Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
07-12-2022 04:29
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
Resource
win7-20221111-en
General
-
Target
SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
-
Size
259KB
-
MD5
197ab666b7242cd57be0af99c33c150e
-
SHA1
c67a8a7f437716bb324e2697412464fd165c6c90
-
SHA256
f88caffeed956cd5b1671dde49bfc61dac4fd2007b46287debf7dab6c179bf46
-
SHA512
a5babd41cc7dcc73710d4ca6d03121b3395601a398158f8375dacc391e7d0b5c6255f7faff0ede21db4351662f4c2d418f6fae2db17610c017272e3aa355863a
-
SSDEEP
6144:QBn1m1geH7jWuQ0IQWCPt2uKQ+Hm4PMuo:gmycnWuQ0hHoQ0Q
Malware Config
Extracted
formbook
4.1
pr28
huaxinimg.com
baorungas.com
comercializadoramultimus.com
blr-batipro.com
wantagedfas.uk
1thingplan.one
cweilin.com
lorienconsultingllc.com
jdzsjwx.com
casafacil.site
hkacgt.com
hasid.africa
92dgr97k4hr9.com
cvbiop.xyz
1wbskm.top
fantasticmobility.com
goodchoice2022.com
hafizpower.com
familiajoya.com
fundscrahelp.info
654-jp.com
locksmithexpressny.com
daniellelaurenhealth.com
65062.site
globallogisticsairline.com
livingdisabilitybenfits.com
cyprusposte.com
gladyshelps.click
letv.one
59963y.com
cre8tstudio.com
expandintofreedom.com
czechpeniche.com
windkind.net
cash4.cash
h9qblfpaog.one
growhthair.com
dmukpropertysolutions.co.uk
esd-protection.com
eqweqwewqewqewq.com
jovehome.com
dibujoart.com
fuy3.com
hthg172.com
crovv-creek.com
cannyok.online
inlook24.com
minionenterprises.net
doralfoundationssale.com
higgyspianobar.com
abundantproduction.com
agriseats.tech
diwolei.com
enwaav.tech
combienes.com
josiil.com
zweniprojects.africa
criplogistic.online
nerroir.com
blurockindustry.com
imaginaitonlibrary.com
ahavahfn.com
dougrushinglistings.com
leadsintolistings.com
alpheusmangale.com
Signatures
-
Formbook payload 2 IoCs
resource                                                                      yara_rule
behavioral2/memory/4816-144-0x0000000001200000-0x000000000122F000-memory.dmp  formbook
behavioral2/memory/4816-148-0x0000000001200000-0x000000000122F000-memory.dmp  formbook
-
Executes dropped EXE 2 IoCs
pid   Process
1376  zcvza.exe
4216  zcvza.exe
-
Suspicious use of SetThreadContext 3 IoCs
description                          pid   Process    procid_target
PID 1376 set thread context of 4216  1376  zcvza.exe  80
PID 4216 set thread context of 3044  4216  zcvza.exe  61
PID 4816 set thread context of 3044  4816  cmd.exe    61
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid   Process
4216  zcvza.exe  (4 identical entries)
4816  cmd.exe    (remaining identical entries; 58 IoCs in total)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
3044  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
pid   Process
1376  zcvza.exe
1376  zcvza.exe
4216  zcvza.exe
4216  zcvza.exe
4216  zcvza.exe
4816  cmd.exe
4816  cmd.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  4216  zcvza.exe
Token: SeDebugPrivilege  4816  cmd.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
description                       pid   Process                                               procid_target
PID 520 wrote to memory of 1376   520   SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe  78
PID 520 wrote to memory of 1376   520   SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe  78
PID 520 wrote to memory of 1376   520   SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe  78
PID 1376 wrote to memory of 4216  1376  zcvza.exe                                             80
PID 1376 wrote to memory of 4216  1376  zcvza.exe                                             80
PID 1376 wrote to memory of 4216  1376  zcvza.exe                                             80
PID 1376 wrote to memory of 4216  1376  zcvza.exe                                             80
PID 3044 wrote to memory of 4816  3044  Explorer.EXE                                          81
PID 3044 wrote to memory of 4816  3044  Explorer.EXE                                          81
PID 3044 wrote to memory of 4816  3044  Explorer.EXE                                          81
PID 4816 wrote to memory of 644   4816  cmd.exe                                               82
PID 4816 wrote to memory of 644   4816  cmd.exe                                               82
PID 4816 wrote to memory of 644   4816  cmd.exe                                               82
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID: 3044

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.11327.14248.exe"
    - Suspicious use of WriteProcessMemory
    PID: 520

    C:\Users\Admin\AppData\Local\Temp\zcvza.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zcvza.exe" C:\Users\Admin\AppData\Local\Temp\imcnxbnbbb.j
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 1376

      C:\Users\Admin\AppData\Local\Temp\zcvza.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\zcvza.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        PID: 4216

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4816

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\zcvza.exe"
      PID: 644
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
185KB
MD5
ed232e70dae27a58281d330aa9591674
SHA1
cb9ded97fa32bafde70c30fd3ddd8bff8279686f
SHA256
ac394c29ac4dcb2c6dc5978ba284f033089b3c9389529a59030455dd2b40afdc
SHA512
bb94cc112a6c2d79b9732b35a8b8660c5b310c787a9a6ba92d216adab3b3093328959e0f1a7c367d718997294840d6c0a40d38d522211e1655c86869fa17742a
-
Filesize
5KB
MD5
e31b70467b0d7eeb29cae835ee993b5d
SHA1
155713f1e8a959f69cbf0a1c409d392a3782bc77
SHA256
1c671b3d5c74d675ed80d36b2e5d9429051e825bd11deecc9a69e13f5f31d00e
SHA512
cb17417d1b3811d711b905b6eafb15dc03f88f75686bf8dc45f666168c862547fa64b28a6cdf3936800b82c2731bd4df70d73ef02b33b6194fbe7440692432fb
-
Filesize
100KB
MD5
c457f7dc6091c5cd58fd181fcb116f0d
SHA1
43309913c0009fe78b17f0aba2409aa8043a759b
SHA256
7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3
SHA512
12143b748e6e2369fe297837da9b62d54889fbacba58959bdc4a3d64868fc01a30cbbf6f2f1ea8cabd555ed08cd5b14f68d6893737de38af2e76335e39247c88