Analysis
max time kernel: 60s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2022 09:14
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Resource: win7-20220901-en
General
Target: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Size: 1.2MB
MD5: 6aa5f75d805cdd7f85f0d2557baad857
SHA1: 6624b51ae972cbe99903c897c9664c72369782f3
SHA256: fe084e5fcd96061325aafd4528aedf59f3385a5c1bbf9daf3337ba1cabf4488f
SHA512: 0862f8dcfd782f0ecf30b57c12c00b19b20a5f31665a9bfeaf1263048030e91fdb9fd01af8ef76c35f3121785724ff1151692636d3eb7fbacc22665d2aa116c8
SSDEEP: 12288:FftjvJ4/XAISq1kmsoPIPDzRJp5urond09qRdQEQR150nZsLVvhoQtckql6AK4HQ:FSK5JoPIF5DndcSdVa15JRyQt
Malware Config
Extracted
formbook
fofg
FHyydxpFBs0S8b4ZlP7ZEtd/
EVaCEKb/cVV9xQ==
U9I5lke0IuU7vj5EXus=
rXD3AKPV3qUblOUsV41KMfU=
PwBSy5z56XNzIvnS3ygsKv0=
CQe1BLbSnGXX
HuhKjxhLhxqBy2FFz8WoFA==
QJymezEoLOFZ1T5EXus=
V8r5PAdwuGK2AUARohas
b1XV06ANH9s5uj5EXus=
3EiEhwo7Euw2tl8=
c2PjK8Izkydy5N8x
CXCkYf0m/qPrv8QajKyT6Oo=
pHjy+Mk0CqvWBXdCz8WoFA==
QjSwr3/j5rAyvz5EXus=
+edxANg/sU+k8YFQz8WoFA==
tWiQq3rqyl6cTAG9pA==
GeAyMQxBUOlDwD5EXus=
nQ5eoT2mEKkhDN2DwBek
JP5dIbHlrXXR8umDwBek
BMT8B9n1OyBvqL+WUSgsKv0=
RSeJYDyteizAdQbSCyHeYCCMZL1A
NOgCENlCLthl5TV9YsWpTzHAdjCmUw==
s2npDaPJBhAdm10=
TXr1YfxiKOkqcgfcHV092XmTHA==
aTXN1nHe/gVFvD5EXus=
TS+nK+9V4pW+9cko
GuBk6sExhxNLr7wYhPbZEtd/
oHWjdWHDv228J/jg0q6xYvzLcxRiMhI=
z6pB06UWdBZHuj5EXus=
nZ7gYT4zv3fY
gXHxw16/sjbOAABSuAnZEtd/
m2asNcPsiDe3I27NxByg2XmTHA==
leg4fQ1h3ZG+9cko
AmB4B64SvFJ6t1G2z8WoFA==
7agWYtMw0Wu2yptkrA==
yzl7iRI/QhdFiRV+eQXh2qsEinZosxo=
gcntJ8YrjSVy5N8x
hmi6U/JgAY/CyptkrA==
/2edLM81848QdjaiqyLu051h
57A/tEumUOZ3Nc6c3Q/aQx8Hiq38AvyPxw==
qI77ulvxShNayD5EXus=
IPA6VOUd6xAdm10=
6LAL4bkhuGHG5+WDwBek
06pAU/Af78kc13PYvx2l2XmTHA==
LhRuu47pEuACWUo=
98ue7uq/cVV9xQ==
Vxxkh13O3ZwXwlcqp5L/6OM=
XhYUTkQR6hAdm10=
RQE/ijRllTFI8umlUSgsKv0=
+2bIH8U2olR6PVYuAlnzaCaMZL1A
BMQ9MRDgCcoYGZlxF2gFHXp1
fmrbKPeT/LD1azf/CIEZLeKVCw==
ajSLMtRD25W+9cko
8LTyD9cHcVV9xQ==
mFi1hCWOhw5Huj5EXus=
FXSUHb8h45vFyptkrA==
lWmcMf1mwF2BLzwh/FncUzfPgHZosxo=
guwbCaTRfBKGAXWKUHUf+e90detZ
QhxpJrXlmzdKeRDrnCjfixcSwulI
Thag+Y/veDtRAOqDwBek
Z0Wp7pLMCBAdm10=
bT9HyWnOXhWYztVF4moy2XmTHA==
kXbZHKvU/Iq+9cko
richardcrebeck.com
Signatures
Xloader payload 2 IoCs
Processes:
resource: behavioral1/memory/1660-68-0x0000000000400000-0x000000000042C000-memory.dmp; yara_rule: xloader
resource: behavioral1/memory/1660-69-0x000000000041F770-mapping.dmp; yara_rule: xloader
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 1228 set thread context of 1660; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
pid: 864; process: powershell.exe
pid: 1660; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description: Token: SeDebugPrivilege; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
description: Token: SeDebugPrivilege; pid: 864; process: powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description: PID 1228 wrote to memory of 864; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: powershell.exe
description: PID 1228 wrote to memory of 864; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: powershell.exe
description: PID 1228 wrote to memory of 864; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: powershell.exe
description: PID 1228 wrote to memory of 864; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: powershell.exe
