Analysis
-
max time kernel: 139s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
submitted: 09-07-2023 12:30
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
Resource
win7-20230705-en
General
-
Target: SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
Size: 261KB
MD5: b3368c7d14c040c8734d69b5bbc0c635
SHA1: d34224b8b7e01e22292a7eac678d337f00834a2b
SHA256: a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114
SHA512: 5b036fe1a1650b8fbf03b2d4a91692ad271ce3a7fd572d6256e7b8aa71d9a8849b610865e782d2ab8566b7c44ee61af8965ab922d9e7ea552cb04734aee39c34
SSDEEP: 3072:FJ2S2L6KbqDCwcrMEEKsmO39oW1jSAI+ltOJ7y4UjjiJ0bUSgSBQ8QNn9lmDe5+W:F8LxBszXOyrSJm/bQN9laFexrODdtKRf
Malware Config
Extracted
formbook
4.1
dn7r
Signatures
-
Formbook payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/5036-142-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
Loads dropped DLL 1 IoCs
Processes:
pid | process
4240 | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4240 set thread context of 5036 | 4240 | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
5036 | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
5036 | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 4240 wrote to memory of 5036 | 4240 | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
PID 4240 wrote to memory of 5036 | 4240 | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
PID 4240 wrote to memory of 5036 | 4240 | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
PID 4240 wrote to memory of 5036 | 4240 | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
PID 4240 wrote to memory of 5036 | 4240 | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
PID 4240 wrote to memory of 5036 | 4240 | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe | SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.30369079.30803.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsiD3B.tmp\bvxzu.dll
Filesize: 47KB
MD5: ea41f063d08a24c992a9db51ebd1fd7f
SHA1: f28dda174cb32acfdc47cae0a101de53ab78d3a4
SHA256: 9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee
SHA512: ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58
-
memory/4240-140-0x00000000749D0000-0x00000000749E0000-memory.dmp
Filesize: 64KB
-
memory/4240-143-0x00000000749D0000-0x00000000749E0000-memory.dmp
Filesize: 64KB
-
memory/5036-142-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/5036-146-0x0000000000A00000-0x0000000000D4A000-memory.dmp
Filesize: 3.3MB