Overview

overview

10

Static

static

SecuriteIn...21.exe

windows7_x64

10

SecuriteIn...21.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    106s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-06-2022 03:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.29221.exe

  • Size

    478KB

  • MD5

    cd6b78a456e3f72a4a48c866602bc617

  • SHA1

    8e56e555ba4a208f038730c1d89a8fc1b93b77f5

  • SHA256

    4b8c3b49cc5ceaea396ffc0444d625d7cc3c231b973f2775a23ab3cafece504d

  • SHA512

    be706bbfa28e6de8d1721739c505ab77762563f47a65578119620e5ceca1e7b9f2010171abce9d4b79f7c2250f6dc5433448a0825038be96d5a1578a44f6a933

Score
10/10
formbookt19gratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t19g

Decoy

playstationspiele.com

cakesbyannal.com

racepin.space

anti-offender.com

magnetque.com

farragorealtybrokerage.com

khuludmohammed.com

v33696.com

84ggg.com

d440.com

soccersmarthome.com

ofthis.world

fivestaryardcards.com

lusyard.com

gghft.com

viajesfortur.com

rationalirrationality.com

hanaramenrestaurant.com

exactlycleanse.com

martensenargentina.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.29221.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.29221.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SjfqCPE.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3316
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SjfqCPE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA6D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3880
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.29221.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.29221.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpFA6D.tmp
    Filesize

    1KB

    MD5

    aa0492f8e0bb3b6ed37c5aa3169d86b9

    SHA1

    56a010eec0afeb065813725754ac87fa9d0d5eb6

    SHA256

    6aefcea2f586d072f79b2b84e5401ccba0bc5d932a234200df72d6b3a41af101

    SHA512

    d37a7364411c88a731c4145ba76959a45bf5db4d347ba7bd6aa277d1dd37001033c31a461225208d9e9185bb0259b615f5cb5e98473c712b935fdef697f6ed8a

    Download Submit
  • memory/400-146-0x00000000014C0000-0x000000000180A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/400-140-0x0000000000000000-mapping.dmp
    Download
  • memory/400-141-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2960-131-0x0000000005000000-0x00000000055A4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2960-132-0x0000000004AF0000-0x0000000004B82000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2960-133-0x0000000004A90000-0x0000000004A9A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2960-134-0x00000000086D0000-0x000000000876C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2960-130-0x0000000000080000-0x00000000000FE000-memory.dmp
    Filesize

    504KB

    Download
  • memory/3316-142-0x0000000005860000-0x0000000005882000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3316-148-0x0000000074C70000-0x0000000074CBC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3316-137-0x0000000004A20000-0x0000000004A56000-memory.dmp
    Filesize

    216KB

    Download
  • memory/3316-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3316-144-0x0000000005C10000-0x0000000005C76000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3316-143-0x0000000005910000-0x0000000005976000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3316-156-0x0000000007610000-0x0000000007618000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3316-145-0x0000000005FE0000-0x0000000005FFE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3316-147-0x00000000065D0000-0x0000000006602000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3316-138-0x0000000005190000-0x00000000057B8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/3316-149-0x00000000065B0000-0x00000000065CE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3316-151-0x00000000072F0000-0x000000000730A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3316-150-0x0000000007930000-0x0000000007FAA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/3316-152-0x0000000007360000-0x000000000736A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3316-153-0x0000000007570000-0x0000000007606000-memory.dmp
    Filesize

    600KB

    Download
  • memory/3316-154-0x0000000007520000-0x000000000752E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3316-155-0x0000000007630000-0x000000000764A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3880-136-0x0000000000000000-mapping.dmp
    Download