description: PID 1228 wrote to memory of 1772; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: schtasks.exe
description: PID 1228 wrote to memory of 1772; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: schtasks.exe
description: PID 1228 wrote to memory of 1772; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: schtasks.exe
description: PID 1228 wrote to memory of 1772; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: schtasks.exe
description: PID 1228 wrote to memory of 1660; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
description: PID 1228 wrote to memory of 1660; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
description: PID 1228 wrote to memory of 1660; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
description: PID 1228 wrote to memory of 1660; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
description: PID 1228 wrote to memory of 1660; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
description: PID 1228 wrote to memory of 1660; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
description: PID 1228 wrote to memory of 1660; pid: 1228; process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe; target process: SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe (depth 1, PID 1228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 864)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QaGACHm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 1772)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QaGACHm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E5.tmp"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe (depth 2, PID 1660)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp1E5.tmp
  Filesize: 1KB
  MD5: 044e2a3fedba3de50340e0c2fe214c05
  SHA1: cdce896e7d76d37a6ee120889dd39e03b6fcb93e
  SHA256: a3ea0c49f27770094ec5db382e37fec59bcd6bead477ec348f96c59b6d8c710e
  SHA512: 5be0ee0f4ba85359a1d89c6c1a0ef194ffc93c79103c6cf80f92c2d0fd6cfd47c619c5db6e1322d45d7c284361171cc6df5da7f08e6f3bc4efb5b60cf6b4013d
memory/864-60-0x0000000000000000-mapping.dmp
memory/864-73-0x000000006E2D0000-0x000000006E87B000-memory.dmp
  Filesize: 5.7MB
memory/864-72-0x000000006E2D0000-0x000000006E87B000-memory.dmp
  Filesize: 5.7MB
memory/1228-58-0x00000000007A0000-0x00000000007AC000-memory.dmp
  Filesize: 48KB
memory/1228-71-0x0000000004FF5000-0x0000000005006000-memory.dmp
  Filesize: 68KB
memory/1228-54-0x0000000001080000-0x00000000011C2000-memory.dmp
  Filesize: 1.3MB
memory/1228-55-0x0000000075A11000-0x0000000075A13000-memory.dmp
  Filesize: 8KB
memory/1228-57-0x0000000004FF5000-0x0000000005006000-memory.dmp
  Filesize: 68KB
memory/1228-64-0x0000000008190000-0x0000000008206000-memory.dmp
  Filesize: 472KB
memory/1228-56-0x00000000005D0000-0x00000000005EC000-memory.dmp
  Filesize: 112KB
memory/1228-59-0x00000000080C0000-0x000000000818E000-memory.dmp
  Filesize: 824KB
memory/1660-66-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
memory/1660-69-0x000000000041F770-mapping.dmp
memory/1660-70-0x0000000000880000-0x0000000000B83000-memory.dmp
  Filesize: 3.0MB
memory/1660-68-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
memory/1660-65-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
memory/1772-61-0x0000000000000000-mapping.dmp