Analysis
-
max time kernel: 153s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2022 08:34
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe
Resource: win7-20220812-en
General
-
Target: SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe
Size: 552KB
MD5: 46333b6ff15c92a0338fb82a3ffda095
SHA1: e0c71790f415c5894a89c72f047fc2080e920ee4
SHA256: 71562f1899bf12998b47d4f245d62c07e152a91ee9191dfaff9a963e3fcd3f7f
SHA512: 92644ed70c4f28a72399c98ec8c5e72ec4c073e31069a6887dc2a265f6e58c70d7c5f6919a8c1e99f922a939c899e72a4711bc87e914ad053233012e623875a0
SSDEEP: 12288:GbXKERz+4rqtEmCqfupYcjyf5ITpqRiixvx4bsFslx+haSw8:GtC4utExqf6YX5ITpRixvx4oFslx+hrw
Malware Config
Extracted
formbook
4.1
urde
belleriacortland.com
gxzyykx.com
blocksholding.net
zhangjiyuan.com
tyfinck.com
xn--v9s.club
xn--72c9at8ec1l.com
dorismart.online
nocodeuni.com
hmmprocesos.website
quartile.agency
iansdogname.com
karengillen.com
the-bitindexprime.info
nthanisolutions.com
nakamu.online
sahityanepal.com
sinwinindustry.com
shotblastwearingparts.com
nstsuccess.com
attilaentrepreneurs.com
poweranalytics.site
winfreeagency.com
gopima.com
suthworld.com
lastfrontiercontractingco.com
couches-sofas-32195.com
41829.site
tranbou.sbs
equus-creative.com
yamicog.com
streettreatsicecreamtruck.com
netflixconnexiontv.fr
unclerepair.com
rmchomeloan.center
nft-quantum.online
kungquer.com
casa-gomez.com
sensing.rest
midtowndistrictsantafe.info
kaity.site
farawayflessner.com
qye490kxb.online
pamediq.com
powerhandsbypowerfit.com
lifebeyondbeauty.net
meda-services.com
faylike.com
yivvitsandmrbubble.com
mosesgoldsmithbuilding.com
fisharinvastmnts.com
xeome.co
scentsibleliving.com
abbyfaith.com
drgrantmdretinalspecialist.com
riccardoolivier.com
torremtbox.com
virginiavoyager.com
premiumesa.com
oddsonor.com
zhekobaicai.com
nathansproperty.com
apetigo.com
zanzibarbeachclub.com
niveaguide.com
Signatures
-
Formbook payload (5 IoCs)
resource | yara_rule
behavioral2/memory/4248-134-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/4248-135-0x000000000041F140-mapping.dmp | formbook
behavioral2/memory/4248-142-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/1748-145-0x0000000001100000-0x000000000112F000-memory.dmp | formbook
behavioral2/memory/1748-149-0x0000000001100000-0x000000000112F000-memory.dmp | formbook
-
Suspicious use of SetThreadContext (3 IoCs)
Processes: SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe, CasPol.exe, cmd.exe
description | pid | process | target process
PID 2232 set thread context of 4248 | 2232 | SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe | CasPol.exe
PID 4248 set thread context of 2940 | 4248 | CasPol.exe | Explorer.EXE
PID 1748 set thread context of 2940 | 1748 | cmd.exe | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes: CasPol.exe, cmd.exe
pid | process | occurrences
4248 | CasPol.exe | 4
1748 | cmd.exe | 54
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
pid | process
2940 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: CasPol.exe, cmd.exe
pid | process | occurrences
4248 | CasPol.exe | 3
1748 | cmd.exe | 2
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: CasPol.exe, cmd.exe
description | pid | process
Token: SeDebugPrivilege | 4248 | CasPol.exe
Token: SeDebugPrivilege | 1748 | cmd.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe, Explorer.EXE, cmd.exe
description | pid | process | target process | occurrences
PID 2232 wrote to memory of 4248 | 2232 | SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe | CasPol.exe | 6
PID 2940 wrote to memory of 1748 | 2940 | Explorer.EXE | cmd.exe | 3
PID 1748 wrote to memory of 5060 | 1748 | cmd.exe | cmd.exe | 3
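The WriteProcessMemory and SetThreadContext tables above record which process wrote into which, and which process redirected a thread in which. The Python script below is an added example, not part of the sandbox report: it parses those event lines (copied from the tables) and rebuilds the injection chain, labelling each source/target pair by whether memory writes, a thread redirect, or both were observed. The regular expression for the table layout and the labels hollowing, ctx_only and write_only are this script's own assumptions, not the sandbox's classification.

```python
"""Reconstruct the injection chain recorded in the sandbox signature tables.

Added example, not part of the sandbox report. The event lines are copied
from the 'Suspicious use of WriteProcessMemory' and 'Suspicious use of
SetThreadContext' tables; the parser and the labels are this script's own.
"""
import re
from collections import defaultdict

SAMPLE = "SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe"

# One entry per IoC exactly as the report lists them (repeats kept as repeats).
EVENTS = (
    [f"PID 2232 wrote to memory of 4248 2232 {SAMPLE} CasPol.exe"] * 6
    + ["PID 2940 wrote to memory of 1748 2940 Explorer.EXE cmd.exe"] * 3
    + ["PID 1748 wrote to memory of 5060 1748 cmd.exe cmd.exe"] * 3
    + [
        f"PID 2232 set thread context of 4248 2232 {SAMPLE} CasPol.exe",
        "PID 4248 set thread context of 2940 4248 CasPol.exe Explorer.EXE",
        "PID 1748 set thread context of 2940 1748 cmd.exe Explorer.EXE",
    ]
)

# Assumed layout: "PID <src> <action> <dst> <src> <src name> <dst name>"
_EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)$"
)
ACTION = {"wrote to memory of": "write", "set thread context of": "ctx"}


def parse_events(lines):
    """Return (src, dst, action, src_name, dst_name) tuples; skip unparseable lines."""
    out = []
    for line in lines:
        m = _EVENT_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), int(m["dst"]), ACTION[m["action"]],
                        m["src_name"], m["dst_name"]))
    return out


def summarize(events):
    """Collapse events into one record per (src, dst) pair with per-action counts."""
    summary = {}
    for src, dst, action, src_name, dst_name in events:
        rec = summary.setdefault((src, dst), {"src_name": src_name,
                                               "dst_name": dst_name, "write": 0, "ctx": 0})
        rec[action] += 1
    return summary


def classify(rec):
    """Heuristic label for one injection edge (this script's own terms).

    hollowing  : memory written into the target and a thread redirected into it.
    ctx_only   : thread redirected with no observed WriteProcessMemory, so the
                 code reached the target another way (e.g. a mapped section).
    write_only : memory written, no thread redirect seen for this pair.
    """
    if rec["write"] and rec["ctx"]:
        return "hollowing"
    return "ctx_only" if rec["ctx"] else "write_only"


def roots(summary):
    """PIDs that inject into others but were never injected into themselves."""
    return sorted({s for s, _ in summary} - {d for _, d in summary})


def injection_chain(summary, root):
    """Depth-first walk over injection edges from root; each PID visited once."""
    children = defaultdict(list)
    for src, dst in summary:
        children[src].append(dst)
    order, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(children[pid]))  # preserve table order
    return order


def report(lines=EVENTS):
    """Human-readable edge list plus the chain from every root."""
    summary = summarize(parse_events(lines))
    rows = [f"{s} {r['src_name']} -> {d} {r['dst_name']}: {r['write']} write(s), "
            f"{r['ctx']} SetThreadContext [{classify(r)}]"
            for (s, d), r in summary.items()]
    for root in roots(summary):
        chain = " -> ".join(str(p) for p in injection_chain(summary, root))
        rows.append(f"chain from {root}: {chain}")
    return rows


if __name__ == "__main__":
    print("\n".join(report()))
```

Run stand-alone it prints one line per edge and the chain 2232 -> 4248 -> 2940 -> 1748 -> 5060. The two edges into Explorer.EXE (2940) come out as ctx_only: a thread is redirected with no WriteProcessMemory behind it. The MapViewOfSection signature fires for exactly those two source PIDs (4248 and 1748), which is where to look when the write is missing from the trace.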
Processes
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.17395.4795.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Network
MITRE ATT&CK Matrix
Downloads
-
file | size
memory/1748-144-0x0000000000D80000-0x0000000000DDA000-memory.dmp | 360KB
memory/1748-141-0x0000000000000000-mapping.dmp | -
memory/1748-149-0x0000000001100000-0x000000000112F000-memory.dmp | 188KB
memory/1748-147-0x00000000017D0000-0x0000000001863000-memory.dmp | 588KB
memory/1748-146-0x0000000001920000-0x0000000001C6A000-memory.dmp | 3.3MB
memory/1748-145-0x0000000001100000-0x000000000112F000-memory.dmp | 188KB
memory/2232-132-0x00000251B3510000-0x00000251B359E000-memory.dmp | 568KB
memory/2232-136-0x00007FFBFEF90000-0x00007FFBFFA51000-memory.dmp | 10.8MB
memory/2232-133-0x00007FFBFEF90000-0x00007FFBFFA51000-memory.dmp | 10.8MB
memory/2940-148-0x0000000008AE0000-0x0000000008BE9000-memory.dmp | 1.0MB
memory/2940-140-0x0000000008550000-0x0000000008658000-memory.dmp | 1.0MB
memory/2940-150-0x0000000008AE0000-0x0000000008BE9000-memory.dmp | 1.0MB
memory/4248-137-0x0000000001060000-0x00000000013AA000-memory.dmp | 3.3MB
memory/4248-135-0x000000000041F140-mapping.dmp | -
memory/4248-134-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/4248-139-0x0000000000F80000-0x0000000000F94000-memory.dmp | 80KB
memory/4248-142-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/5060-143-0x0000000000000000-mapping.dmp | -
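Each dump name under Downloads encodes the PID, a sequence number and the dumped address range. The Python script below is an added example, not part of the report: it re-derives every region's size from its address range and checks it against the printed size, finds which dumped regions of the same process contain the one non-zero mapping.dmp address (0x41F140 in PID 4248), and lists the region sizes that the formbook rule flagged in more than one process. The dump list and the set of YARA hits are copied from this report. The assumptions are this script's own: that the mapping.dmp address names a location inside an injected image, and that the same flagged size at different bases in two PIDs points at one image copied between them; the report itself states neither.

```python
"""Cross-check the Downloads list against the 'Formbook payload' YARA hits.

Added example, not part of the sandbox report. Dump names, sizes and the set
of YARA-flagged dumps are copied from the report; the checks are this script's.
"""
import re

# (dump name, size as printed in the report); mapping.dmp entries carry no size.
DUMPS = [
    ("memory/1748-144-0x0000000000D80000-0x0000000000DDA000-memory.dmp", "360KB"),
    ("memory/1748-141-0x0000000000000000-mapping.dmp", None),
    ("memory/1748-149-0x0000000001100000-0x000000000112F000-memory.dmp", "188KB"),
    ("memory/1748-147-0x00000000017D0000-0x0000000001863000-memory.dmp", "588KB"),
    ("memory/1748-146-0x0000000001920000-0x0000000001C6A000-memory.dmp", "3.3MB"),
    ("memory/1748-145-0x0000000001100000-0x000000000112F000-memory.dmp", "188KB"),
    ("memory/2232-132-0x00000251B3510000-0x00000251B359E000-memory.dmp", "568KB"),
    ("memory/2232-136-0x00007FFBFEF90000-0x00007FFBFFA51000-memory.dmp", "10.8MB"),
    ("memory/2232-133-0x00007FFBFEF90000-0x00007FFBFFA51000-memory.dmp", "10.8MB"),
    ("memory/2940-148-0x0000000008AE0000-0x0000000008BE9000-memory.dmp", "1.0MB"),
    ("memory/2940-140-0x0000000008550000-0x0000000008658000-memory.dmp", "1.0MB"),
    ("memory/2940-150-0x0000000008AE0000-0x0000000008BE9000-memory.dmp", "1.0MB"),
    ("memory/4248-137-0x0000000001060000-0x00000000013AA000-memory.dmp", "3.3MB"),
    ("memory/4248-135-0x000000000041F140-mapping.dmp", None),
    ("memory/4248-134-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/4248-139-0x0000000000F80000-0x0000000000F94000-memory.dmp", "80KB"),
    ("memory/4248-142-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/5060-143-0x0000000000000000-mapping.dmp", None),
]

# Dumps matched by the report's 'formbook' YARA rule ('Formbook payload' signature).
FORMBOOK_HITS = {
    "memory/4248-134-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/4248-135-0x000000000041F140-mapping.dmp",
    "memory/4248-142-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1748-145-0x0000000001100000-0x000000000112F000-memory.dmp",
    "memory/1748-149-0x0000000001100000-0x000000000112F000-memory.dmp",
}

# Assumed layout: memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp
_NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump(name):
    """Split a dump file name into pid, sequence number, address range and kind."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16) if m["end"] else None, "kind": m["kind"]}


def human_size(n):
    """Size as the report prints it: whole KB below 1 MB, otherwise one-decimal MB."""
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


def check_sizes(dumps=DUMPS):
    """(name, size from address range, printed size, match) for every range dump."""
    rows = []
    for name, reported in dumps:
        d = parse_dump(name)
        if d["end"] is not None:
            size = human_size(d["end"] - d["start"])
            rows.append((name, size, reported, size == reported))
    return rows


def mapping_inside(dumps=DUMPS):
    """Same-PID memory.dmp regions that contain each non-zero mapping.dmp address."""
    parsed = [parse_dump(name) for name, _ in dumps]
    out = {}
    for m in (d for d in parsed if d["kind"] == "mapping" and d["start"]):
        out[m["name"]] = [r["name"] for r in sorted(parsed, key=lambda d: d["seq"])
                          if r["kind"] == "memory" and r["pid"] == m["pid"]
                          and r["start"] <= m["start"] < r["end"]]
    return out


def same_size_across_pids(dumps=DUMPS, hits=FORMBOOK_HITS):
    """Flagged region sizes seen in more than one PID (heuristic: one relocated image)."""
    by_size = {}
    for name, _ in dumps:
        d = parse_dump(name)
        if name in hits and d["end"] is not None:
            by_size.setdefault(d["end"] - d["start"], set()).add(d["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for name, size, reported, ok in check_sizes():
        print("OK " if ok else "BAD", name, size, reported)
    print(mapping_inside())
    print({hex(s): sorted(p) for s, p in same_size_across_pids().items()})
```

All fifteen printed sizes agree with their address ranges. The 0x41F140 mapping address falls inside the two 0x400000-0x42F000 dumps of CasPol.exe (PID 4248), i.e. inside the region the formbook rule matched; the 188KB (0x2F000) flagged region appears both there and at 0x1100000 in cmd.exe (PID 1748), which is the same-size payload in two processes that the SetThreadContext chain above would lead you to expect.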