Overview

overview

10

Static

static

8

SecuriteIn...91.msi

windows7_x64

10

SecuriteIn...91.msi

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    07-05-2021 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Gen.Variant.Androm.29.9877.8691.msi

  • Size

    252KB

  • MD5

    e329a2ae51067a9ae8a508fb7dd34ca8

  • SHA1

    e2371038a5cac558e52297cb808ead02c2150c36

  • SHA256

    9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259

  • SHA512

    e76add738078a81d9465e0e9f40638dc385b9909428d684d5048ae3c6549de040012d8a2310f05e10e94cef4528d3e08490a96774dbb848003ef31f70886febc

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.9877.8691.msi
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3172
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Installer\MSI432B.tmp"
        3⤵
          PID:3736
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:348
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3528
      • C:\Windows\Installer\MSI432B.tmp
        "C:\Windows\Installer\MSI432B.tmp"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Windows\Installer\MSI432B.tmp
          "C:\Windows\Installer\MSI432B.tmp"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3520
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1336
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
      1⤵
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:1056

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    2
    T1120

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Installer\MSI432B.tmp
      MD5

      d8a19f13154e81e9d526077422655453

      SHA1

      573e6aed1534203b36f9a8e5121c125b02e11b0f

      SHA256

      b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

      SHA512

      193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

      Download Submit
    • C:\Windows\Installer\MSI432B.tmp
      MD5

      d8a19f13154e81e9d526077422655453

      SHA1

      573e6aed1534203b36f9a8e5121c125b02e11b0f

      SHA256

      b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

      SHA512

      193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

      Download Submit
    • C:\Windows\Installer\MSI432B.tmp
      MD5

      d8a19f13154e81e9d526077422655453

      SHA1

      573e6aed1534203b36f9a8e5121c125b02e11b0f

      SHA256

      b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

      SHA512

      193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      MD5

      f69927642f4fd62866696d4f6b581790

      SHA1

      8036cd0677d04d02088580f8397611b24fcb5e15

      SHA256

      0c9cb2d2f96acabe91bdd040f4f677226a795c8994fe92ddc9996b10aae8d25f

      SHA512

      613c0f27129b9baa6833fb0bdd3803a0e1b8c4a61e6e4fb97de82829fcafeb435dea9d2e42913e1a40a333cdcc1d9c68f32fee42217b3986ce1b4ac5801a32f3

      Download Submit
    • \??\Volume{266d1ca4-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{93580094-de29-4fcb-b2ce-21191f83b157}_OnDiskSnapshotProp
      MD5

      547e9e4200c6277aae5d0df8d09eea22

      SHA1

      ba6d074b70698c524f7463ef4ec17ca1a09f1194

      SHA256

      fe9d5c57604f8f5b2df434dcf1142d7060d6a7c87e4158f2851b8e28ae2644bb

      SHA512

      48065332d41c399b1ac2744a8b4846999c6c3a9f525484c396385cf2b504d69679b1eea731e3bbcceadd5571d69f38065ef5e37b6995302b93a7f46182bafd91

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nso44DF.tmp\3dd73lht.dll
      MD5

      df8beafa8d4250032a73e261c80e35e3

      SHA1

      3ced0abd9f02d24d79ede5052f661108b01df997

      SHA256

      a57717b0b91bb128761a4363d12cacd45431c7e512d5a8d307b40cf30e6a26da

      SHA512

      bf9fd7009e3c4919b2b230748c8f3795423b4e7e57d82d531a31682916dfb589c2df2b20320a51b532e21dec98ce597a4a80589ec5fa442417274661e1c9d1ce

      Download Submit
    • memory/3052-131-0x0000000002AD0000-0x0000000002BB6000-memory.dmp
      Filesize

      920KB

      Download
    • memory/3052-138-0x0000000006540000-0x0000000006668000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3204-119-0x0000000000000000-mapping.dmp
      Download
    • memory/3204-127-0x00000000023A0000-0x00000000023A2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3520-128-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3520-129-0x0000000000A50000-0x0000000000D70000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3520-130-0x00000000009F0000-0x0000000000A04000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3520-123-0x000000000041EBB0-mapping.dmp
      Download
    • memory/3528-118-0x0000000000000000-mapping.dmp
      Download
    • memory/3736-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3744-132-0x0000000000000000-mapping.dmp
      Download
    • memory/3744-134-0x00000000009E0000-0x00000000009FF000-memory.dmp
      Filesize

      124KB

      Download
    • memory/3744-135-0x0000000000570000-0x000000000059E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3744-136-0x00000000042B0000-0x00000000045D0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3744-137-0x0000000004130000-0x00000000041C3000-memory.dmp
      Filesize

      588KB

      Download