafterbobby.com

sunsageherbs.com

dentoncountyattorneys.media

18176732933.com

fjhgllnrz.icu

cryptobankcustody.com

theinternetproducer.com

motinik.com

getcatickets.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OtKlDrIky" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B8D.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1216
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1932
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:1924
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:2384
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:2784
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:536
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:604
              • C:\Windows\SysWOW64\autochk.exe
                "C:\Windows\SysWOW64\autochk.exe"
                2⤵
                  PID:2796
                • C:\Windows\SysWOW64\autochk.exe
                  "C:\Windows\SysWOW64\autochk.exe"
                  2⤵
                    PID:1792
                  • C:\Windows\SysWOW64\autochk.exe
                    "C:\Windows\SysWOW64\autochk.exe"
                    2⤵
                      PID:2052
                    • C:\Windows\SysWOW64\autochk.exe
                      "C:\Windows\SysWOW64\autochk.exe"
                      2⤵
                        PID:2352
                      • C:\Windows\SysWOW64\autochk.exe
                        "C:\Windows\SysWOW64\autochk.exe"
                        2⤵
                          PID:1448
                        • C:\Windows\SysWOW64\autochk.exe
                          "C:\Windows\SysWOW64\autochk.exe"
                          2⤵
                            PID:1000
                          • C:\Windows\SysWOW64\autochk.exe
                            "C:\Windows\SysWOW64\autochk.exe"
                            2⤵
                              PID:1064
                            • C:\Windows\SysWOW64\autochk.exe
                              "C:\Windows\SysWOW64\autochk.exe"
                              2⤵
                                PID:2416
                              • C:\Windows\SysWOW64\autochk.exe
                                "C:\Windows\SysWOW64\autochk.exe"
                                2⤵
                                  PID:276
                                • C:\Windows\SysWOW64\autochk.exe
                                  "C:\Windows\SysWOW64\autochk.exe"
                                  2⤵
                                    PID:2600
                                  • C:\Windows\SysWOW64\autochk.exe
                                    "C:\Windows\SysWOW64\autochk.exe"
                                    2⤵
                                      PID:2252
                                    • C:\Windows\SysWOW64\autochk.exe
                                      "C:\Windows\SysWOW64\autochk.exe"
                                      2⤵
                                        PID:2520
                                      • C:\Windows\SysWOW64\autochk.exe
                                        "C:\Windows\SysWOW64\autochk.exe"
                                        2⤵
                                          PID:1624
                                        • C:\Windows\SysWOW64\autochk.exe
                                          "C:\Windows\SysWOW64\autochk.exe"
                                          2⤵
                                            PID:1884
                                          • C:\Windows\SysWOW64\autochk.exe
                                            "C:\Windows\SysWOW64\autochk.exe"
                                            2⤵
                                              PID:2008
                                            • C:\Windows\SysWOW64\autochk.exe
                                              "C:\Windows\SysWOW64\autochk.exe"
                                              2⤵
                                                PID:1708
                                              • C:\Windows\SysWOW64\autochk.exe
                                                "C:\Windows\SysWOW64\autochk.exe"
                                                2⤵
                                                  PID:1644
                                                • C:\Windows\SysWOW64\autochk.exe
                                                  "C:\Windows\SysWOW64\autochk.exe"
                                                  2⤵
                                                    PID:1976
                                                  • C:\Windows\SysWOW64\autochk.exe
                                                    "C:\Windows\SysWOW64\autochk.exe"
                                                    2⤵
                                                      PID:712
                                                    • C:\Windows\SysWOW64\autochk.exe
                                                      "C:\Windows\SysWOW64\autochk.exe"
                                                      2⤵
                                                        PID:2764
                                                      • C:\Windows\SysWOW64\autochk.exe
                                                        "C:\Windows\SysWOW64\autochk.exe"
                                                        2⤵
                                                          PID:2800
                                                        • C:\Windows\SysWOW64\autochk.exe
                                                          "C:\Windows\SysWOW64\autochk.exe"
                                                          2⤵
                                                            PID:2792
                                                          • C:\Windows\SysWOW64\wlanext.exe
                                                            "C:\Windows\SysWOW64\wlanext.exe"
                                                            2⤵
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious behavior: MapViewOfSection
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:2872
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                              3⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1960

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Users\Admin\AppData\Local\Temp\tmp8B8D.tmp
                                                          Filesize

                                                          1KB

                                                          MD5

                                                          1165b1dab2d92d757a8ca0238a15480d

                                                          SHA1

                                                          57b6268535f894dff393a50f2256ef8f075b3fa9

                                                          SHA256

                                                          23d2940ab9f4fb53a3a36f6e4139457530ac5e37fdd6c3db325f9d26d7ee862e

                                                          SHA512

                                                          8c43c328d1253e90a78f77d0a1954c9519a285c27448667db609eb2ed154eca3a2f5c7e8240de5f71471dab4fad3ebc848644733ad100a94b6d73cadb44253c0

                                                          Download Submit

                                                        • memory/1188-25-0x0000000004DC0000-0x0000000004EC0000-memory.dmp

                                                          Filesize

                                                          1024KB

                                                          Download

                                                        • memory/1188-21-0x0000000004DC0000-0x0000000004EC0000-memory.dmp

                                                          Filesize

                                                          1024KB

                                                          Download

                                                        • memory/1932-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/1932-19-0x0000000000400000-0x000000000042E000-memory.dmp

                                                          Filesize

                                                          184KB

                                                          Download

                                                        • memory/1932-17-0x0000000000AC0000-0x0000000000DC3000-memory.dmp

                                                          Filesize

                                                          3.0MB

                                                          Download

                                                        • memory/1932-20-0x00000000002A0000-0x00000000002B4000-memory.dmp

                                                          Filesize

                                                          80KB

                                                          Download

                                                        • memory/1932-11-0x0000000000400000-0x000000000042E000-memory.dmp

                                                          Filesize

                                                          184KB

                                                          Download

                                                        • memory/1932-12-0x0000000000400000-0x000000000042E000-memory.dmp

                                                          Filesize

                                                          184KB

                                                          Download

                                                        • memory/1932-16-0x0000000000400000-0x000000000042E000-memory.dmp

                                                          Filesize

                                                          184KB

                                                          Download

                                                        • memory/2664-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/2664-3-0x0000000074D30000-0x000000007541E000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                          Download

                                                        • memory/2664-7-0x0000000005440000-0x0000000005486000-memory.dmp

                                                          Filesize

                                                          280KB

                                                          Download

                                                        • memory/2664-6-0x0000000000A80000-0x0000000000ADE000-memory.dmp

                                                          Filesize

                                                          376KB

                                                          Download

                                                        • memory/2664-22-0x0000000074D30000-0x000000007541E000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                          Download

                                                        • memory/2664-2-0x0000000000490000-0x000000000049A000-memory.dmp

                                                          Filesize

                                                          40KB

                                                          Download

                                                        • memory/2664-4-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/2664-5-0x0000000074D30000-0x000000007541E000-memory.dmp

                                                          Filesize

                                                          6.9MB

                                                          Download

                                                        • memory/2664-1-0x0000000000B80000-0x0000000000CB2000-memory.dmp

                                                          Filesize

                                                          1.2MB

                                                          Download

                                                        • memory/2872-23-0x0000000000CF0000-0x0000000000D06000-memory.dmp

                                                          Filesize

                                                          88KB

                                                          Download