Overview

overview

10

Static

static

8

SecuriteIn...91.msi

windows7_x64

10

SecuriteIn...91.msi

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    112s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-05-2021 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Gen.Variant.Androm.29.9877.8691.msi

  • Size

    252KB

  • MD5

    e329a2ae51067a9ae8a508fb7dd34ca8

  • SHA1

    e2371038a5cac558e52297cb808ead02c2150c36

  • SHA256

    9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259

  • SHA512

    e76add738078a81d9465e0e9f40638dc385b9909428d684d5048ae3c6549de040012d8a2310f05e10e94cef4528d3e08490a96774dbb848003ef31f70886febc

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.9877.8691.msi
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:484
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Installer\MSI8EE9.tmp"
        3⤵
          PID:1224
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\Installer\MSI8EE9.tmp
        "C:\Windows\Installer\MSI8EE9.tmp"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\Installer\MSI8EE9.tmp
          "C:\Windows\Installer\MSI8EE9.tmp"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1636
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1796
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005A8" "000000000000005C"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:956

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Installer\MSI8EE9.tmp
      MD5

      d8a19f13154e81e9d526077422655453

      SHA1

      573e6aed1534203b36f9a8e5121c125b02e11b0f

      SHA256

      b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

      SHA512

      193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

      Download Submit
    • C:\Windows\Installer\MSI8EE9.tmp
      MD5

      d8a19f13154e81e9d526077422655453

      SHA1

      573e6aed1534203b36f9a8e5121c125b02e11b0f

      SHA256

      b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

      SHA512

      193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

      Download Submit
    • C:\Windows\Installer\MSI8EE9.tmp
      MD5

      d8a19f13154e81e9d526077422655453

      SHA1

      573e6aed1534203b36f9a8e5121c125b02e11b0f

      SHA256

      b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

      SHA512

      193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nss903F.tmp\3dd73lht.dll
      MD5

      df8beafa8d4250032a73e261c80e35e3

      SHA1

      3ced0abd9f02d24d79ede5052f661108b01df997

      SHA256

      a57717b0b91bb128761a4363d12cacd45431c7e512d5a8d307b40cf30e6a26da

      SHA512

      bf9fd7009e3c4919b2b230748c8f3795423b4e7e57d82d531a31682916dfb589c2df2b20320a51b532e21dec98ce597a4a80589ec5fa442417274661e1c9d1ce

      Download Submit
    • memory/484-59-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1196-79-0x0000000006050000-0x000000000614C000-memory.dmp
      Filesize

      1008KB

      Download
    • memory/1196-72-0x0000000004280000-0x000000000433C000-memory.dmp
      Filesize

      752KB

      Download
    • memory/1224-74-0x0000000000000000-mapping.dmp
      Download
    • memory/1404-76-0x0000000000080000-0x00000000000AE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1404-73-0x0000000000000000-mapping.dmp
      Download
    • memory/1404-77-0x0000000002150000-0x0000000002453000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1404-75-0x00000000002C0000-0x00000000002C7000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1404-78-0x0000000001F20000-0x0000000001FB3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1636-70-0x0000000000910000-0x0000000000C13000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1636-71-0x0000000000350000-0x0000000000364000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1636-67-0x000000000041EBB0-mapping.dmp
      Download
    • memory/1636-69-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1736-66-0x0000000000380000-0x0000000000382000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1736-63-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1736-61-0x0000000000000000-mapping.dmp
      Download