Overview

overview

10

Static

static

SecuriteIn...52.exe

windows7-x64

10

SecuriteIn...52.exe

windows10-2004-x64

10

Resubmissions

23-09-2022 06:55

220923-hpzsgshdcm 10

23-09-2022 05:40

220923-gcv34ahbhj 10

Analysis

  • max time kernel
    597s
  • max time network
    600s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2022 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.MSIL.Kryptik.AGMJ.tr.27252.exe

  • Size

    922KB

  • MD5

    2c3af67b622e7995777c91f9b64d37fa

  • SHA1

    d63b0f44eff73bbfa2949a47c503d3fa1ff2a224

  • SHA256

    db1446aa0758623a0dcebe15dd6742166f391ed938914b3e8339188b21513ebc

  • SHA512

    4949e4ebadf894e3304c317e0b664b64056c7107f967f311df968dd6b4d198f6b6a3bea2b69197f4cb27d7d7f173374756a5129cb15fdecb57d91f4c921412b4

  • SSDEEP

    12288:cd/yNU/TuF4sC0HuV/ldxf9eOBx0mLtOCyOeULosAj6yFiVC3nGv/Oj:wyOLuFEpV/nh9eM6fOeUU

Score
10/10
formbooknhg6ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

nhg6

Decoy

FSZGb3Of7ECMIOG9mh1ql/w=

DAPP3Pm63eo+zg==

khOZTuClxYsKQsZALgy3ob9TFAk=

5uWol2f/RF3CAwFd

P70LqPOi2iE9g4vpPH1Lk8E0K6tC

KBRl7TSt3eo+zg==

rqedJWUJXKkDbORa

lpORtIg8lvMKbJ77PQW9kes=

Qinv+gsohAIooqyTcfUYgZ/IVxQ=

J0L2ggPAiE2gxm4=

r/I6qOGI5noJCghf

khJg6HKM6l9okVK+pg==

HRMTK/6p3eo+zg==

HqMiuv2JaKYJCghf

+FzGYtsGTpK46OkKkh5C

BBrOUpUY91R/r8gkPwrcuw==

klWfn2smdNcqog581h6vX7px

t8uvr7+R7IPaHSOH1hqvX7px

bHdghkj64OjzY2hOLa/WObrRkkeJjQ==

s3/smhoylh1J0mPS4aDHBDRyJw==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Kryptik.AGMJ.tr.27252.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Kryptik.AGMJ.tr.27252.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZWLXkesmLC.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1396
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLXkesmLC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA9A8.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1432
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:560
        • C:\Windows\SysWOW64\msdt.exe
          "C:\Windows\SysWOW64\msdt.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1748
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            5⤵
              PID:1672
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:1964
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:324
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:1320
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:972

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpA9A8.tmp
              Filesize

              1KB

              MD5

              41b125bc1b181b3154e57139e9d20098

              SHA1

              02acbb1c01826d9940308c885274af8d48113160

              SHA256

              fe2aafe5a35683f959d6ca84e83f189942e34490546aebaace1f0d3680c4101e

              SHA512

              4a1be9f8fcd0ec81466ded35b1c32026170eeee6be79f07731336afae33d19c1996a776bf5b5bff9b5555352f93eec2497611ac46c88be9c247f3d3432e678b0

              Download Submit
            • \Users\Admin\AppData\Local\Temp\sqlite3.dll
              Filesize

              1.0MB

              MD5

              f1e5f58f9eb43ecec773acbdb410b888

              SHA1

              f1b8076b0bbde696694bbc0ab259a77893839464

              SHA256

              a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

              SHA512

              0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

              Download Submit
            • memory/560-73-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

              Download
            • memory/560-71-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

              Download
            • memory/560-85-0x0000000000401000-0x000000000042F000-memory.dmp
              Filesize

              184KB

              Download
            • memory/560-75-0x0000000000990000-0x0000000000C93000-memory.dmp
              Filesize

              3.0MB

              Download
            • memory/560-83-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

              Download
            • memory/560-80-0x00000000001C0000-0x00000000001D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/560-74-0x0000000000401000-0x000000000042F000-memory.dmp
              Filesize

              184KB

              Download
            • memory/560-76-0x00000000000C0000-0x00000000000D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/560-65-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

              Download
            • memory/560-66-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

              Download
            • memory/560-69-0x00000000004012B0-mapping.dmp
              Download
            • memory/560-68-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

              Download
            • memory/1076-64-0x00000000048D0000-0x0000000004904000-memory.dmp
              Filesize

              208KB

              Download
            • memory/1076-54-0x0000000000970000-0x0000000000A5C000-memory.dmp
              Filesize

              944KB

              Download
            • memory/1076-56-0x00000000004E0000-0x00000000004F4000-memory.dmp
              Filesize

              80KB

              Download
            • memory/1076-59-0x0000000005FC0000-0x000000000604E000-memory.dmp
              Filesize

              568KB

              Download
            • memory/1076-57-0x00000000005F0000-0x0000000000604000-memory.dmp
              Filesize

              80KB

              Download
            • memory/1076-55-0x0000000075C51000-0x0000000075C53000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1076-58-0x00000000006F0000-0x00000000006FC000-memory.dmp
              Filesize

              48KB

              Download
            • memory/1260-77-0x0000000006850000-0x0000000006970000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/1260-92-0x00000000040D0000-0x00000000041D0000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/1260-90-0x00000000040D0000-0x00000000041D0000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/1260-81-0x0000000006C90000-0x0000000006DAB000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/1396-60-0x0000000000000000-mapping.dmp
              Download
            • memory/1396-78-0x000000006E550000-0x000000006EAFB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/1396-72-0x000000006E550000-0x000000006EAFB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/1432-61-0x0000000000000000-mapping.dmp
              Download
            • memory/1748-82-0x0000000000000000-mapping.dmp
              Download
            • memory/1748-86-0x0000000000F30000-0x0000000001024000-memory.dmp
              Filesize

              976KB

              Download
            • memory/1748-87-0x0000000000080000-0x00000000000AD000-memory.dmp
              Filesize

              180KB

              Download
            • memory/1748-88-0x0000000002430000-0x0000000002733000-memory.dmp
              Filesize

              3.0MB

              Download
            • memory/1748-89-0x00000000009D0000-0x0000000000A5F000-memory.dmp
              Filesize

              572KB

              Download
            • memory/1748-91-0x0000000000080000-0x00000000000AD000-memory.dmp
              Filesize

              180KB

              Download