Analysis
- max time kernel: 92s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2022 12:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
- Resource: win7-20220812-en
General
- Target: SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
- Size: 660KB
- MD5: 4456d023908ebca5034b01ae809d6e62
- SHA1: 99272ab4f217276228ab68eaae72abfc4242a746
- SHA256: 11990c08ba3e1eb0f464d9850bb76696a89f95c0368e3634488139f25b96bf42
- SHA512: ecde1fb31000b7ef0cf02e995106d236c3aa23e6821da106f69f9bd22744184a53fa1b5671770a5bfb1e2137d4bb0d7581ad664685dde0b8ead994c168dc40ad
- SSDEEP: 12288:6PuYd+V6b1momPZefeKrsUTkx8S0VP+P1ATnVsgIu3fV6Tx0TBf+v0PuYd+V6b:6PuYd+V6bIomxieMwx8ZBT2/0cxWBf+y
Malware Config
- Extracted: formbook
- Version: 4.1
- f9r5
Signatures
- Formbook payload (2 IoCs)
  Processes:
  - resource: behavioral1/memory/584-68-0x0000000000400000-0x000000000042F000-memory.dmp, yara_rule: formbook
  - resource: behavioral1/memory/584-69-0x000000000041F150-mapping.dmp, yara_rule: formbook
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) set thread context of PID 584 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - PID 1648 powershell.exe
  - PID 584 SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, PID 1648 powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 1648 (powershell.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 1648 (powershell.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 1648 (powershell.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 1648 (powershell.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 1544 (schtasks.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 1544 (schtasks.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 1544 (schtasks.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 1544 (schtasks.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 584 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 584 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 584 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 584 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 584 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 584 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe)
  - PID 780 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe) wrote to memory of PID 584 (SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sWoaYFhAZd.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWoaYFhAZd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD144.tmp"
  - Creates scheduled task(s)
- Depth 2: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7158.12123.exe"
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD144.tmp
  Filesize: 1KB
  MD5: 83e44613c5d1f3771158fb710595b68c
  SHA1: 75074ea322ee1c1022da6a0926149971cc0d64d0
  SHA256: 284b4d78c29cc74743326ed1a873745d9f1ed882aa112a1ca5e951526ded9f3d
  SHA512: e1de3735155a688d9662c9919bf7eb75e671dbaf1fabc615234be93b20df95c3976d63edde67b993e9108832181ca131b1f566dfbc06a1e0a31e62820074bfba
- memory/584-70-0x0000000000950000-0x0000000000C53000-memory.dmp
  Filesize: 3.0MB
- memory/584-69-0x000000000041F150-mapping.dmp
- memory/584-68-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/584-66-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/584-65-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/780-58-0x0000000005100000-0x0000000005170000-memory.dmp
  Filesize: 448KB
- memory/780-64-0x0000000004360000-0x0000000004394000-memory.dmp
  Filesize: 208KB
- memory/780-54-0x0000000000D40000-0x0000000000DEA000-memory.dmp
  Filesize: 680KB
- memory/780-57-0x0000000000350000-0x000000000035E000-memory.dmp
  Filesize: 56KB
- memory/780-56-0x0000000000420000-0x000000000043A000-memory.dmp
  Filesize: 104KB
- memory/780-55-0x00000000758C1000-0x00000000758C3000-memory.dmp
  Filesize: 8KB
- memory/1544-60-0x0000000000000000-mapping.dmp
- memory/1648-63-0x000000006EB90000-0x000000006F13B000-memory.dmp
  Filesize: 5.7MB
- memory/1648-59-0x0000000000000000-mapping.dmp
- memory/1648-71-0x000000006EB90000-0x000000006F13B000-memory.dmp
  Filesize: 5.7MB