Overview

overview

10

Static

static

SecuriteIn...23.exe

windows7-x64

10

SecuriteIn...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe

  • Size

    660KB

  • MD5

    4456d023908ebca5034b01ae809d6e62

  • SHA1

    99272ab4f217276228ab68eaae72abfc4242a746

  • SHA256

    11990c08ba3e1eb0f464d9850bb76696a89f95c0368e3634488139f25b96bf42

  • SHA512

    ecde1fb31000b7ef0cf02e995106d236c3aa23e6821da106f69f9bd22744184a53fa1b5671770a5bfb1e2137d4bb0d7581ad664685dde0b8ead994c168dc40ad

  • SSDEEP

    12288:6PuYd+V6b1momPZefeKrsUTkx8S0VP+P1ATnVsgIu3fV6Tx0TBf+v0PuYd+V6b:6PuYd+V6bIomxieMwx8ZBT2/0cxWBf+y

Score
10/10
formbookf9r5ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

f9r5

Decoy

teknotimur.com

zuliboo.com

remmingtoncampbell.com

vehicletitleloansphoenix.com

sen-computer.com

98731.biz

shelikesblu.com

canis-totem.com

metaversemedianetwork.com

adsdu.com

vanishmediasystems.com

astewaykebede.com

wszhongxue.com

gacha-animator-free.com

papatyadekorasyon.com

mqc168.top

simplebrilliantsolutions.com

jubileehawkesprairie.com

ridflab.com

conboysfilm.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sWoaYFhAZd.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4336
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWoaYFhAZd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4371.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2104
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe"
      2⤵
        PID:3948
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4988

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp4371.tmp
      Filesize

      1KB

      MD5

      88ab120b64662e3e48449d4c8a7475a4

      SHA1

      e732cde2cf28056c371e98f313d4bdfdbe2be8a3

      SHA256

      d7572ff1e68a64dc490182d374728cb69be5e3ae45f9e4e8438aad5cb4133d83

      SHA512

      098780ea4380caca4f5af556bfb2fb5d352ba003ef9cc3df17b0a3e7a89d89e1914f1551e144cad8a1b005ea70636e10337fdcba1c9f6f61cef0eadc390eff23

      Download Submit
    • memory/2104-138-0x0000000000000000-mapping.dmp
      Download
    • memory/3948-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4336-146-0x00000000059C0000-0x0000000005A26000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4336-155-0x0000000007270000-0x000000000727A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4336-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4336-159-0x0000000007680000-0x0000000007688000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4336-139-0x0000000002770000-0x00000000027A6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4336-158-0x0000000007730000-0x000000000774A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4336-141-0x0000000005320000-0x0000000005948000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4336-157-0x0000000007640000-0x000000000764E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4336-156-0x0000000007690000-0x0000000007726000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4336-152-0x00000000065B0000-0x00000000065CE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4336-145-0x0000000005120000-0x0000000005142000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4336-154-0x0000000007400000-0x000000000741A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4336-147-0x0000000005A30000-0x0000000005A96000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4336-153-0x0000000007A50000-0x00000000080CA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4336-149-0x00000000059A0000-0x00000000059BE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4336-150-0x00000000072A0000-0x00000000072D2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4336-151-0x0000000071250000-0x000000007129C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4656-133-0x0000000005D80000-0x0000000006324000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4656-132-0x0000000000DE0000-0x0000000000E8A000-memory.dmp
      Filesize

      680KB

      Download
    • memory/4656-136-0x00000000067D0000-0x000000000686C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4656-134-0x0000000005870000-0x0000000005902000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4656-135-0x0000000005820000-0x000000000582A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4988-148-0x0000000001700000-0x0000000001A4A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4988-144-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4988-143-0x0000000000000000-mapping.dmp
      Download