Overview

overview

10

Static

static

1

SecuriteIn...67.exe

windows7-x64

10

SecuriteIn...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    266s
  • max time network
    352s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    09-12-2022 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe

  • Size

    332KB

  • MD5

    a3bd608d019d827e4eee68f67f39a444

  • SHA1

    6e9874bac7b065a42110cef5c1b060de94123b2d

  • SHA256

    2af0bbe87c28664ad5b453eae02d512f770962319673b9c494d85b717a6f9edf

  • SHA512

    6b73f10a981a23c9ba0fee05d24b77b15220716172e8b48dc7d2e409e774e6fafbcdced2d5832a21f5863c38f51d553a51e1ad5ae15f7aae5d824366f2a289d8

  • SSDEEP

    6144:9kwmZ6RfPyO6qBUnqk5yx+9JjOGNE1STKB7xUbGpn9C+xv0/159Xmj2pO6GInyw:qZ6RfPyO6ZqN7GNsTVxBp9PdK5XmK5p

Score
10/10
formbookxloaderk6n9loaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

k6n9

Decoy

NzUYPBPnE+UWNJX0b/5zZQ==

ZcsDmdfNeiREr4loZ9k=

p4Pecr+pmTFp+Az4AGoSpvqp

4jwUP0ApYThdpDmZcNp+xuej

0tmQjRQKSQbR0N86

MgfR+qwWljDdagbsn8Ukr8bc8A==

shQ3YCpOQPp/9g==

Q4mmwEidJLBJug25c6Vxcg==

OM1kEJDdGNpv7nMy

7FmP1iykTQZ7q0Hq5g==

9lVGWV44H63+A5oGc6Vxcg==

Bs97fiCGUye5Osm9xsOYZnb8SEC+YszE

xJMBmQj3MRDV7MBXzEep

mJpebAH7RkkGGbsZwZ/weg==

u6FXU+JCphyVyCsUBP0Spvqp

B/mwulPBDRm5q0Hq5g==

E+JiHcUb7gR+8A==

BgGOL5SLfQ9BzuPDxzeVKEIuOKDL

wZdfmzTbOcnEF3Mi1QnVpPCo

J63Z+Jv5L+JOhd+zc6Vxcg==

Extracted

Family

xloader

Version

3.Æ…

Campaign

k6n9

Decoy

NzUYPBPnE+UWNJX0b/5zZQ==

ZcsDmdfNeiREr4loZ9k=

p4Pecr+pmTFp+Az4AGoSpvqp

4jwUP0ApYThdpDmZcNp+xuej

0tmQjRQKSQbR0N86

MgfR+qwWljDdagbsn8Ukr8bc8A==

shQ3YCpOQPp/9g==

Q4mmwEidJLBJug25c6Vxcg==

OM1kEJDdGNpv7nMy

7FmP1iykTQZ7q0Hq5g==

9lVGWV44H63+A5oGc6Vxcg==

Bs97fiCGUye5Osm9xsOYZnb8SEC+YszE

xJMBmQj3MRDV7MBXzEep

mJpebAH7RkkGGbsZwZ/weg==

u6FXU+JCphyVyCsUBP0Spvqp

B/mwulPBDRm5q0Hq5g==

E+JiHcUb7gR+8A==

BgGOL5SLfQ9BzuPDxzeVKEIuOKDL

wZdfmzTbOcnEF3Mi1QnVpPCo

J63Z+Jv5L+JOhd+zc6Vxcg==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
        "C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe" C:\Users\Admin\AppData\Local\Temp\dkqqrn.zb
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
          "C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1952
          • C:\Windows\SysWOW64\chkdsk.exe
            "C:\Windows\SysWOW64\chkdsk.exe"
            5⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Enumerates system info in registry
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1020
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              6⤵
                PID:1960
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:396

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\caawwo.tq
        Filesize

        185KB

        MD5

        7e87de0d663de312611bb198817c039d

        SHA1

        5245d45abd227463d7e0734baa4b5e4a72f23117

        SHA256

        cf29186d98d627090bd497c3f53903bc30df30e58c2fbbd5e20c83f593a155ca

        SHA512

        c6b609aecf7b2d5d5c375fc638a139efe6203b6b8bc581629363aae6ee8b418dc70315bf8ce87737b0a1675a349568b837dbfeaba615d4d1f3ae1f4d65ec4f20

