formbook | 755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f

General

Target

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
Size

915KB
MD5

b5678475c3c15fdafff2c5c8b49d5dc1
SHA1

7407554011988292b3e3522e19edb5532f21ee4e
SHA256

755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f
SHA512

05eb462d04fa52dc64781064305aaf73c960765e35f51ef3eeb87e81e25d2dbdcfe7e2c51840ccc4d25e61a7ffc4d0786232c115a395f5e94eaba9508088aecc
SSDEEP

12288:B0dqU+0zR1NqFgVkN3kXsujtKtVrA8RssJk0cDe1Wa33JzysxUi59zDdzoa1cfN:KvFqgVAU8LrLq0vBhyLiTDdEPf

Score

10^/10

formbook k0ud evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

k0ud

Decoy

KKDeo2UqDEnUCpVOQojSRXBi

2tZJH0HRrIOVDeTfmg==

MKSmj+CZhRhujjE=

s5bXm6Sadg2zBdu7hw==

8mGZiJJg7IwdLLs+pPMOfKhNGytf

ngJVQAUrwkHr

n91w0jH0iJFIpiaP

lWk89cFyI5pIpiaP

3r4L8XkqBgU3dCR30w4ZcMRga0A=

l53c8qJWOTJroVjOHBlgjJs=

y0It19ubd+FIpiaP

9Xqagljz0BeZp7ryuO4I

gxIH4giok36VxknyuO4I

tAZMOEL32FgOEBvnr8gQcg==

w0p+SzTMwKm8BcW1gw==

kxD3oaFJ6xlOeHqH

jp4I7QirduJ8slPyuO4I

LSxuX8BlRh0yWAWTEhlgjJs=

ZrTTvJ49FI8rZ09psvo=

LLSsX0XevItIpiaP

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

description	pid	process	target process
PID 2804 set thread context of 4080	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4064 schtasks.exe

pid	process
4064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exepowershell.exepowershell.exeSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

pid	process
2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
1736	powershell.exe
4108	powershell.exe
1736	powershell.exe
2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
4108	powershell.exe
2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
4080	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
4080	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

description	pid	process	target process
PID 2804 wrote to memory of 1736	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	powershell.exe
PID 2804 wrote to memory of 1736	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	powershell.exe
PID 2804 wrote to memory of 1736	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	powershell.exe
PID 2804 wrote to memory of 4108	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	powershell.exe
PID 2804 wrote to memory of 4108	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	powershell.exe
PID 2804 wrote to memory of 4108	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	powershell.exe
PID 2804 wrote to memory of 4064	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	schtasks.exe
PID 2804 wrote to memory of 4064	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	schtasks.exe
PID 2804 wrote to memory of 4064	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	schtasks.exe
PID 2804 wrote to memory of 4080	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
PID 2804 wrote to memory of 4080	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
PID 2804 wrote to memory of 4080	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
PID 2804 wrote to memory of 4080	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
PID 2804 wrote to memory of 4080	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
PID 2804 wrote to memory of 4080	2804	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe	SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bVgCuQEDo.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9105.tmp"
2⤵
- Creates scheduled task(s)
PID:4064

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
4bf0b78d84caa4f2ec554dbe2b608b80

SHA1
6c0dc781f06bce8d451adabf76ab86e0be7f9966

SHA256
b2a40a3138dbb0e951d789a8bca94b9c2416c782c4eb6a460cb522208051ec25

SHA512
3ef25d55b4aca709b42c02093497b67411f21249f41d1257c4a847092dc318c7eb1236c44b7723161845853365815657407c4167638b6b9828a38f1d2dfd98bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9105.tmp
Filesize
1KB

MD5
925656951c17b5b79319b1acbeea21e2

SHA1
3c796ac55e818cc9f6afac079a35fd6760c092c9

SHA256
bdee644f8a0b68f07f6061d1af8d0c578d1a035d047a2f83e422f7844c4568a0

SHA512
847991a8e558897d4d2838832cc2c438fa322d059e9f2582d75db4a8a7a9d4d28b26dc02b7623b6bdfd208f653f04b4bb26dca1ca3f893a001c0f79b68b1923b

Download Submit
memory/1736-149-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

Filesize
120KB

Download
memory/1736-160-0x0000000007420000-0x00000000074B6000-memory.dmp

Filesize
600KB

Download
memory/1736-154-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/1736-137-0x0000000000000000-mapping.dmp

Download
memory/1736-139-0x0000000002570000-0x00000000025A6000-memory.dmp

Filesize
216KB

Download
memory/1736-140-0x0000000005240000-0x0000000005868000-memory.dmp

Filesize
6.2MB

Download
memory/1736-141-0x0000000004F00000-0x0000000004F22000-memory.dmp

Filesize
136KB

Download
memory/1736-142-0x0000000004FA0000-0x0000000005006000-memory.dmp

Filesize
408KB

Download
memory/1736-153-0x0000000006460000-0x0000000006492000-memory.dmp

Filesize
200KB

Download
memory/1736-158-0x00000000071A0000-0x00000000071BA000-memory.dmp

Filesize
104KB

Download
memory/2804-132-0x0000000000FC0000-0x00000000010AA000-memory.dmp

Filesize
936KB

Download
memory/2804-135-0x0000000005BE0000-0x0000000005BEA000-memory.dmp

Filesize
40KB

Download
memory/2804-134-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/2804-138-0x0000000008940000-0x00000000089A6000-memory.dmp

Filesize
408KB

Download
memory/2804-133-0x0000000005EE0000-0x0000000006484000-memory.dmp

Filesize
5.6MB

Download
memory/2804-136-0x0000000008630000-0x00000000086CC000-memory.dmp

Filesize
624KB

Download
memory/4064-144-0x0000000000000000-mapping.dmp

Download
memory/4080-166-0x0000000001720000-0x0000000001A6A000-memory.dmp

Filesize
3.3MB

Download
memory/4080-146-0x0000000000000000-mapping.dmp

Download
memory/4080-151-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/4080-152-0x0000000001720000-0x0000000001A6A000-memory.dmp

Filesize
3.3MB

Download
memory/4080-150-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4080-147-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4108-157-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/4108-159-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

Filesize
40KB

Download
memory/4108-161-0x0000000007C70000-0x0000000007C7E000-memory.dmp

Filesize
56KB

Download
memory/4108-162-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/4108-163-0x0000000007D60000-0x0000000007D68000-memory.dmp

Filesize
32KB

Download
memory/4108-143-0x0000000000000000-mapping.dmp

Download
memory/4108-156-0x0000000006D00000-0x0000000006D1E000-memory.dmp

Filesize
120KB

Download
memory/4108-155-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads