Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-12-2022 02:28

General

  • Target

    SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe

  • Size

    385KB

  • MD5

    f9b1312ac8ff70011ddbd11607c93d65

  • SHA1

    4a94f5870ea9e181760548a3ca306e168a29af86

  • SHA256

    66ddd2146468f179b633aa6f51de9e8905f3cb0726007e6f5c254a870e07fd1a

  • SHA512

    635011bfbba11cefc2131877a0ef51caeb88aac5a38c33e9dc0dfba87c6673e85bed08384cccc76bfdc4c3cea22d953a455e3f687d2699fc9a55b744f68d9ea2

  • SSDEEP

    6144:hBn7A5jMUCoQcDeFkAOPapOsFBUVIlnWD+a8m3qSimcHRZ7N5D:vrcMkAJnyVIFWD+aiSimg3D

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Extracted

Family

xloader

Version

3.Æ…

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and form data from browsers and other applications.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely used for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic hint ("likely ransomware behaviour") does not fit this sample, which is classified as a Formbook/Xloader stealer; here it records drive enumeration.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Users\Admin\AppData\Local\Temp\ndteryle.exe
        "C:\Users\Admin\AppData\Local\Temp\ndteryle.exe" C:\Users\Admin\AppData\Local\Temp\ocnbvdevo.as
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4804
        • C:\Users\Admin\AppData\Local\Temp\ndteryle.exe
          "C:\Users\Admin\AppData\Local\Temp\ndteryle.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4492
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1280
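    The tree above shows the usual Formbook chain: the dropper writes ndteryle.exe to %TEMP% and runs it with a data file (ocnbvdevo.as) as its only argument, ndteryle.exe relaunches its own image and uses SetThreadContext on the child (hollowing), and Explorer.EXE then spawns an argument-less cmstp.exe that shows the same injection-style API use and in turn launches Firefox. The script below is an added example, not part of the sandbox report: it encodes those observations as checks over a list of process events. The event records are constructed by hand from the tree above; the field names and flag strings are this script's own convention, not a sandbox export format.

```python
"""Flag the process-tree patterns seen in the report: a dropped EXE run from a
user-writable directory, a self-relaunch followed by SetThreadContext (process
hollowing), an argument-less System32/SysWOW64 binary started by Explorer with
injection-style API use, and a browser spawned by that injected host.

Added example. EVENTS is constructed from the report's process tree; the
field names and flag strings are this script's own convention.
"""
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's tree: pid, parent pid, image path, command
# line and the behavioural flags the sandbox attached to each process.
EVENTS: List[Event] = [
    {"pid": 760, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE",
     "flags": {"GetForegroundWindowSpam", "WriteProcessMemory"}},
    {"pid": 2404, "ppid": 760,
     "image": TEMP + r"\SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe",
     "cmdline": '"' + TEMP + r'\SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe"',
     "flags": {"WriteProcessMemory"}},
    {"pid": 4804, "ppid": 2404, "image": TEMP + r"\ndteryle.exe",
     "cmdline": '"' + TEMP + r'\ndteryle.exe" ' + TEMP + r"\ocnbvdevo.as",
     "flags": {"ExecutesDroppedEXE", "AddsRunKey", "SetThreadContext",
               "MapViewOfSection", "WriteProcessMemory"}},
    {"pid": 4492, "ppid": 4804, "image": TEMP + r"\ndteryle.exe",
     "cmdline": '"' + TEMP + r'\ndteryle.exe"',
     "flags": {"ExecutesDroppedEXE", "ChecksLocation", "SetThreadContext",
               "EnumeratesProcesses", "MapViewOfSection", "AdjustPrivilegeToken"}},
    {"pid": 888, "ppid": 760, "image": r"C:\Windows\SysWOW64\cmstp.exe",
     "cmdline": r'"C:\Windows\SysWOW64\cmstp.exe"',
     "flags": {"SetThreadContext", "ModifiesIESettings", "EnumeratesProcesses",
               "MapViewOfSection", "AdjustPrivilegeToken", "WriteProcessMemory"}},
    {"pid": 1280, "ppid": 888, "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"',
     "flags": set()},
]

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe")
INJECTION_FLAGS = {"SetThreadContext", "MapViewOfSection", "WriteProcessMemory"}


def _no_arguments(e: Event) -> bool:
    """True when the command line is nothing but the (possibly quoted) image path."""
    return str(e["cmdline"]).strip().strip('"').lower() == str(e["image"]).lower()


def _injected_system_binary(e: Event, by_pid: Dict[int, Event]) -> bool:
    """A System32/SysWOW64 binary started by Explorer with no arguments that
    then shows injection-style API use: the host Formbook migrates into."""
    img = str(e["image"]).lower()
    parent = by_pid.get(int(e["ppid"]))
    return (img.startswith(SYSTEM_DIRS)
            and parent is not None
            and str(parent["image"]).lower().endswith("\\explorer.exe")
            and _no_arguments(e)
            and bool(set(e["flags"]) & INJECTION_FLAGS))


def analyze(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs in event order."""
    by_pid = {int(e["pid"]): e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        pid, img = int(e["pid"]), str(e["image"]).lower()
        parent = by_pid.get(int(e["ppid"]))
        # 1. executable running out of a user-writable directory (dropped payload)
        if img.endswith(".exe") and any(d in img for d in USER_WRITABLE):
            findings.append((pid, "exe_from_user_writable_dir"))
        # 2. parent spawned a copy of its own image and set its thread context:
        #    the child is the hollowed host, the parent the injector
        if (parent is not None and str(parent["image"]).lower() == img
                and "SetThreadContext" in parent["flags"]):
            findings.append((pid, "self_hollowing_child"))
        # 3. argument-less system binary under Explorer with injection API use
        if _injected_system_binary(e, by_pid):
            findings.append((pid, "injected_system_binary"))
        # 4. browser launched by that injected host (browser data access)
        if (parent is not None and img.endswith(BROWSERS)
                and _injected_system_binary(parent, by_pid)):
            findings.append((pid, "browser_spawned_by_injected_host"))
    return findings


if __name__ == "__main__":
    for pid, finding in analyze(EVENTS):
        print(f"{pid:>5}  {finding}")
```

    Run against the constructed events it flags 2404, 4804 and 4492 as executables in %TEMP%, 4492 as the hollowed child of 4804, 888 (cmstp.exe) as the injected system binary and 1280 (Firefox) as the browser it launched. The checks are heuristics: a legitimate updater in AppData would also trip check 1, so treat the combination of findings, not any single one, as the signal.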

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
    • Defense Evasion: Modify Registry, T1112 (2)
    • Credential Access: Credentials in Files, T1081 (1)
    • Discovery: Query Registry, T1012 (1)
    • Discovery: System Information Discovery, T1082 (2)
    • Collection: Data from Local System, T1005 (1)

    These are ATT&CK v6 IDs. T1060 and T1081 have since been retired; in current ATT&CK they correspond to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1552.001 (Unsecured Credentials: Credentials In Files).

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\lqvas.pkv
      Filesize

      185KB

      MD5

      40807db09771d538ff90931d1d57521d

      SHA1

      64e2076ea18f5f8f4adaa923786b7bdc441106b3

      SHA256

      81f9c727a1049cdbeef998ad98b58f0c7b401103db1bfbbd99cf2be8492356fb

      SHA512

      e478f5849ea7a44287c8bc1ac05dc0905b4df7110598c5f700a0ef8f080d78b8d59f913b7bc976012bcf7655e36964a998168575938a51cfa9854542a2fdefa7

    • C:\Users\Admin\AppData\Local\Temp\ndteryle.exe
      Filesize

      104KB

      MD5

      0c5f8d9d08895f59fe74455d145e0b6c

      SHA1

      166eca0d136def18f42309f2010cd758c79f2912

      SHA256

      eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1

      SHA512

      97a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0

    • C:\Users\Admin\AppData\Local\Temp\ocnbvdevo.as
      Filesize

      7KB

      MD5

      b17e5c62bca52304eb649d424d1989c2

      SHA1

      889c91ce68438793bdb6c78936c8cd6851599886

      SHA256

      7b980f8e90494442b292fd15541bd3d21aa0aa3625161c653fa06845c6c07dc1

      SHA512

      dd061cc63b51c88c9b0036cee9b4834475f7d9a235f238ae3fc381c2cfa647a66c113676b1bc878bc7c6f153604525c01a131fa7dc2bd0bed89583878371c5ac

    • memory/760-149-0x0000000002410000-0x0000000002510000-memory.dmp
      Filesize

      1024KB

    • memory/760-151-0x0000000002410000-0x0000000002510000-memory.dmp
      Filesize

      1024KB

    • memory/760-143-0x0000000007E40000-0x0000000007F9F000-memory.dmp
      Filesize

      1.4MB

    • memory/888-150-0x0000000000410000-0x000000000043D000-memory.dmp
      Filesize

      180KB

    • memory/888-148-0x00000000021A0000-0x000000000222F000-memory.dmp
      Filesize

      572KB

    • memory/888-147-0x0000000002500000-0x000000000284A000-memory.dmp
      Filesize

      3.3MB

    • memory/888-146-0x0000000000410000-0x000000000043D000-memory.dmp
      Filesize

      180KB

    • memory/888-144-0x0000000000000000-mapping.dmp
    • memory/888-145-0x0000000000BE0000-0x0000000000BF6000-memory.dmp
      Filesize

      88KB

    • memory/4492-137-0x0000000000000000-mapping.dmp
    • memory/4492-142-0x0000000000670000-0x0000000000680000-memory.dmp
      Filesize

      64KB

    • memory/4492-140-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/4492-141-0x0000000000AE0000-0x0000000000E2A000-memory.dmp
      Filesize

      3.3MB

    • memory/4492-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/4804-132-0x0000000000000000-mapping.dmp
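    The dropped-file hashes above and the "Adds Run key to start application" signature are the two artifacts a responder can check on a suspect host. The script below is an added example, not part of the sandbox report: it hashes every file under a directory against the report's SHA256 values and parses `reg query` output for Run values that point into user-writable directories. The registry text in it is constructed; the report does not show the Run value name or target this sample writes, so those are stand-ins, and the user-writable-directory test is a heuristic.

```python
"""Host-side triage for the artifacts in the report: hash files under a
directory against the dropped-file SHA256 values, and pick out Run-key
entries whose target lives in a user-writable directory.

Added example, not part of the sandbox report. SAMPLE_REG_QUERY is
constructed; the Run value this sample writes is not shown in the report.
"""
import hashlib
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA256 of the submitted sample and of the files the sandbox saw in %TEMP%.
DROPPED_SHA256: Dict[str, str] = {
    "66ddd2146468f179b633aa6f51de9e8905f3cb0726007e6f5c254a870e07fd1a":
        "SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe (submitted sample)",
    "81f9c727a1049cdbeef998ad98b58f0c7b401103db1bfbbd99cf2be8492356fb": "lqvas.pkv",
    "eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1": "ndteryle.exe",
    "7b980f8e90494442b292fd15541bd3d21aa0aa3625161c653fa06845c6c07dc1": "ocnbvdevo.as",
}

# Directories a standard user can write to; a Run value pointing here is
# worth a look (heuristic, legitimate per-user software also lives in AppData).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, iocs: Dict[str, str]) -> List[Tuple[Path, str]]:
    """Hash every regular file below root; return (path, label) for IoC hits."""
    hits: List[Tuple[Path, str]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            digest = sha256_of(p)
        except OSError:  # locked or unreadable file: skip it, do not abort the sweep
            continue
        if digest in iocs:
            hits.append((p, iocs[digest]))
    return hits


# One value line of `reg query` output: name, type and data separated by runs of spaces.
_REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")


def suspicious_run_entries(reg_query_output: str) -> List[Tuple[str, str]]:
    """Parse `reg query HKCU\\...\\Run` output; return (value name, data) pairs
    whose data points into a user-writable directory."""
    out: List[Tuple[str, str]] = []
    for line in reg_query_output.splitlines():
        m = _REG_LINE.match(line)
        if m and any(d in m.group("data").lower() for d in USER_WRITABLE):
            out.append((m.group("name"), m.group("data")))
    return out


# Constructed `reg query` output. The value name and target for this sample
# are not in the report; "ndteryle" pointing at %TEMP% is an invented stand-in.
SAMPLE_REG_QUERY = """
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    ndteryle    REG_SZ    C:\\Users\\Admin\\AppData\\Local\\Temp\\ndteryle.exe
"""


def self_check() -> Tuple[List[str], List[str]]:
    """Exercise both checks on constructed data in a scratch directory.
    Returns (file names matched by hash, Run value names flagged)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        stand_in = root / "ndteryle.exe"
        stand_in.write_bytes(b"MZ" + b"\x00" * 100)  # constructed bytes, not the real dropper
        (root / "readme.txt").write_text("benign file")
        iocs = dict(DROPPED_SHA256)
        iocs[sha256_of(stand_in)] = "constructed stand-in for ndteryle.exe"
        hash_hits = [p.name for p, _ in sweep(root, iocs)]
    run_hits = [name for name, _ in suspicious_run_entries(SAMPLE_REG_QUERY)]
    return hash_hits, run_hits


if __name__ == "__main__":
    # Default to %TEMP%, where the sandbox saw the files; pass another root to widen the sweep.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(os.environ.get("TEMP", "."))
    for p, label in sweep(root, DROPPED_SHA256):
        print(f"IOC hit: {p} -> {label}")
    for name, data in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"Run value in user-writable dir: {name} = {data}")
```

    On a real host, feed `suspicious_run_entries` the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) rather than the constructed text, and expect the hash sweep to miss if the dropper has been rebuilt; the name/size/location pattern (a ~100KB EXE in %TEMP% next to a small data file with an unusual extension) survives re-packing better than any hash.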