Overview

overview

10

Static

static

3

PIsept2020.exe

windows7-x64

10

PIsept2020.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2024 06:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PIsept2020.exe

  • Size

    714KB

  • MD5

    7f63c36771bdf84fdcb80b1b6a8ce300

  • SHA1

    7e027829b30e9795006725712c5666f3ff54bdbe

  • SHA256

    cba7797f53633aeb00ed0c8418ee90e28b7fe7bc4e787521eef333ff6a67c627

  • SHA512

    198cabbf51817d47165c318b3308701ccce4b04ce88712d7984deeda2c52b4baf7bf75758d77a3ceba3c5e22689a8ced13c78322fa2d6a7f950f0bd966f2129f

  • SSDEEP

    12288:EsyixjQfJkrWEm0Zux8Y8nMdByNjolspgZRZu48Jcx0Ksz5XxM4Sh:EsyIjfo0Q6NnasNjoe2vf9x0Ko5Srh

Score
10/10
formbookwt6discoveryevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wt6

Decoy

mdjbjsc.com

twosparrowslsbusiness.com

captipe.info

spirtofafrica.com

teacher4today.com

d9masks.com

americanveteransparks.com

originvinylvermont.com

lifeguardboat.net

neynunescuritiba.com

4activelife.xyz

tiniytie.com

schirmenworld.com

nogbeter.com

bikerm.com

higherpurposeproject.com

melloband.com

cremgrs.com

chengyuanwai.com

multiplewealthsecrets.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Formbook payload 2 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Local\Temp\PIsept2020.exe
      "C:\Users\Admin\AppData\Local\Temp\PIsept2020.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Windows security modification
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
      • C:\Users\Admin\AppData\Local\Temp\PIsept2020.exe
        "C:\Users\Admin\AppData\Local\Temp\PIsept2020.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3344
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PIsept2020.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:372
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4564
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:3300

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    4
    T1112

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    5
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Virtualization/Sandbox Evasion

    2
    T1497

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\DB1
      Filesize

      40KB

      MD5

      a182561a527f929489bf4b8f74f65cd7

      SHA1

      8cd6866594759711ea1836e86a5b7ca64ee8911f

      SHA256

      42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

      SHA512

      9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0lgmyzc.mgn.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/540-6-0x00000000054C0000-0x00000000054CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/540-3-0x0000000005410000-0x00000000054A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/540-4-0x0000000005550000-0x00000000055EC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/540-5-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/540-2-0x00000000058D0000-0x0000000005E74000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/540-7-0x0000000005510000-0x0000000005518000-memory.dmp

      Filesize

      32KB

      Download

    • memory/540-8-0x000000007474E000-0x000000007474F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/540-9-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/540-10-0x0000000005F80000-0x0000000005FD6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/540-11-0x00000000064C0000-0x00000000064F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/540-1-0x0000000000AC0000-0x0000000000B78000-memory.dmp

      Filesize

      736KB

      Download

    • memory/540-60-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/540-0-0x000000007474E000-0x000000007474F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1652-32-0x0000000070140000-0x000000007018C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1652-49-0x0000000007B80000-0x0000000007C16000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1652-17-0x0000000005E80000-0x0000000005EE6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1652-18-0x0000000005FA0000-0x0000000006006000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1652-15-0x00000000056E0000-0x0000000005D08000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1652-28-0x0000000006010000-0x0000000006364000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1652-29-0x00000000065D0000-0x00000000065EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1652-30-0x0000000006610000-0x000000000665C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1652-31-0x0000000006BA0000-0x0000000006BD2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1652-14-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1652-33-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1652-44-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1652-43-0x0000000006C10000-0x0000000006C2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1652-45-0x00000000077D0000-0x0000000007873000-memory.dmp

      Filesize

      652KB

      Download

    • memory/1652-46-0x0000000007F40000-0x00000000085BA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1652-47-0x0000000007900000-0x000000000791A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1652-48-0x0000000007970000-0x000000000797A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1652-16-0x0000000005610000-0x0000000005632000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1652-50-0x0000000007B00000-0x0000000007B11000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1652-51-0x0000000007B30000-0x0000000007B3E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1652-52-0x0000000007B40000-0x0000000007B54000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1652-53-0x0000000007C40000-0x0000000007C5A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1652-54-0x0000000007C20000-0x0000000007C28000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1652-57-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1652-12-0x0000000005070000-0x00000000050A6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1652-13-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1884-66-0x0000000000740000-0x000000000074A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1884-67-0x0000000000740000-0x000000000074A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3344-61-0x0000000001540000-0x000000000188A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3344-64-0x0000000001020000-0x0000000001034000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3344-63-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3344-58-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3524-65-0x0000000004350000-0x00000000044A0000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3524-71-0x00000000086B0000-0x00000000087BE000-memory.dmp

      Filesize

      1.1MB

      Download