Analysis
- max time kernel: 151s
- max time network: 173s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2022 18:34
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe
  - Resource: win7-20220812-en
General
- Target: SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe
- Size: 553KB
- MD5: 0a980f3bf229381c16b1a756fbf5f5c7
- SHA1: 94df4edd4f776b4fe2f32b198373b13641dcbec0
- SHA256: 6e6dab1a248e5205aca778a9e1e2135f7f888cbd5d1edf4debe0efb6cda89fa7
- SHA512: 2cb0d46940e40ac9451b252ec205786689e74c3dd549fd48883989ac9e1f8b292d8695c624ef5d86c848e0858c446f6fe86a47cffd9aee001fcd945855687666
- SSDEEP: 12288:JxKCYox8CiJoyRo3a5BUwnYZ/eZD2JZoxEkigK:PKpoK5Ro3wBXnM/eZcZoe
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: urde
- C2 domains (65 entries). Formbook configs pad the real C2 with decoy domains that the bot also contacts, so the list is a good block/alert set but no single entry is confirmed C2 until traffic shows which one answers:
belleriacortland.com
gxzyykx.com
blocksholding.net
zhangjiyuan.com
tyfinck.com
xn--v9s.club
xn--72c9at8ec1l.com
dorismart.online
nocodeuni.com
hmmprocesos.website
quartile.agency
iansdogname.com
karengillen.com
the-bitindexprime.info
nthanisolutions.com
nakamu.online
sahityanepal.com
sinwinindustry.com
shotblastwearingparts.com
nstsuccess.com
attilaentrepreneurs.com
poweranalytics.site
winfreeagency.com
gopima.com
suthworld.com
lastfrontiercontractingco.com
couches-sofas-32195.com
41829.site
tranbou.sbs
equus-creative.com
yamicog.com
streettreatsicecreamtruck.com
netflixconnexiontv.fr
unclerepair.com
rmchomeloan.center
nft-quantum.online
kungquer.com
casa-gomez.com
sensing.rest
midtowndistrictsantafe.info
kaity.site
farawayflessner.com
qye490kxb.online
pamediq.com
powerhandsbypowerfit.com
lifebeyondbeauty.net
meda-services.com
faylike.com
yivvitsandmrbubble.com
mosesgoldsmithbuilding.com
fisharinvastmnts.com
xeome.co
scentsibleliving.com
abbyfaith.com
drgrantmdretinalspecialist.com
riccardoolivier.com
torremtbox.com
virginiavoyager.com
premiumesa.com
oddsonor.com
zhekobaicai.com
nathansproperty.com
apetigo.com
zanzibarbeachclub.com
niveaguide.com
Signatures
- Formbook payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/856-57-0x000000000041F140-mapping.dmp | formbook
  behavioral1/memory/856-56-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral1/memory/856-59-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral1/memory/1708-65-0x00000000001C0000-0x00000000001EF000-memory.dmp | formbook
  behavioral1/memory/1708-70-0x00000000001C0000-0x00000000001EF000-memory.dmp | formbook
  Both flagged regions are 0x2F000 bytes (188KB): one at 0x400000 in CasPol.exe (PID 856) and one at 0x1C0000 in netsh.exe (PID 1708), i.e. the same unpacked Formbook image present in both injected hosts.
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 912 set thread context of 856 | 912 | SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe | CasPol.exe
  PID 856 set thread context of 1216 | 856 | CasPol.exe | Explorer.EXE
  PID 1708 set thread context of 1216 | 1708 | netsh.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid | process | occurrences
  856 | CasPol.exe | 2
  1708 | netsh.exe | 20
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process | occurrences
  856 | CasPol.exe | 3
  1708 | netsh.exe | 2
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 912 | SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe
  Token: SeDebugPrivilege | 856 | CasPol.exe
  Token: SeDebugPrivilege | 1708 | netsh.exe
  Token: SeShutdownPrivilege | 1216 | Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process | occurrences
  1216 | Explorer.EXE | 2
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process | occurrences
  1216 | Explorer.EXE | 2
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | target process | occurrences
  PID 912 wrote to memory of 856 | 912 | SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe | CasPol.exe | 7
  PID 1216 wrote to memory of 1708 | 1216 | Explorer.EXE | netsh.exe | 4
  PID 1708 wrote to memory of 1248 | 1708 | netsh.exe | cmd.exe | 4
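The SetThreadContext and WriteProcessMemory records above describe one injection path. The following Python is an added example, not part of the sandbox report and not vendor tooling: it parses the records exactly as the report prints them (re-typed here as constructed input), recovers the chain dropper -> CasPol.exe -> Explorer.EXE, and separates hollowing (a write followed by a thread-context change on the same target) from a context change into an already-running Explorer.EXE. The finding labels and the "explorer.exe" special case are the example's own choices.

```python
"""Recover the injection chain from sandbox signature records.

Added example, built from the SetThreadContext and WriteProcessMemory
records in the report above; not code from the sandbox vendor.
"""
import re
from collections import defaultdict

# Constructed input: the records as the report prints them, one per line.
SIGNATURE_RECORDS = """
PID 912 set thread context of 856 912 SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe CasPol.exe
PID 856 set thread context of 1216 856 CasPol.exe Explorer.EXE
PID 1708 set thread context of 1216 1708 netsh.exe Explorer.EXE
PID 912 wrote to memory of 856 912 SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe CasPol.exe
PID 1216 wrote to memory of 1708 1216 Explorer.EXE netsh.exe
PID 1708 wrote to memory of 1248 1708 netsh.exe cmd.exe
"""

# "PID <src> <action> <dst> <src> <src image> <dst image>"; the source PID is
# repeated in every record, so a back-reference rejects mis-split lines.
RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_records(text):
    """Turn the printed records into dicts. Unparsed lines raise instead of
    being dropped: a missing edge silently hides part of the chain."""
    events = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed record: {line!r}")
        events.append({
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "action": "context" if m["action"].startswith("set") else "write",
            "src_image": m["src_image"],
            "dst_image": m["dst_image"],
        })
    return events


def injection_chains(events):
    """Follow SetThreadContext edges starting from processes nobody injected
    into. Returns one [(pid, image), ...] path per root."""
    ctx = defaultdict(set)
    images = {}
    for e in events:
        images[e["src"]] = e["src_image"]
        images[e["dst"]] = e["dst_image"]
        if e["action"] == "context":
            ctx[e["src"]].add(e["dst"])
    targets = {d for ds in ctx.values() for d in ds}
    roots = sorted(p for p in ctx if p not in targets)
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if not ctx.get(pid):          # .get() does not create a defaultdict entry
            chains.append(path)
            return
        for nxt in sorted(ctx[pid]):
            walk(nxt, path)

    for root in roots:
        walk(root, [])
    return [[(pid, images[pid]) for pid in chain] for chain in chains]


def findings(events):
    """Label each SetThreadContext edge and flag multi-hop chains.

    write + context on the same target = hollowing (new image written, thread
    redirected into it); context into explorer.exe with no recorded write =
    injection into an already-running host.
    """
    writes = {(e["src"], e["dst"]) for e in events if e["action"] == "write"}
    out = []
    for e in events:
        if e["action"] != "context":
            continue
        if (e["src"], e["dst"]) in writes:
            out.append(("hollowing", e["src_image"], e["dst_image"]))
        elif e["dst_image"].lower() == "explorer.exe":
            out.append(("explorer_injection", e["src_image"], e["dst_image"]))
    for chain in injection_chains(events):
        if len(chain) >= 3:
            out.append(("chain", " -> ".join(img for _, img in chain)))
    return out


if __name__ == "__main__":
    for f in findings(parse_records(SIGNATURE_RECORDS)):
        print(*f)
```

The write records alone already show the second half of the story that the context records do not: the injected Explorer.EXE (1216) writes into netsh.exe (1708), which in turn writes into cmd.exe (1248), the process that runs the `del` in the tree below.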
Processes
- C:\Windows\Explorer.EXE (PID 1216)
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe (PID 912)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.25018.24932.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 856)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe (PID 1708)
    cmdline: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1248)
      cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
(PIDs are taken from the Signatures tables above; the tree depth markers in the report have been replaced by indentation.)
Network
MITRE ATT&CK Matrix
Downloads
- memory/856-57-0x000000000041F140-mapping.dmp
- memory/856-56-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/856-59-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/856-60-0x00000000008D0000-0x0000000000BD3000-memory.dmp (3.0MB)
- memory/856-61-0x0000000000310000-0x0000000000324000-memory.dmp (80KB)
- memory/912-55-0x00000000004F0000-0x0000000000562000-memory.dmp (456KB)
- memory/912-54-0x0000000001000000-0x000000000108E000-memory.dmp (568KB)
- memory/1216-62-0x0000000004260000-0x0000000004314000-memory.dmp (720KB)
- memory/1216-71-0x0000000004C60000-0x0000000004DDF000-memory.dmp (1.5MB)
- memory/1216-69-0x0000000004C60000-0x0000000004DDF000-memory.dmp (1.5MB)
- memory/1248-66-0x0000000000000000-mapping.dmp
- memory/1708-63-0x0000000000000000-mapping.dmp
- memory/1708-67-0x0000000000A50000-0x0000000000D53000-memory.dmp (3.0MB)
- memory/1708-68-0x0000000000900000-0x0000000000993000-memory.dmp (588KB)
- memory/1708-64-0x0000000001630000-0x000000000164B000-memory.dmp (108KB)
- memory/1708-70-0x00000000001C0000-0x00000000001EF000-memory.dmp (188KB)
- memory/1708-65-0x00000000001C0000-0x00000000001EF000-memory.dmp (188KB)
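The dump names carry the start and end address of each region, and region size is what lets an analyst tie a payload in one process to the same payload in another. The following Python is an added example, not part of the report: it parses the names listed above (re-typed here as constructed input), computes each region's size, reports sizes that recur across PIDs, and marks the ones the report's formbook rule matched (FORMBOOK_HITS is copied from the Signatures section). It goes one step beyond the report by also surfacing same-sized regions that no rule flagged, which are the next thing to pull and diff.

```python
"""Correlate same-sized memory regions across processes in a sandbox dump list.

Added example; dump names re-typed from the Downloads list above and the hit
set from the Signatures section. Not code from the sandbox vendor.
"""
import re
from collections import defaultdict

# Constructed input: one dump name per line, as listed under Downloads.
DUMPS = """
memory/856-57-0x000000000041F140-mapping.dmp
memory/856-56-0x0000000000400000-0x000000000042F000-memory.dmp
memory/856-59-0x0000000000400000-0x000000000042F000-memory.dmp
memory/856-60-0x00000000008D0000-0x0000000000BD3000-memory.dmp
memory/856-61-0x0000000000310000-0x0000000000324000-memory.dmp
memory/912-55-0x00000000004F0000-0x0000000000562000-memory.dmp
memory/912-54-0x0000000001000000-0x000000000108E000-memory.dmp
memory/1216-62-0x0000000004260000-0x0000000004314000-memory.dmp
memory/1216-71-0x0000000004C60000-0x0000000004DDF000-memory.dmp
memory/1216-69-0x0000000004C60000-0x0000000004DDF000-memory.dmp
memory/1248-66-0x0000000000000000-mapping.dmp
memory/1708-63-0x0000000000000000-mapping.dmp
memory/1708-67-0x0000000000A50000-0x0000000000D53000-memory.dmp
memory/1708-68-0x0000000000900000-0x0000000000993000-memory.dmp
memory/1708-64-0x0000000001630000-0x000000000164B000-memory.dmp
memory/1708-70-0x00000000001C0000-0x00000000001EF000-memory.dmp
memory/1708-65-0x00000000001C0000-0x00000000001EF000-memory.dmp
"""

# Dumps the report's "formbook" YARA rule matched (Signatures, Formbook payload).
FORMBOOK_HITS = {
    "memory/856-56-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/856-59-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1708-65-0x00000000001C0000-0x00000000001EF000-memory.dmp",
    "memory/1708-70-0x00000000001C0000-0x00000000001EF000-memory.dmp",
}

# memory/<pid>-<seq>-<start>-<end>-memory.dmp. The "-mapping.dmp" names carry a
# single address rather than a range and are skipped by this parser.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(text):
    """Return one {name, pid, start, size} dict per range-style dump name."""
    regions = []
    for name in text.split():
        m = DUMP_RE.match(name)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"name": name, "pid": int(m["pid"]),
                        "start": start, "size": end - start})
    return regions


def shared_region_sizes(regions, min_pids=2):
    """Map size -> {pid: base} for sizes seen in at least min_pids processes.
    An unpacked image keeps its size when copied into another host, so
    equal-sized regions in different PIDs are the first thing to diff."""
    by_size = defaultdict(dict)
    for r in regions:
        by_size[r["size"]].setdefault(r["pid"], r["start"])  # one base per pid
    return {size: pids for size, pids in by_size.items() if len(pids) >= min_pids}


def payload_candidates(regions, hits):
    """Shared sizes where at least one of the dumps matched the payload rule."""
    hit_sizes = {r["size"] for r in regions if r["name"] in hits}
    return {s: pids for s, pids in shared_region_sizes(regions).items()
            if s in hit_sizes}


def human(size):
    return f"{size:#x} ({size // 1024}KB)"


if __name__ == "__main__":
    regions = parse_dumps(DUMPS)
    flagged = payload_candidates(regions, FORMBOOK_HITS)
    for size, pids in sorted(shared_region_sizes(regions).items()):
        bases = ", ".join(f"pid {p} @ {b:#x}" for p, b in sorted(pids.items()))
        print(f"{human(size)}: {bases} [{'formbook' if size in flagged else 'unflagged'}]")
```

Run against the list above it reports two shared sizes: the 0x2F000 (188KB) Formbook image in 856 and 1708, and a 0x303000 (3.0MB) region present in both of the same processes that no rule matched. The report says nothing about what that second region holds, which is exactly why it is worth pulling both dumps and comparing them.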