Analysis
- max time kernel: 137s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-09-2022 12:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- Resource: win7-20220812-en
General
- Target: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- Size: 843KB
- MD5: 0254eb57f3e60a44a34117a760d0044c
- SHA1: 87a774ca772463b5a8ad3f6e5387ff3f25a3d3bb
- SHA256: d9330396040f8b8169fee91c05b6f6a4114c863e78971082faeb1a604adf589f
- SHA512: 8f4ac3fac65992cf01e7d2dc4a1c722a2f67a1bf3e45e9144a0e32bb7623e3fda7aaaa65ff69da0f9528446386c41b6e4cfcd44a688576918975451a22f4dca3
- SSDEEP: 12288:P/yxHTOPGs+Km2aUqLYLWfqbK7dfIgduHv32bF:PIzOP+KaUqL82qE5uPmbF
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: p94a
- Decoy domains:
wishgrove.com
parqueveiculos.com
spiderwebs.online
chulkanadham.com
cdtuan.net
zxazm.com
payment6528832.xyz
fengtaiol.com
bffsmovie.com
aliceseagerfitness.com
garisluruskonsulindo.website
analytical-gutter.net
ahcq8.com
fenyoga.com
ecleptic.cat
conjurecrafts.com
aquaway.date
apenpokkenschoonmaakbedrijf.com
zgramr.top
boweknives.site
wf825.com
tonysdiary.com
alttxt.space
digz.us
mailim.xyz
chromebarbangkok.com
toyookahana.com
jornalaquadra.net
cloudpackages.online
xfew.top
atherenergy.uk
allentownfilmcrew.com
gym323.com
ballbyball.online
youyiw.com
mehdifarzi.com
dinobro.com
bonanzapratamaabadi.com
trailer.vegas
retro241.space
ecole-universite.com
magentodesigndublin.com
ilovechutney.info
451338.com
vintagewriting.site
008420.com
sussexfoodie.co.uk
matrix-101.com
carolina3dproperties.com
clairecorrie.co.uk
asafosa.xyz
yashpestcontrol.com
keilewn.online
nirmalmirchandani.com
familyibis.sbs
anthropologybythewire.com
invidgekets.xyz
1stconstiution.com
byxre.com
andresraiter.com
1stpartynft.com
25thdayoffer.xyz
nicehaus.space
mhjys.com
muuritutkimus.info
Signatures
Formbook payload 1 IoCs
Processes:
- resource: behavioral2/memory/1944-140-0x0000000000400000-0x000000000042F000-memory.dmp | yara_rule: formbook
Suspicious use of SetThreadContext 1 IoCs
Processes:
- description: PID 2376 set thread context of 1944 | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe | target process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- pid: 1944 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- pid: 1944 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- description: Token: SeDebugPrivilege | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- description: PID 2376 wrote to memory of 1568 | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe | target process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- description: PID 2376 wrote to memory of 1568 | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe | target process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- description: PID 2376 wrote to memory of 1568 | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe | target process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- description: PID 2376 wrote to memory of 1944 | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe | target process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- description: PID 2376 wrote to memory of 1944 | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe | target process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- description: PID 2376 wrote to memory of 1944 | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe | target process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- description: PID 2376 wrote to memory of 1944 | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe | target process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- description: PID 2376 wrote to memory of 1944 | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe | target process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
- description: PID 2376 wrote to memory of 1944 | pid: 2376 | process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe | target process: SecuriteInfo.com.Win32.PWSX-gen.10417.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe"
  Tree depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe"
    Tree depth: 2
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe"
    Tree depth: 2
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1568-138-0x0000000000000000-mapping.dmp
- memory/1944-139-0x0000000000000000-mapping.dmp
- memory/1944-140-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1944-141-0x0000000001630000-0x000000000197A000-memory.dmp (Filesize: 3.3MB)
- memory/2376-132-0x0000000000AF0000-0x0000000000BC8000-memory.dmp (Filesize: 864KB)
- memory/2376-133-0x0000000005B50000-0x00000000060F4000-memory.dmp (Filesize: 5.6MB)
- memory/2376-134-0x00000000055A0000-0x0000000005632000-memory.dmp (Filesize: 584KB)
- memory/2376-135-0x0000000005560000-0x000000000556A000-memory.dmp (Filesize: 40KB)
- memory/2376-136-0x0000000009070000-0x000000000910C000-memory.dmp (Filesize: 624KB)
- memory/2376-137-0x0000000009130000-0x0000000009196000-memory.dmp (Filesize: 408KB)