Overview

overview

10

Static

static

8

SecuriteIn...88.msi

windows7_x64

10

SecuriteIn...88.msi

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    07-05-2021 16:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Gen.Variant.Androm.29.12612.8788.msi

  • Size

    252KB

  • MD5

    2a284fbd7e5e4f010e9322e93a238fde

  • SHA1

    1d4621ba747111332fd2f8c9bae67c5c44fc768a

  • SHA256

    c09b2348606b04620b185f4658474843eef3d9ec99ae70145a481b955d50aebf

  • SHA512

    3707c20b942b05e6146f2d4ec20dcd28f73bbb9b5ff279bbc599cd5365c4940aefba2d619dd842b0a4b7a6df16a28536462630f7dbe6a82e4918123eaa40d1d7

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.craftsman-vail.com/cca/

Decoy

whenpigsflyhigh.com

artistiklounge.com

tinytrendstique.com

projektpartner-ag.com

charvelevh.com

easycompliances.net

zengheqiye.com

professionalmallorca.com

bonzerstudio.com

nelivo.com

yangxeric.com

aredntech.com

twincitieshousingmarket.com

allshadesunscreen.com

xiang-life.net

qmcp00011.com

lindsayeandmarkv.com

fbcsbvsbvsjbvjs.com

saveonthrivelife.com

newdpo.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.12612.8788.msi
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1200
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Installer\MSI2158.tmp"
        3⤵
          PID:868
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\Installer\MSI2158.tmp
        "C:\Windows\Installer\MSI2158.tmp"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\Installer\MSI2158.tmp
          "C:\Windows\Installer\MSI2158.tmp"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1300
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005B0" "00000000000003D0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:656

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Installer\MSI2158.tmp
      MD5

      caccaec6ca54e341eb266b3b98978178

      SHA1

      e02d383072613e1e65a8991adc941b65a82f8be7

      SHA256

      20b92c186a1abf1b15f080ae6c7ec6e995c712158df4869827ecc8e1df9e9479

      SHA512

      838e18e94b8b6523feb2263475a238fceae6cb8703b69eb05a1ee3a8052389daf91b898fef692e51173c7fee7840b046663a808d556a75d6b62c431cb835cf0e

      Download Submit
    • C:\Windows\Installer\MSI2158.tmp
      MD5

      caccaec6ca54e341eb266b3b98978178

      SHA1

      e02d383072613e1e65a8991adc941b65a82f8be7

      SHA256

      20b92c186a1abf1b15f080ae6c7ec6e995c712158df4869827ecc8e1df9e9479

      SHA512

      838e18e94b8b6523feb2263475a238fceae6cb8703b69eb05a1ee3a8052389daf91b898fef692e51173c7fee7840b046663a808d556a75d6b62c431cb835cf0e

      Download Submit
    • C:\Windows\Installer\MSI2158.tmp
      MD5

      caccaec6ca54e341eb266b3b98978178

      SHA1

      e02d383072613e1e65a8991adc941b65a82f8be7

      SHA256

      20b92c186a1abf1b15f080ae6c7ec6e995c712158df4869827ecc8e1df9e9479

      SHA512

      838e18e94b8b6523feb2263475a238fceae6cb8703b69eb05a1ee3a8052389daf91b898fef692e51173c7fee7840b046663a808d556a75d6b62c431cb835cf0e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsx2212.tmp\0djwv1e4o91gu5.dll
      MD5

      b8efcf07411a1081f73080bd83f3bf1e

      SHA1

      b534be3372f363f2ae50be8fa8fd94fec8c0dae2

      SHA256

      7faeba7a3e10c3eccd92d119327a0d7e8b0aa99c7ca956326bff1c83ce011440

      SHA512

      3ba6a145c27d62f4d8cfea644945a86d1321e61e0677bae217cc5003f4fad486e56481354f8fd7c46aceea69c6f1824b8efbe17461e319a48940d8b63a53f79c

      Download Submit
    • memory/760-76-0x0000000000EF0000-0x0000000000F16000-memory.dmp
      Filesize

      152KB

      Download
    • memory/760-74-0x0000000000000000-mapping.dmp
      Download
    • memory/760-79-0x0000000000460000-0x00000000004F3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/760-78-0x0000000000B80000-0x0000000000E83000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/760-77-0x0000000000070000-0x000000000009E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/868-75-0x0000000000000000-mapping.dmp
      Download
    • memory/1200-60-0x000007FEFC221000-0x000007FEFC223000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1256-73-0x0000000006AD0000-0x0000000006C50000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1256-80-0x0000000006DB0000-0x0000000006F15000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1300-71-0x00000000006E0000-0x00000000009E3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1300-72-0x00000000002C0000-0x00000000002D4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1300-70-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1300-67-0x000000000041EB70-mapping.dmp
      Download
    • memory/1644-64-0x00000000768B1000-0x00000000768B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1644-69-0x0000000001BE0000-0x0000000001BE2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1644-62-0x0000000000000000-mapping.dmp
      Download