Analysis

  • max time kernel
    170s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-12-2022 01:29

General

  • Target

    SecuriteInfo.com.Variant.Jaik.107269.23782.2039.exe

  • Size

    270KB

  • MD5

    0ff8e474e408769e00d0a563fd112b6f

  • SHA1

    a2c84573b26a5c8f928a07c642b5bdf01c4c842f

  • SHA256

    91b5a61f0615710ef9ca5fd015e1cbe36b908516c5882463e4bdc694133c0829

  • SHA512

    efa2bd96ef3f480d05cec21e61c77376ab36d75a373d9f3ab2027f782c31c8b957fc1a350119c64a3fcd2d55c65ef6647de03abc5ad0d24cf71e1b4c57490bed

  • SSDEEP

    6144:QBn1o2vrhVpx41JVnhm643WTQWRlq3B3BQjD32nPcPj:gXhVpm1PCE6xQjSW

Malware Config

Extracted

Family

formbook

Campaign

sdq4

Decoy

M/NxSqNc5vEVvfXWWA==

X0Q2HDisLuzoYHfD/mIcqVDnOotmMQ==

rpEiJ3YmytzsKpdRm4BC7C+2Tw==

fm8cTFjP2FWL2pX5CMjb

5ZhWW5wmXtrmLgrzSjT6uhFBjJHnOQ==

x7J40079eC34LH47UXg5nQ==

ZP8X4tob2taHVprY6DY=

a1jaSE2/8CrzM/8SUXg5nQ==

f5NPHDH65GxGSnZkngvT

IgmQAMCztfqJvfXWWA==

g1+wuFVS/tReSfENUXg5nQ==

SivMIukaJaRo0q8C

LQ9gYduaQQzUE5rY6DY=

TwJTqpALLLkbSI8=

uGsh+xbSG/Cg0Eqd1i8=

p1gOxrnIf1QXDg==

6cuOoOaSRhDQEprY6DY=

nIVfX649g7xtvfXWWA==

RiWd3WQpq7DSGJrY6DY=

ESeuyPlUh40hEw==

Signatures

  • Formbook

    Formbook is an information-stealing malware family (infostealer) that harvests data from the infected host.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and form history.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.23782.2039.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.23782.2039.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Users\Admin\AppData\Local\Temp\tbgjgjx.exe
      "C:\Users\Admin\AppData\Local\Temp\tbgjgjx.exe" C:\Users\Admin\AppData\Local\Temp\noaga.vw
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Users\Admin\AppData\Local\Temp\tbgjgjx.exe
        "C:\Users\Admin\AppData\Local\Temp\tbgjgjx.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:628
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4132

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Defense Evasion
      Modify Registry (1) T1112
    • Credential Access
      Credentials in Files (1) T1081
    • Discovery
      Query Registry (1) T1012
      System Information Discovery (2) T1082
    • Collection
      Data from Local System (1) T1005

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\kauuf.ovy
      Filesize

      185KB

      MD5

      794837681331a12cb6188b64fb03ff03

      SHA1

      be94a5c39c2446465d1a0714e095daeb719079d6

      SHA256

      aa382e2633316eed3eb1572adbf8273e0a1fb7c886bfa0881827ebfbb364cdaa

      SHA512

      dabbea168025d703921631963f1d07a8949f47df22f13361060fc4e078fa56518ac161d2ed7a6cf0f671589b2cb66ac3aa35d6756720db0f71657bec6f90b1b0

    • C:\Users\Admin\AppData\Local\Temp\noaga.vw
      Filesize

      5KB

      MD5

      ee3993c3fc6c09188440d3e0d3a13137

      SHA1

      c6dd44c7e0b33800010aace538344365e35a1cfe

      SHA256

      a0fd7968c04db02dd7437a29c2dd1b9dd6c229e05e3ae0e893efdc8cd60ed01d

      SHA512

      95d69f6b404907a85fd40778325d78ad6d69cd290c2520f4098f3aa6c28e490c849fdd9237db30f8cbc65736e3573fcd9d6b9e1d1f38bb4e0499466ce8592110

    • C:\Users\Admin\AppData\Local\Temp\tbgjgjx.exe
      Filesize

      100KB

      MD5

      ca66448ddf3d8c99d956564665138180

      SHA1

      0c61cdb7acdd2cbf45abf138043cf45bb2ae3434

      SHA256

      97a2cccbc9e313d4907e747ad6e56b0303296d60199be583fe909d0a5ec015dd

      SHA512

      5049abce6753a1a017a65c65d7ce43c1b073d766c2057c6e230ff0840db098abcdac54c477f8a28eb0e009bc35e979f4f0136d1392e68e801bedf597bb340662

    • memory/532-144-0x0000000000000000-mapping.dmp
    • memory/532-149-0x0000000003110000-0x000000000319F000-memory.dmp
      Filesize

      572KB

    • memory/532-148-0x0000000000F60000-0x0000000000F8D000-memory.dmp
      Filesize

      180KB

    • memory/532-147-0x00000000032B0000-0x00000000035FA000-memory.dmp
      Filesize

      3.3MB

    • memory/532-146-0x0000000000F60000-0x0000000000F8D000-memory.dmp
      Filesize

      180KB

    • memory/532-145-0x0000000000E70000-0x0000000000E97000-memory.dmp
      Filesize

      156KB

    • memory/628-137-0x0000000000000000-mapping.dmp
    • memory/628-142-0x0000000000DE0000-0x0000000000DF0000-memory.dmp
      Filesize

      64KB

    • memory/628-141-0x0000000001640000-0x000000000198A000-memory.dmp
      Filesize

      3.3MB

    • memory/628-140-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

    • memory/628-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/780-143-0x0000000007E70000-0x000000000800C000-memory.dmp
      Filesize

      1.6MB

    • memory/780-150-0x0000000008010000-0x000000000813D000-memory.dmp
      Filesize

      1.2MB

    • memory/780-151-0x0000000008010000-0x000000000813D000-memory.dmp
      Filesize

      1.2MB

    • memory/5052-132-0x0000000000000000-mapping.dmp