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dkqqrn.zb
        Filesize

        5KB

        MD5

        e2c1f72715c1ba8a81a593353fa4ebeb

        SHA1

        0ef5aabb489a82704dea4ca6e33f8d65116848dd

        SHA256

        580a0fd8ac1f558a0421ab266eebb2ed92710f418e6dc769e3b48504970810ec

        SHA512

        f4082ea5c874165b59ceaa9b67a5daaec73f41e62ab312683aff119f90e1f61570e0e658fae945a1b3e7cdf28536e679e6a1263602a2bc58ec7659b7dabd4d37

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
        Filesize

        276KB

        MD5

        08188993d15fa1d98dfc42e3f4f0d15f

        SHA1

        0e0d702f549baa70ede7d529177e44c0e24c3952

        SHA256

        068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33

        SHA512

        ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
        Filesize

        276KB

        MD5

        08188993d15fa1d98dfc42e3f4f0d15f

        SHA1

        0e0d702f549baa70ede7d529177e44c0e24c3952

        SHA256

        068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33

        SHA512

        ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
        Filesize

        276KB

        MD5

        08188993d15fa1d98dfc42e3f4f0d15f

        SHA1

        0e0d702f549baa70ede7d529177e44c0e24c3952

        SHA256

        068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33

        SHA512

        ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

        Download Submit
      • \Users\Admin\AppData\Local\Temp\igyfrxru.exe
        Filesize

        276KB

        MD5

        08188993d15fa1d98dfc42e3f4f0d15f

        SHA1

        0e0d702f549baa70ede7d529177e44c0e24c3952

        SHA256

        068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33

        SHA512

        ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

        Download Submit
      • \Users\Admin\AppData\Local\Temp\igyfrxru.exe
        Filesize

        276KB

        MD5

        08188993d15fa1d98dfc42e3f4f0d15f

        SHA1

        0e0d702f549baa70ede7d529177e44c0e24c3952

        SHA256

        068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33

        SHA512

        ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

        Download Submit
      • \Users\Admin\AppData\Local\Temp\igyfrxru.exe
        Filesize

        276KB

        MD5

        08188993d15fa1d98dfc42e3f4f0d15f

        SHA1

        0e0d702f549baa70ede7d529177e44c0e24c3952

        SHA256

        068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33

        SHA512

        ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

        Download Submit
      • \Users\Admin\AppData\Local\Temp\sqlite3.dll
        Filesize

        949KB

        MD5

        38a3e021eb32c9976adaf0b3372080fc

        SHA1

        68e02803c646be21007d90bec841c176b82211fd

        SHA256

        8cde0275d60da0d11954f73c7c8862cfc4b306f61bb8b1ce14abe4a193af2652

        SHA512

        b886cc112f2750e7300b66f7242850659fa49fdc97f75aed376cb9f5440875f303a143bf8b51068ec42674f1ebe1dfcc40534f3a7aed3cc4d20f9274b9a66d18

        Download Submit
      • memory/436-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1020-75-0x0000000000000000-mapping.dmp
        Download
      • memory/1020-82-0x0000000000080000-0x00000000000AD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1020-80-0x0000000001E50000-0x0000000001EDF000-memory.dmp
        Filesize

        572KB

        Download
      • memory/1020-79-0x0000000001FE0000-0x00000000022E3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1020-78-0x0000000000080000-0x00000000000AD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1020-77-0x0000000000770000-0x0000000000777000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1236-76-0x00000000066F0000-0x0000000006800000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1236-81-0x0000000007290000-0x000000000739E000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1236-84-0x0000000007290000-0x000000000739E000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1236-74-0x00000000066F0000-0x0000000006800000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1236-71-0x0000000004C50000-0x0000000004DDF000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1740-54-0x0000000075831000-0x0000000075833000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1952-69-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1952-73-0x00000000002D0000-0x00000000002E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1952-68-0x0000000000810000-0x0000000000B13000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1952-70-0x0000000000290000-0x00000000002A0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1952-67-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1952-66-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1952-72-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1952-64-0x00000000004012B0-mapping.dmp
        Download