Analysis
-
max time kernel
155s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-11-2022 04:29
General
-
Target
SecuriteInfo.com.Win64.Evo-gen.8877.18401.exe
-
Size
448KB
-
MD5
19570ae7d752c7f688b833193352a7cb
-
SHA1
c5b129ea601cd6b1bb2d3fbd3b597ed434ed70af
-
SHA256
6eec1a8da601b90f81fdb28221702581d5a1698201976958fb160b2d956edb19
-
SHA512
1cfa750a02c23bf3b9d2545033a210d2bbfc3947b472be62e485d09f683f864acc146e6b3af880d46150bd77fae17285ed0be1420540e7674e4b4c0d9a439c5a
-
SSDEEP
12288:cYEsiw+tb/EPYxNdaGJd4t6O59rxjDqIwjOS5tKl6Nz3OFTj:1ElXtLDgGct7pRwjR5El6NTOB
Malware Config
Extracted
formbook
codp
WLwbp9IgDF0DRbuq
oNQ7DHBzVHVMTxxxFCORk65Z5w==
eKyDm2P0S8i8tXrGSRxyN/GB+g==
DWLDupksnDvfKi7Q7PI=
JAaYbOFx1G0f4pcM36gDB3YaG796
KWQ71Z4U7+2Nv8K72OXED5M9oe8=
YJpvEHW5TU/wL02R9TiN0A==
tpQX78fPprFMi7ocSgXfUNYKpTq33Icp
a9Z0eju3FKFA/YBy+MQfG3QaG796
uQzt58fSssDUenxacQCY2g==
vijGzYPYOfi2gxZLhlbA
kZfzlQg7IGPxc29BJA==
dcQu+blQlxGyZu7qw5P4L6s=
TTIXAcXMr85yqqvxWBMqdrw=
xZb/tyGC8sOjIS7Q7PI=
KnzenvO+cXkVS3biKfRDwJ9Q5Q==
ZqZvDt9+yYxqh1Si
vZD8CtVZigY/cqnmLA==
QJy2dd/p0MO1Ji7Q7PI=
l+Hmoea3jsiAcqnmLA==
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.8877.18401.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.8877.18401.exe"2⤵
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
464KB
-
Filesize
3.3MB
-
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
184KB
-
Filesize
188KB
-
Filesize
64KB
-
Filesize
1008KB
-
Filesize
612KB
-
Filesize
612KB
-
-
Filesize
40KB
-
Filesize
180KB
-
Filesize
3.3MB
-
Filesize
572KB
-
Filesize
180KB