Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    07-05-2021 09:53

General

  • Target

    SecuriteInfo.com.Gen.Variant.Androm.29.27447.31261.msi

  • Size

    252KB

  • MD5

    2e8b3260047d829ba61205befbaf93fd

  • SHA1

    cc2a109e5faa29d3465c5262edbe2775e8da4bf7

  • SHA256

    1171bee7f280dad2201f6be582f08bf56771c54e4e0912964d93d320f4b1f32a

  • SHA512

    7b0d8d7bf7f08a2c6aa44bbee7da16322a0361df1f3254d31b5e5aa618aa57d9bf45ac296cab05746337f45b863e9f7efc57c3c6e25999e85bd1e4102e9a9964

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.craftsman-vail.com/cca/

Decoy

whenpigsflyhigh.com

artistiklounge.com

tinytrendstique.com

projektpartner-ag.com

charvelevh.com

easycompliances.net

zengheqiye.com

professionalmallorca.com

bonzerstudio.com

nelivo.com

yangxeric.com

aredntech.com

twincitieshousingmarket.com

allshadesunscreen.com

xiang-life.net

qmcp00011.com

lindsayeandmarkv.com

fbcsbvsbvsjbvjs.com

saveonthrivelife.com

newdpo.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family (information stealer).

  • Formbook Payload (2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext (3 IoCs)
  • Drops file in Windows directory (10 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer (6 IoCs)
  • Modifies data under HKEY_USERS (44 IoCs)
  • Suspicious behavior: EnumeratesProcesses (32 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SendNotifyMessage (4 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.27447.31261.msi
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1116
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1208
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:324
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1308
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:924
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1912
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1132
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Installer\MSI2242.tmp"
        3⤵
        PID:1464
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\Installer\MSI2242.tmp
      "C:\Windows\Installer\MSI2242.tmp"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\Installer\MSI2242.tmp
        "C:\Windows\Installer\MSI2242.tmp"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1748
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005B0" "000000000000049C"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\Installer\MSI2242.tmp

    MD5

    32b4cdd8df63b6e2fd06d9c3f70983e2

    SHA1

    56a0cb8f39d7740fa2eb4a3803b20235a9750eb4

    SHA256

    5432639b7cf4aff9b0511e5afa6ef16e5eff79cd7236562c15ea681973569f61

    SHA512

    b89c80661d1240df84a71c2c4bff66e86d41bcc61c9cc1263c0be2dbb64fbc0f7907468faf4098f7ae3eb8f6386aaab2a568747549431cbc7987eb95ba696bde

  • \Users\Admin\AppData\Local\Temp\nsi22ED.tmp\juw9gxx34fgqj.dll

    MD5

    c0903517afa29eb5aa5ce627b447f031

    SHA1

    b337659ad551e409836e5d51e161ae5b46269378

    SHA256

    4bd83d6b82767ff08aaade6bee60bdb5717b1462dac53997adf2ae831ae0f462

    SHA512

    5e086cbac7010f6a88ac7c2dfcd8dce6dcf1e459434fac1536424921660a7bb8390a14103821e6db007c3846907fb7dc904312fc25b1519e40215a754903656d

  • memory/1116-60-0x000007FEFC301000-0x000007FEFC303000-memory.dmp

    Filesize

    8KB

  • memory/1292-73-0x0000000004750000-0x0000000004859000-memory.dmp

    Filesize

    1.0MB

  • memory/1292-81-0x0000000006D00000-0x0000000006E0F000-memory.dmp

    Filesize

    1.1MB

  • memory/1464-79-0x0000000000000000-mapping.dmp

  • memory/1724-74-0x0000000000000000-mapping.dmp

  • memory/1724-80-0x0000000001DA0000-0x0000000001E33000-memory.dmp

    Filesize

    588KB

  • memory/1724-77-0x0000000000080000-0x00000000000AE000-memory.dmp

    Filesize

    184KB

  • memory/1724-78-0x0000000001F30000-0x0000000002233000-memory.dmp

    Filesize

    3.0MB

  • memory/1724-76-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/1772-71-0x0000000000770000-0x0000000000A73000-memory.dmp

    Filesize

    3.0MB

  • memory/1772-70-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1772-72-0x00000000003E0000-0x00000000003F4000-memory.dmp

    Filesize

    80KB

  • memory/1772-68-0x000000000041EB70-mapping.dmp

  • memory/2020-62-0x0000000000000000-mapping.dmp

  • memory/2020-67-0x00000000004B0000-0x00000000004B2000-memory.dmp

    Filesize

    8KB

  • memory/2020-64-0x00000000767B1000-0x00000000767B3000-memory.dmp

    Filesize

    8KB