Analysis
- max time kernel: 120s
- max time network: 172s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 28-07-2021 12:35
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
  - Resource: win7v20210410
General
- Target: SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
- Size: 658KB
- MD5: 7fe8c41bb1d7824a3d85eccb9dd59a14
- SHA1: c91f48bf0b3a56b4b8a8179a7d24aaeaa73d5765
- SHA256: eac598331e98c72219bd9f7fbc5754288aaa0236cd27d09bce81a182503ac7ea
- SHA512: fcb66c54fc6b9c2bba0d20f11f22d1ee9b0b3894801e67607b2cc781637c348e06ef83d2a9752727d9df58312eef70e2dedcded4eea006573d332620f3862de9
Malware Config
- Extracted family: formbook
- Version: 4.1
- C2: http://www.santanabeautycares.com/gmtr/
- Domains embedded in the config (Formbook configs mix the live C2 with decoy domains, so treat this list as hunting context rather than as a block list):
kocnetelgroup.com
william-and-alexandra.com
overseasdata.com
the-wild-wild-east.com
analistaweb.net
hybridkarts.com
secure-apple-ld.com
semjasessprx.com
ahaa.store
9maskgame.online
bellydancer-cicycai.com
qy35tc.com
immopix.net
catarinayamamoto.com
binvestcrm.com
mycsource.com
cookedonpropane.net
melmorg.com
mattkalita.com
animalkitchen.net
flixnite.com
talitadeoliveira.com
eola-nutrizione.com
hb3trk.com
onesave.club
mottinoymca.com
luanaevinicius.com
donalddruck.com
setupreports.com
uluminista-cp.com
labor-utilize.info
blacdomaine.com
decentvulturedesign.com
dancingwhenitrains.com
herbycat.com
jama3.com
nieght.com
miamiluxurioushomes4sale.com
saludalinstante.website
certifiedyogi.com
coreyandtanya2020.vegas
imustconfessimagoddess.com
fashiontoshop.com
tuiwang.net
outlier.house
portmacquariedistillery.com
novlaidya.com
morning-glorypharms.com
forummacau.com
bishisei-mitte.com
covidus19.com
wokbuyersguide.com
luxurytimemart.com
nibrasalkhaleej.com
cevplay.com
unlimitedfuturesmastermind.com
uptownsouthpadre.com
savingz.info
connectingpeopletoland.com
die-zukunftsgestalter.com
azautobrokers.net
theqblegacy.com
applicationcall.com
june-eve.com
Signatures
- CustAttr .NET packer (1 IoC)
  Detects CustAttr .NET packer in memory.
  resource: behavioral1/memory/1032-63-0x00000000003D0000-0x00000000003DB000-memory.dmp
  yara_rule: CustAttr
- Formbook Payload (2 IoCs)
  resource: behavioral1/memory/1036-67-0x000000000041EBE0-mapping.dmp
  yara_rule: formbook
  resource: behavioral1/memory/1036-66-0x0000000000400000-0x000000000042E000-memory.dmp
  yara_rule: formbook
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1032 set thread context of 1036
  pid: 1032
  process: SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
  target process: SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 1036
  process: SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1032 wrote to memory of 1036 (reported 7 times)
  pid: 1032
  process: SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
  target process: SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe

Read together, these hits describe one loader pattern: the sample (PID 1032) launches a second copy of its own image (PID 1036), writes into the child's memory, then sets the child's thread context so execution resumes in the written Formbook payload. The Formbook YARA match lands in the child's image region (0x400000-0x42E000), not in the parent, which is what you would expect from process hollowing rather than from in-place unpacking.
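The following is an added example, not part of the sandbox report and not a rule the sandbox ships. It parses the flattened signature rows and the extracted Formbook config from this page (embedded below as constructed strings copied from the report), rebuilds the parent-to-child injection chain, applies the editor's own heuristic for self-hollowing (same image path, WriteProcessMemory followed by SetThreadContext against a different PID), and turns the config into a tiered IOC set that keeps the C2 host separate from the low-confidence domain list. Function names and the confidence tiers are the editor's assumptions.

```python
"""Parse flattened sandbox signature rows and a Formbook config into
an injection chain and a tiered IOC set. Added example; heuristics are
the editor's, not the sandbox vendor's."""
import re
from urllib.parse import urlparse

# Constructed sample: signature rows copied from the report above.
REPORT_SIGNATURES = """\
PID 1032 set thread context of 1036 1032 SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
PID 1032 wrote to memory of 1036 1032 SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
PID 1032 wrote to memory of 1036 1032 SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
"""

# Constructed negative case (hypothetical PIDs/images, not from the report):
# a write into a *different* image without SetThreadContext must not be flagged.
CONTROL_SIGNATURES = """\
PID 2000 wrote to memory of 2004 2000 installer.exe explorer.exe
"""

# Constructed sample: the extracted config, truncated to the first two domains.
REPORT_CONFIG = """\
formbook
4.1
http://www.santanabeautycares.com/gmtr/
kocnetelgroup.com
william-and-alexandra.com
"""

# Row shape: "PID <src> <action> <dst> <src> <src_image> <dst_image>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
HOLLOWING_ACTIONS = {"wrote to memory of", "set thread context of"}


def parse_injection_rows(text):
    """Group rows by (src_pid, dst_pid); collect the distinct actions seen."""
    chains = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip headers or rows that do not follow the shape
        key = (int(m["src"]), int(m["dst"]))
        entry = chains.setdefault(key, {
            "actions": set(), "rows": 0,
            "src_image": m["src_image"], "dst_image": m["dst_image"],
        })
        entry["actions"].add(m["action"])
        entry["rows"] += 1
    return chains


def flag_self_hollowing(chains):
    """Editor's heuristic: a process spawns its own image, writes into the
    child and redirects its thread. Requires both actions, distinct PIDs,
    and identical image names on both sides."""
    return [
        {"parent": src, "child": dst, "image": e["src_image"]}
        for (src, dst), e in chains.items()
        if src != dst
        and e["src_image"] == e["dst_image"]
        and HOLLOWING_ACTIONS <= e["actions"]
    ]


def parse_formbook_config(text):
    """Config layout as printed on the page: family, version, C2 URL,
    then one domain per line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, c2 = lines[0], lines[1], lines[2]
    return {"family": family, "version": version, "c2": c2,
            "c2_host": urlparse(c2).hostname, "domains": lines[3:]}


def build_ioc_set(config):
    """Tier the indicators: the C2 host is high confidence; the remaining
    domains are low confidence because Formbook configs carry decoys
    alongside the live C2, and blocking them outright breaks real sites."""
    return {
        "high": {config["c2_host"]},
        "low": set(config["domains"]) - {config["c2_host"]},
    }


if __name__ == "__main__":
    chains = parse_injection_rows(REPORT_SIGNATURES)
    for hit in flag_self_hollowing(chains):
        print(f"self-hollowing: {hit['parent']} -> {hit['child']} ({hit['image']})")
    cfg = parse_formbook_config(REPORT_CONFIG)
    print(build_ioc_set(cfg))
```

Feed the script the full domain list from the report and the low-confidence tier becomes a hunting set for DNS telemetry, while only the C2 host goes into a blocking rule.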
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe (PID 1032)
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe (PID 1036)
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1032-60-0x0000000000DB0000-0x0000000000DB1000-memory.dmp (4KB)
- memory/1032-62-0x0000000000BC0000-0x0000000000BC1000-memory.dmp (4KB)
- memory/1032-63-0x00000000003D0000-0x00000000003DB000-memory.dmp (44KB)
- memory/1032-64-0x0000000005050000-0x00000000050C5000-memory.dmp (468KB)
- memory/1032-65-0x0000000000B80000-0x0000000000BB0000-memory.dmp (192KB)
- memory/1036-67-0x000000000041EBE0-mapping.dmp
- memory/1036-66-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/1036-68-0x0000000000970000-0x0000000000C73000-memory.dmp (3.0MB)