Analysis
max time kernel: 102s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2022 09:36
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
  Resource: win10v2004-20221111-en
General
Target: SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
Size: 732KB
MD5: 1489d7e40e1691026ff98c8bf1a83eee
SHA1: e08a1b6b74fe0d35bc2f19ed90ae90839958a45c
SHA256: 53176c142b4a57f89c57ed969d3a578640841c09db2a58bc9f360a636c8d5947
SHA512: 4ea9470172510717f0d84fc469bb3cb9eb3146da7e868030543c2d7a2ce532f264525ec0d3ff185bbce1bf4476719a4c175130734c672ab9c3a2acc4651ab8d0
SSDEEP: 12288:awlTqmomPZefvYh9J5rArqIyJdY4fJmIQEBg3BCJCfIUc5Yytl1sPtqvyun/Y:9omxiv6b5rA7wdYicEnCwUcSytwQF/Y
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ndgi
C2 domains (65 entries follow; Formbook configs pad the live C2 with decoy domains, so vet each entry before blocking or pivoting on it):
vuicotvxrejp3il.xyz
w3fa6.net
sappuno02.com
konstruksirumah.xyz
usalifehealth.com
and1f.xyz
atenmentfstinfdow.beauty
primepipe.net
roundhouseny.com
alexandermcqueen.icu
transporteavalos.com
spankmetaverse.xyz
jhccowholesale.com
bielefeldgebaeudereinigung.com
saintraphaelschool.com
larifaa.online
dejabrew.info
izabelaeraphael.com
granniestoneet.com
greensourceseed.com
jawaahirulhikmah.com
2lipcolours.com
ginzou.com
vestradgivning.online
atlasdublinresidence.com
bfine.xyz
decision-art.com
nicebayloans.com
pendingissue.biz
troiancircular.com
raftingtennesssee.com
autistal.xyz
purposeinplans.com
socofm.com
dafuweng0471.com
transformcoach.info
vugz.info
isabellesroom.com
kasdawerf.xyz
angelicindia.com
jmakerpumploc.com
departmen.store
kalpataruplotsariaplots.net
mosqueenarbonne.com
tititinews.com
santeoglobal.com
cornharvestdirect.com
chickensoesco.com
softelbow30.com
fuxeonfire.com
soospeter.com
lastikfiyatlari.online
northlandproshop.com
youbelongstojoy.com
asfalt-podrezkovo.store
servequin.com
heti.ink
gulfingroupinvest.com
gastries.info
spunklane.com
acompanhanteslux.com
bbti.world
juiceofjoy.com
tlaaccounting.net
2635westkaylaneprescott.com
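As an added example, not part of the sandbox report, the following Python parser reads the flattened layout used above, pulls the hash rows and the extracted Formbook config into a structured record, and emits a defanged IOC list for sharing. The positional reading of the config block (family, version, campaign, then one domain per line up to the next section header) is an assumption about this export format; the embedded excerpt is a constructed copy of the page's own values, trimmed to five of the 65 domains.

```python
import re

# Constructed excerpt of the flattened report above: the hash rows of "General"
# and the first five entries of the extracted Formbook config (the full report
# lists 65 domains). Values are copied from the page, not generated.
REPORT_EXCERPT = """General
-
Target
SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
-
Size
732KB
-
MD5
1489d7e40e1691026ff98c8bf1a83eee
-
SHA1
e08a1b6b74fe0d35bc2f19ed90ae90839958a45c
-
SHA256
53176c142b4a57f89c57ed969d3a578640841c09db2a58bc9f360a636c8d5947
Malware Config
Extracted
formbook
4.1
ndgi
vuicotvxrejp3il.xyz
w3fa6.net
sappuno02.com
konstruksirumah.xyz
usalifehealth.com
Signatures
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SECTION_HEADERS = {"General", "Malware Config", "Signatures", "Processes", "Network"}
# Hostname grammar: labels of letters/digits/hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_hashes(lines):
    """Pick up 'MD5' / 'SHA1' / ... rows and keep only well-formed hex digests."""
    hashes = {}
    for i in range(len(lines) - 1):
        algo = lines[i]
        if algo in HASH_LEN:
            value = lines[i + 1].strip().lower()
            if re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[algo], value):
                hashes[algo] = value
    return hashes


def parse_formbook_config(lines):
    """Assumed positional layout: after 'Extracted' come family, version and
    campaign ID, then one domain per line until the next section header."""
    start = lines.index("Extracted") + 1
    family, version, campaign = lines[start:start + 3]
    domains = []
    for raw in lines[start + 3:]:
        if not raw.strip() or raw.strip() in SECTION_HEADERS:
            break
        line = raw.strip().lower()
        if DOMAIN_RE.match(line) and line not in domains:
            domains.append(line)
    return {"family": family, "version": version, "campaign": campaign,
            "domains": domains}


def parse_report(text):
    lines = [l.rstrip() for l in text.splitlines()]
    return {"hashes": parse_hashes(lines), "config": parse_formbook_config(lines)}


def defang(domain):
    """Neutralise a domain for sharing so it is not auto-linked or resolved."""
    return domain.replace(".", "[.]")


def ioc_lines(text):
    """Flat, defanged IOC list suitable for a ticket or a shared note."""
    r = parse_report(text)
    out = ["%s=%s" % (k.lower(), v) for k, v in sorted(r["hashes"].items())]
    out += ["domain=%s" % defang(d) for d in r["config"]["domains"]]
    return out


if __name__ == "__main__":
    for line in ioc_lines(REPORT_EXCERPT):
        print(line)
```

Run it against the full report text to get all 65 domains; the hash regex rejects anything that is not a digest of the expected length, so a stray value in the hash column is dropped rather than propagated into a blocklist.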
Signatures
(all signatures below come from behavioral1, the Windows 7 run)

Formbook payload (2 IoCs)
  resource: behavioral1/memory/520-63-0x0000000000400000-0x000000000042F000-memory.dmp, yara_rule: formbook
  resource: behavioral1/memory/520-64-0x000000000041F180-mapping.dmp, yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
  PID 1172 (SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe) set thread context of PID 520 (SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 520 (SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1172 (SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe) wrote to memory of PID 520 (SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe), 7 times

Taken together: the dropper (PID 1172) starts a second copy of its own image (PID 520), writes into it seven times and then resets a thread context in it, which is the process-hollowing pattern. The Formbook rule fires on the child's 0x400000-0x42F000 region, so the unpacked payload lives in PID 520, not in the on-disk file; that is the process to dump and the one whose process enumeration is attributable to Formbook.
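An added example, not from the report: the signature rows above re-parsed into events and correlated so that the alert is raised by the WriteProcessMemory plus SetThreadContext pair on the same target, not by either API on its own (both are common in legitimate tooling). The row grammar is an assumption about this export format, and the `devenv.exe` row is a constructed benign case showing what is not flagged.

```python
import re
from collections import defaultdict

# Constructed copy of the flattened signature rows in the report above (one
# SetThreadContext row, seven WriteProcessMemory rows), plus one made-up benign
# row (a debugger writing into a different image) that must not be flagged.
SIGNATURE_ROWS = """
PID 1172 set thread context of 520 1172 SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
PID 1172 wrote to memory of 520 1172 SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
PID 1172 wrote to memory of 520 1172 SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
PID 1172 wrote to memory of 520 1172 SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
PID 1172 wrote to memory of 520 1172 SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
PID 1172 wrote to memory of 520 1172 SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
PID 1172 wrote to memory of 520 1172 SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
PID 1172 wrote to memory of 520 1172 SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
PID 4242 wrote to memory of 4300 4242 devenv.exe ConsoleApp1.exe
"""

# Assumed row grammar: "PID <src> <verb> <dst> <src> <src image> <dst image>".
ROW_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)")
API = {"set thread context of": "SetThreadContext",
       "wrote to memory of": "WriteProcessMemory"}


def parse_rows(text):
    """Turn the report's prose rows into (api, source pid, target pid, images)."""
    events = []
    for m in ROW_RE.finditer(text):
        src, verb, dst, src_img, dst_img = m.groups()
        events.append({"api": API[verb], "src": int(src), "dst": int(dst),
                       "src_img": src_img, "dst_img": dst_img})
    return events


def find_hollowing(events):
    """Flag (source, target) pairs where one process both wrote into another
    process and redirected one of its threads with SetThreadContext. A matching
    image on both sides marks the self-injection variant seen in this report."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "same_image": False})
    for e in events:
        if e["src"] == e["dst"]:
            continue  # a process touching itself is not cross-process injection
        p = pairs[(e["src"], e["dst"])]
        if e["api"] == "WriteProcessMemory":
            p["writes"] += 1
        elif e["api"] == "SetThreadContext":
            p["ctx"] += 1
        p["same_image"] = e["src_img"].lower() == e["dst_img"].lower()
    findings = []
    for (src, dst), p in sorted(pairs.items()):
        if p["writes"] and p["ctx"]:
            findings.append({"injector": src, "target": dst,
                             "writes": p["writes"], "ctx_resets": p["ctx"],
                             "self_injection": p["same_image"]})
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_rows(SIGNATURE_ROWS)):
        print(finding)
```

The same correlation works on Sysmon-style events once they are mapped to the same `api`/`src`/`dst` shape; the key design choice is to key on the (injector, target) pair so that a single write from a debugger or an installer does not trip the rule.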
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe (PID 1172)
   command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe (PID 520, child of 1172, same image)
      command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe"
      - Suspicious behavior: EnumeratesProcesses
Downloads (memory dumps)
dump                                                              size
memory/520-60-0x0000000000400000-0x000000000042F000-memory.dmp    188KB
memory/520-61-0x0000000000400000-0x000000000042F000-memory.dmp    188KB
memory/520-63-0x0000000000400000-0x000000000042F000-memory.dmp    188KB
memory/520-64-0x000000000041F180-mapping.dmp                      (mapping, no size listed)
memory/520-65-0x0000000000850000-0x0000000000B53000-memory.dmp    3.0MB
memory/1172-54-0x0000000000DB0000-0x0000000000E6C000-memory.dmp   752KB
memory/1172-55-0x0000000075531000-0x0000000075533000-memory.dmp   8KB
memory/1172-56-0x00000000009E0000-0x00000000009FA000-memory.dmp   104KB
memory/1172-57-0x0000000000310000-0x000000000031E000-memory.dmp   56KB
memory/1172-58-0x0000000004E10000-0x0000000004E8A000-memory.dmp   488KB
memory/1172-59-0x0000000000BE0000-0x0000000000C20000-memory.dmp   256KB

The three 188KB dumps of PID 520 are repeat captures of the same 0x400000-0x42F000 region that the Formbook rule matched, and the mapping address 0x41F180 falls inside that region; the 752KB dump of PID 1172 at 0xDB0000 is the loaded dropper image (the file on disk is 732KB).
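Added example, not part of the report: parse the dump names in the Downloads list, check each declared size against the address range encoded in the name, and find which memory dumps of the same PID contain a mapping address. The name grammar and the rounding tolerance (one unit in the last printed digit) are assumptions about this export format; the list is a constructed copy of the page's entries.

```python
import re

# Constructed from the "Downloads" list in the report above: (dump name, declared
# size). The mapping dump carries no size on the page, hence None.
DUMPS = [
    ("memory/520-60-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/520-61-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/520-63-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/520-64-0x000000000041F180-mapping.dmp", None),
    ("memory/520-65-0x0000000000850000-0x0000000000B53000-memory.dmp", "3.0MB"),
    ("memory/1172-54-0x0000000000DB0000-0x0000000000E6C000-memory.dmp", "752KB"),
    ("memory/1172-55-0x0000000075531000-0x0000000075533000-memory.dmp", "8KB"),
    ("memory/1172-56-0x00000000009E0000-0x00000000009FA000-memory.dmp", "104KB"),
    ("memory/1172-57-0x0000000000310000-0x000000000031E000-memory.dmp", "56KB"),
    ("memory/1172-58-0x0000000004E10000-0x0000000004E8A000-memory.dmp", "488KB"),
    ("memory/1172-59-0x0000000000BE0000-0x0000000000C20000-memory.dmp", "256KB"),
]

# Assumed name grammar: memory/<pid>-<index>-0x<start>[-0x<end>]-<kind>.dmp
NAME_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")
SIZE_RE = re.compile(r"([0-9.]+)(KB|MB)")
UNIT = {"KB": 1024, "MB": 1024 ** 2}


def parse_dump(name):
    """Split a dump name into pid, snapshot index, kind, range and byte size."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("unrecognised dump name: %s" % name)
    pid, index, start, end, kind = m.groups()
    start = int(start, 16)
    end = int(end, 16) if end else None
    return {"pid": int(pid), "index": int(index), "kind": kind,
            "start": start, "end": end,
            "size": (end - start) if end is not None else None}


def size_mismatches(dumps):
    """Names whose address range disagrees with the declared size by more than
    the rounding the report applies (one unit in the last printed digit)."""
    bad = []
    for name, declared in dumps:
        d = parse_dump(name)
        if d["size"] is None or declared is None:
            continue
        m = SIZE_RE.fullmatch(declared)
        value, unit = float(m.group(1)), UNIT[m.group(2)]
        tolerance = unit * (0.1 if "." in m.group(1) else 1)
        if abs(d["size"] - value * unit) > tolerance:
            bad.append(name)
    return bad


def regions_containing(dumps, pid, address):
    """Snapshot indices of the memory dumps of `pid` whose range covers `address`."""
    hits = []
    for name, _ in dumps:
        d = parse_dump(name)
        if (d["pid"] == pid and d["size"] is not None
                and d["start"] <= address < d["end"]):
            hits.append(d["index"])
    return hits


def mapping_targets(dumps):
    """For every mapping dump, the memory dumps of the same PID that contain its
    address; a mapping inside a YARA-flagged region ties the two hits together."""
    out = {}
    for name, _ in dumps:
        d = parse_dump(name)
        if d["kind"] == "mapping":
            out[name] = regions_containing(dumps, d["pid"], d["start"])
    return out


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    print("mapping targets:", mapping_targets(DUMPS))
```

A non-empty result from `size_mismatches` would mean the dump on disk is not the region the name claims (truncated capture or renamed file), which matters before feeding a dump to a config extractor or a YARA scan.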