Analysis
-
max time kernel
262s -
max time network
366s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
07-12-2022 04:29
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
Resource
win7-20221111-en
General
-
Target
SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
-
Size
259KB
-
MD5
197ab666b7242cd57be0af99c33c150e
-
SHA1
c67a8a7f437716bb324e2697412464fd165c6c90
-
SHA256
f88caffeed956cd5b1671dde49bfc61dac4fd2007b46287debf7dab6c179bf46
-
SHA512
a5babd41cc7dcc73710d4ca6d03121b3395601a398158f8375dacc391e7d0b5c6255f7faff0ede21db4351662f4c2d418f6fae2db17610c017272e3aa355863a
-
SSDEEP
6144:QBn1m1geH7jWuQ0IQWCPt2uKQ+Hm4PMuo:gmycnWuQ0hHoQ0Q
Malware Config
Extracted
formbook
4.1
pr28
huaxinimg.com
baorungas.com
comercializadoramultimus.com
blr-batipro.com
wantagedfas.uk
1thingplan.one
cweilin.com
lorienconsultingllc.com
jdzsjwx.com
casafacil.site
hkacgt.com
hasid.africa
92dgr97k4hr9.com
cvbiop.xyz
1wbskm.top
fantasticmobility.com
goodchoice2022.com
hafizpower.com
familiajoya.com
fundscrahelp.info
654-jp.com
locksmithexpressny.com
daniellelaurenhealth.com
65062.site
globallogisticsairline.com
livingdisabilitybenfits.com
cyprusposte.com
gladyshelps.click
letv.one
59963y.com
cre8tstudio.com
expandintofreedom.com
czechpeniche.com
windkind.net
cash4.cash
h9qblfpaog.one
growhthair.com
dmukpropertysolutions.co.uk
esd-protection.com
eqweqwewqewqewq.com
jovehome.com
dibujoart.com
fuy3.com
hthg172.com
crovv-creek.com
cannyok.online
inlook24.com
minionenterprises.net
doralfoundationssale.com
higgyspianobar.com
abundantproduction.com
agriseats.tech
diwolei.com
enwaav.tech
combienes.com
josiil.com
zweniprojects.africa
criplogistic.online
nerroir.com
blurockindustry.com
imaginaitonlibrary.com
ahavahfn.com
dougrushinglistings.com
leadsintolistings.com
alpheusmangale.com
Signatures
-
Formbook payload 3 IoCs
resource yara_rule behavioral1/memory/760-65-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/824-71-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/824-77-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
pid Process 556 zcvza.exe 760 zcvza.exe -
Loads dropped DLL 2 IoCs
pid Process 756 SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe 556 zcvza.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 556 set thread context of 760 556 zcvza.exe 30 PID 760 set thread context of 1276 760 zcvza.exe 15 PID 824 set thread context of 1276 824 NETSTAT.EXE 15 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 824 NETSTAT.EXE -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 760 zcvza.exe 760 zcvza.exe 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE 824 NETSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1276 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 556 zcvza.exe 760 zcvza.exe 760 zcvza.exe 760 zcvza.exe 824 NETSTAT.EXE 824 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 760 zcvza.exe Token: SeDebugPrivilege 824 NETSTAT.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1276 Explorer.EXE 1276 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1276 Explorer.EXE 1276 Explorer.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 756 wrote to memory of 556 756 SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe 28 PID 756 wrote to memory of 556 756 SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe 28 PID 756 wrote to memory of 556 756 SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe 28 PID 756 wrote to memory of 556 756 SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe 28 PID 556 wrote to memory of 760 556 zcvza.exe 30 PID 556 wrote to memory of 760 556 zcvza.exe 30 PID 556 wrote to memory of 760 556 zcvza.exe 30 PID 556 wrote to memory of 760 556 zcvza.exe 30 PID 556 wrote to memory of 760 556 zcvza.exe 30 PID 1276 wrote to memory of 824 1276 Explorer.EXE 31 PID 1276 wrote to memory of 824 1276 Explorer.EXE 31 PID 1276 wrote to memory of 824 1276 Explorer.EXE 31 PID 1276 wrote to memory of 824 1276 Explorer.EXE 31 PID 824 wrote to memory of 584 824 NETSTAT.EXE 32 PID 824 wrote to memory of 584 824 NETSTAT.EXE 32 PID 824 wrote to memory of 584 824 NETSTAT.EXE 32 PID 824 wrote to memory of 584 824 NETSTAT.EXE 32
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Users\Admin\AppData\Local\Temp\zcvza.exe"C:\Users\Admin\AppData\Local\Temp\zcvza.exe" C:\Users\Admin\AppData\Local\Temp\imcnxbnbbb.j3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Users\Admin\AppData\Local\Temp\zcvza.exe"C:\Users\Admin\AppData\Local\Temp\zcvza.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:760
-
-
-
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\zcvza.exe"3⤵PID:584
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
185KB
MD5ed232e70dae27a58281d330aa9591674
SHA1cb9ded97fa32bafde70c30fd3ddd8bff8279686f
SHA256ac394c29ac4dcb2c6dc5978ba284f033089b3c9389529a59030455dd2b40afdc
SHA512bb94cc112a6c2d79b9732b35a8b8660c5b310c787a9a6ba92d216adab3b3093328959e0f1a7c367d718997294840d6c0a40d38d522211e1655c86869fa17742a
-
Filesize
5KB
MD5e31b70467b0d7eeb29cae835ee993b5d
SHA1155713f1e8a959f69cbf0a1c409d392a3782bc77
SHA2561c671b3d5c74d675ed80d36b2e5d9429051e825bd11deecc9a69e13f5f31d00e
SHA512cb17417d1b3811d711b905b6eafb15dc03f88f75686bf8dc45f666168c862547fa64b28a6cdf3936800b82c2731bd4df70d73ef02b33b6194fbe7440692432fb
-
Filesize
100KB
MD5c457f7dc6091c5cd58fd181fcb116f0d
SHA143309913c0009fe78b17f0aba2409aa8043a759b
SHA2567ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3
SHA51212143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88
-
Filesize
100KB
MD5c457f7dc6091c5cd58fd181fcb116f0d
SHA143309913c0009fe78b17f0aba2409aa8043a759b
SHA2567ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3
SHA51212143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88
-
Filesize
100KB
MD5c457f7dc6091c5cd58fd181fcb116f0d
SHA143309913c0009fe78b17f0aba2409aa8043a759b
SHA2567ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3
SHA51212143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88
-
Filesize
100KB
MD5c457f7dc6091c5cd58fd181fcb116f0d
SHA143309913c0009fe78b17f0aba2409aa8043a759b
SHA2567ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3
SHA51212143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88
-
Filesize
100KB
MD5c457f7dc6091c5cd58fd181fcb116f0d
SHA143309913c0009fe78b17f0aba2409aa8043a759b
SHA2567ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3
SHA51212143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88