Analysis
max time kernel: 47s
max time network: 51s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 31-08-2022 12:15
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe
Resource: win7-20220812-en
General
Target: SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe
Size: 221KB
MD5: b97f2d95c4b21597d3f16064028b3536
SHA1: 037ceb6971a7501dc92dd709de15543a4bb0f8ae
SHA256: 69a0c9f8165bcb6db8b2f8b3dc4f7cb8535c92db368a95deba521ce9d0cc1008
SHA512: e98b96b027cd89a1e025ae2875fe72197bd0a659583e787bd62c6a0957650b3c52254e8855782078d4c4fc87e9726995fc15e026f6710fa1ba50b88288160790
SSDEEP: 3072:qie6Njrjc/Ddpmj9WH6/PgXRBJjWs7EMJfldMW/3eQ3P17jJ4pWV:qQDuA9Wa/PuRBJj6gP74p
Malware Config (extracted)
Family: formbook
Version: 4.1
Campaign: mh76
Signatures
- Formbook payload (2 IoCs)
  resource: behavioral1/memory/2040-61-0x000000000041F1A0-mapping.dmp, yara_rule: formbook
  resource: behavioral1/memory/2040-60-0x0000000000400000-0x000000000042F000-memory.dmp, yara_rule: formbook
- Downloads MZ/PE file
- Suspicious use of SetThreadContext (1 IoC)
  PID 1632 (SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe) set thread context of PID 2040 (SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2040 (SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1632 (SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1632 (SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe) wrote to memory of PID 2040 (SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe), 7 identical events
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe (PID 1632)
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe (PID 2040)
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe"
    - Suspicious behavior: EnumeratesProcesses
Downloads (memory dumps)
memory/1632-54-0x0000000000E70000-0x0000000000EAE000-memory.dmp (248KB)
memory/1632-55-0x0000000075631000-0x0000000075633000-memory.dmp (8KB)
memory/1632-56-0x00000000003F0000-0x0000000000400000-memory.dmp (64KB)
memory/2040-57-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/2040-58-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/2040-61-0x000000000041F1A0-mapping.dmp
memory/2040-60-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/2040-62-0x00000000008E0000-0x0000000000BE3000-memory.dmp (3.0MB)