Overview

overview

10

Static

static

1

SecuriteIn...20.exe

windows7-x64

8

SecuriteIn...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.FileRepMalware.20755.26920.exe

  • Size

    224KB

  • MD5

    f1f6b87aa6a7bb1c6a2beda153fc607b

  • SHA1

    2964b06681eefb74a586b17756428d6c0cc08bdd

  • SHA256

    25d4c0553804fbcb055f1465780cfd4b920fb2d9e9eaaac87f7c1d0cd8e9f584

  • SHA512

    694c35b6c161358628c0f6ec0d3233fd7b2ade2cade6547f9cfd447e46c52dd0226d95f35da0a8c57f58bf5ace49d20c49cac36ad2d327f6c90cff755ea819cb

  • SSDEEP

    6144:QBn185+KUnqBjp5S+xXVkWo3zAc/Enof7PdS5EYEdB:gaAyjp5SCVvo3zgof7P8+YEdB

Score
10/10
formbookhenzratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.20755.26920.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.20755.26920.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
        "C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe" C:\Users\Admin\AppData\Local\Temp\zeesmnkse.s
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
          "C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4936
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:4708
      • C:\Windows\SysWOW64\cmstp.exe
        "C:\Windows\SysWOW64\cmstp.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1712

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\dvgmwmmyefz.bwe
        Filesize

        185KB

        MD5

        1c945c8ec5c2f5197948aea61cab057e

        SHA1

        79b9dbb2849f170c7b1de78a3c8e3818b5c8a11d

        SHA256

        27d5be39ba9e5aeba868a04ea4c251c3719242f656fbce09050c20b81f6ac751

        SHA512

        757d8028bb9397c11aebb3b7c8c8a4dc15aa9b7a03288a8c2e94e3369716c118605ba3ac42aca85901b7dd42f78454fa566a7b0f0c5570c524b4582a73f97794

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
        Filesize

        12KB

        MD5

        dee9967bfc964052c9343e69b90b7c31

        SHA1

        c12da34124e0f9b84685874d0970cbd55dd3ebe4

        SHA256

        2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

        SHA512

        3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
        Filesize

        12KB

        MD5

        dee9967bfc964052c9343e69b90b7c31

        SHA1

        c12da34124e0f9b84685874d0970cbd55dd3ebe4

        SHA256

        2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

        SHA512

        3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe
        Filesize

        12KB

        MD5

        dee9967bfc964052c9343e69b90b7c31

        SHA1

        c12da34124e0f9b84685874d0970cbd55dd3ebe4

        SHA256

        2ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc

        SHA512

        3787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\zeesmnkse.s
        Filesize

        5KB

        MD5

        4230431061fb7d5522a0bf04013fe531

        SHA1

        dbc2021a068247d14e65c19518fe28c42f8d9665

        SHA256

        26e048d856f00c449c2720f0aab7302af8212abbdfae6f7b6bfbf94469104269

        SHA512

        bb1dab8b2d706c780e1286dcb75ce43c0708449ef4f47c6af87001d9a39bd5deeef874ccd45115a4ab56f34bbbe56464c5a170bd43a63fa3c6a9188f0eb6d78a

        Download Submit
      • memory/2348-143-0x0000000002FD0000-0x00000000030CA000-memory.dmp
        Filesize

        1000KB

        Download
      • memory/2348-155-0x0000000008250000-0x00000000082EE000-memory.dmp
        Filesize

        632KB

        Download
      • memory/2348-154-0x0000000008250000-0x00000000082EE000-memory.dmp
        Filesize

        632KB

        Download
      • memory/2348-145-0x0000000008400000-0x0000000008569000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/3172-150-0x0000000000C90000-0x0000000000CBD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/3172-149-0x0000000000360000-0x0000000000376000-memory.dmp
        Filesize

        88KB

        Download
      • memory/3172-153-0x00000000029D0000-0x0000000002A5F000-memory.dmp
        Filesize

        572KB

        Download
      • memory/3172-152-0x0000000000C90000-0x0000000000CBD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/3172-151-0x0000000002BB0000-0x0000000002EFA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3172-146-0x0000000000000000-mapping.dmp
        Download
      • memory/4744-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4936-140-0x0000000000401000-0x000000000042F000-memory.dmp
        Filesize

        184KB

        Download
      • memory/4936-148-0x0000000000401000-0x000000000042F000-memory.dmp
        Filesize

        184KB

        Download
      • memory/4936-147-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4936-142-0x0000000000910000-0x0000000000920000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4936-144-0x0000000000E40000-0x0000000000E50000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4936-141-0x0000000000E60000-0x00000000011AA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4936-139-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4936-137-0x0000000000000000-mapping.dmp
        Download