Analysis

  • max time kernel
    152s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2022 02:28

General

  • Target

    SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe

  • Size

    385KB

  • MD5

    f9b1312ac8ff70011ddbd11607c93d65

  • SHA1

    4a94f5870ea9e181760548a3ca306e168a29af86

  • SHA256

    66ddd2146468f179b633aa6f51de9e8905f3cb0726007e6f5c254a870e07fd1a

  • SHA512

    635011bfbba11cefc2131877a0ef51caeb88aac5a38c33e9dc0dfba87c6673e85bed08384cccc76bfdc4c3cea22d953a455e3f687d2699fc9a55b744f68d9ea2

  • SSDEEP

    6144:hBn7A5jMUCoQcDeFkAOPapOsFBUVIlnWD+a8m3qSimcHRZ7N5D:vrcMkAJnyVIFWD+aiSimg3D

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy


Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Users\Admin\AppData\Local\Temp\ndteryle.exe
        "C:\Users\Admin\AppData\Local\Temp\ndteryle.exe" C:\Users\Admin\AppData\Local\Temp\ocnbvdevo.as
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Users\Admin\AppData\Local\Temp\ndteryle.exe
          "C:\Users\Admin\AppData\Local\Temp\ndteryle.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1176
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:556

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Persistence
      Registry Run Keys / Startup Folder (T1060) x1
    • Defense Evasion
      Modify Registry (T1112) x2
    • Discovery
      Query Registry (T1012) x1
      System Information Discovery (T1082) x2

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\lqvas.pkv
      Filesize

      185KB

      MD5

      40807db09771d538ff90931d1d57521d

      SHA1

      64e2076ea18f5f8f4adaa923786b7bdc441106b3

      SHA256

      81f9c727a1049cdbeef998ad98b58f0c7b401103db1bfbbd99cf2be8492356fb

      SHA512

      e478f5849ea7a44287c8bc1ac05dc0905b4df7110598c5f700a0ef8f080d78b8d59f913b7bc976012bcf7655e36964a998168575938a51cfa9854542a2fdefa7

    • C:\Users\Admin\AppData\Local\Temp\ndteryle.exe
      Filesize

      104KB

      MD5

      0c5f8d9d08895f59fe74455d145e0b6c

      SHA1

      166eca0d136def18f42309f2010cd758c79f2912

      SHA256

      eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1

      SHA512

      97a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0

    • C:\Users\Admin\AppData\Local\Temp\ocnbvdevo.as
      Filesize

      7KB

      MD5

      b17e5c62bca52304eb649d424d1989c2

      SHA1

      889c91ce68438793bdb6c78936c8cd6851599886

      SHA256

      7b980f8e90494442b292fd15541bd3d21aa0aa3625161c653fa06845c6c07dc1

      SHA512

      dd061cc63b51c88c9b0036cee9b4834475f7d9a235f238ae3fc381c2cfa647a66c113676b1bc878bc7c6f153604525c01a131fa7dc2bd0bed89583878371c5ac

    • \Users\Admin\AppData\Local\Temp\ndteryle.exe
      Filesize

      104KB

      MD5

      0c5f8d9d08895f59fe74455d145e0b6c

      SHA1

      166eca0d136def18f42309f2010cd758c79f2912

      SHA256

      eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1

      SHA512

      97a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      1.1MB

      MD5

      f55e5766477de5997da50f12c9c74c91

      SHA1

      4dc98900a887be95411f07b9e597c57bdc7dbab3

      SHA256

      90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69

      SHA512

      983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05

    • memory/1176-67-0x0000000000990000-0x0000000000C93000-memory.dmp
      Filesize

      3.0MB

    • memory/1176-69-0x00000000003B0000-0x00000000003C0000-memory.dmp
      Filesize

      64KB

    • memory/1176-63-0x00000000004012B0-mapping.dmp
    • memory/1176-66-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/1176-65-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/1176-68-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/1228-77-0x0000000003C20000-0x0000000003CCE000-memory.dmp
      Filesize

      696KB

    • memory/1228-70-0x0000000004C40000-0x0000000004DBF000-memory.dmp
      Filesize

      1.5MB

    • memory/1228-79-0x0000000003C20000-0x0000000003CCE000-memory.dmp
      Filesize

      696KB

    • memory/1252-54-0x0000000076381000-0x0000000076383000-memory.dmp
      Filesize

      8KB

    • memory/1316-56-0x0000000000000000-mapping.dmp
    • memory/1356-71-0x0000000000000000-mapping.dmp
    • memory/1356-73-0x0000000000100000-0x0000000000114000-memory.dmp
      Filesize

      80KB

    • memory/1356-74-0x0000000000120000-0x000000000014D000-memory.dmp
      Filesize

      180KB

    • memory/1356-75-0x0000000002140000-0x0000000002443000-memory.dmp
      Filesize

      3.0MB

    • memory/1356-76-0x0000000001E70000-0x0000000001EFF000-memory.dmp
      Filesize

      572KB

    • memory/1356-78-0x0000000000120000-0x000000000014D000-memory.dmp
      Filesize

      180KB