Overview

overview

10

Static

static

SecuriteIn...65.exe

windows7_x64

10

SecuriteIn...65.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    158s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 03:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.22665.exe

  • Size

    590KB

  • MD5

    e49800b715646a9d30281adb67eedc80

  • SHA1

    cde536845aa356ad2913f19145156a8289c999c6

  • SHA256

    262fb779ec6fd7c58573c11480f2293f7680b38d3b62eb9acea9d228ed0a2f09

  • SHA512

    df455c186e1a4c14d5bcd484ab18f97717887cbffe313abebbca8ed3f924492eab1f719b2e2fd4387a6e9ea99c119452c05de380d1daa4e8936fcd4a17eb408a

Score
10/10
formbookt19gratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t19g

Decoy

playstationspiele.com

cakesbyannal.com

racepin.space

anti-offender.com

magnetque.com

farragorealtybrokerage.com

khuludmohammed.com

v33696.com

84ggg.com

d440.com

soccersmarthome.com

ofthis.world

fivestaryardcards.com

lusyard.com

gghft.com

viajesfortur.com

rationalirrationality.com

hanaramenrestaurant.com

exactlycleanse.com

martensenargentina.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22665.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22665.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qEPKLo.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qEPKLo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3EC9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1528
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22665.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22665.exe"
      2⤵
        PID:2008
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22665.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22665.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4564

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3EC9.tmp
      Filesize

      1KB

      MD5

      c3fa64d19ff104e87cc157934a3d1949

      SHA1

      0edbf116df170b3cb7df7c61afcc3987a28d2edf

      SHA256

      13f04250008f7d61fe6ad7ba60e9e90a7c556bc44fc84127e202efecdac72a39

      SHA512

      e6f1f6629a175a86cb5f029bd142874598729818aba8d42aa8a8e2e075433098b79fef50eb94bfbfe6b29fa31ea38ed7fc81bfbccf660f98c698881bffa4485a

      Download Submit
    • memory/1528-136-0x0000000000000000-mapping.dmp
      Download
    • memory/1716-148-0x0000000007AD0000-0x0000000007B02000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1716-145-0x0000000006140000-0x00000000061A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1716-152-0x0000000007C80000-0x0000000007C9A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1716-135-0x0000000000000000-mapping.dmp
      Download
    • memory/1716-151-0x0000000008300000-0x000000000897A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1716-150-0x0000000001420000-0x000000000143E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1716-138-0x0000000002FB0000-0x0000000002FE6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1716-149-0x00000000717D0000-0x000000007181C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1716-144-0x0000000005920000-0x0000000005942000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1716-147-0x00000000068D0000-0x00000000068EE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1716-153-0x0000000007CD0000-0x0000000007CDA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1716-146-0x00000000061B0000-0x0000000006216000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1716-140-0x0000000005B10000-0x0000000006138000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1748-134-0x00000000012E0000-0x000000000137C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1748-133-0x0000000005470000-0x000000000547A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1748-130-0x0000000000A20000-0x0000000000ABA000-memory.dmp
      Filesize

      616KB

      Download
    • memory/1748-131-0x00000000059F0000-0x0000000005F94000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1748-132-0x00000000054E0000-0x0000000005572000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2008-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4564-141-0x0000000000000000-mapping.dmp
      Download
    • memory/4564-143-0x0000000001A00000-0x0000000001D4A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4564-142-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download