Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 09-07-2023 19:17
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfocomTrojanGene.exe
- Resource: win7-20230703-en
General
- Target: SecuriteInfocomTrojanGene.exe
- Size: 261KB
- MD5: b3368c7d14c040c8734d69b5bbc0c635
- SHA1: d34224b8b7e01e22292a7eac678d337f00834a2b
- SHA256: a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114
- SHA512: 5b036fe1a1650b8fbf03b2d4a91692ad271ce3a7fd572d6256e7b8aa71d9a8849b610865e782d2ab8566b7c44ee61af8965ab922d9e7ea552cb04734aee39c34
- SSDEEP: 3072:FJ2S2L6KbqDCwcrMEEKsmO39oW1jSAI+ltOJ7y4UjjiJ0bUSgSBQ8QNn9lmDe5+W:F8LxBszXOyrSJm/bQN9laFexrODdtKRf
Malware Config
Extracted
formbook
4.1
dn7r
Signatures
Formbook payload 4 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/3032-62-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral1/memory/3032-66-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral1/memory/2972-73-0x0000000000080000-0x00000000000AF000-memory.dmp: formbook
- behavioral1/memory/2972-75-0x0000000000080000-0x00000000000AF000-memory.dmp: formbook
Deletes itself 1 IoCs
Processes (pid, process):
- 2872 cmd.exe
Loads dropped DLL 1 IoCs
Processes (pid, process):
- 2308 SecuriteInfocomTrojanGene.exe
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 2308 set thread context of 3032: 2308 SecuriteInfocomTrojanGene.exe -> SecuriteInfocomTrojanGene.exe
- PID 3032 set thread context of 1232: 3032 SecuriteInfocomTrojanGene.exe -> Explorer.EXE
- PID 2972 set thread context of 1232: 2972 cmmon32.exe -> Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes (pid, process):
- 3032 SecuriteInfocomTrojanGene.exe (2 entries)
- 2972 cmmon32.exe (26 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 1232 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process):
- 3032 SecuriteInfocomTrojanGene.exe (3 entries)
- 2972 cmmon32.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege: 3032 SecuriteInfocomTrojanGene.exe
- Token: SeDebugPrivilege: 2972 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
- 1232 Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid, process):
- 1232 Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory 15 IoCs
Processes (description, pid, process, target process):
- PID 2308 wrote to memory of 3032: 2308 SecuriteInfocomTrojanGene.exe -> SecuriteInfocomTrojanGene.exe (7 entries)
- PID 1232 wrote to memory of 2972: 1232 Explorer.EXE -> cmmon32.exe (4 entries)
- PID 2972 wrote to memory of 2872: 2972 cmmon32.exe -> cmd.exe (4 entries)
Processes (indentation shows parent/child; the number is the tree depth)
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmmon32.exe
      Command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomTrojanGene.exe"
         - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 705293292c28b3145cadf9136b755103
  SHA1: 5cf6044f84d25b0edd90e95dfb216086d08030bd
  SHA256: 20a9f6aee42486e8beec69f272680e583ce830b8a48c2bcc7c6abae7f2b05117
  SHA512: d73b3b6d2f5eca1b63c3ad0b6534587b28ddb10d6cf2de928af42c6598debff7da31cb65bab6bf902a9b4175fe9b67efa6f947d23727e585d6e0cae3c5f097ca
- C:\Users\Admin\AppData\Local\Temp\CabEA71.tmp
  Filesize: 62KB
  MD5: 3ac860860707baaf32469fa7cc7c0192
  SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
  SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
  SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
- C:\Users\Admin\AppData\Local\Temp\TarED42.tmp
  Filesize: 164KB
  MD5: 4ff65ad929cd9a367680e0e5b1c08166
  SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
  SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
  SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
- C:\Users\Admin\AppData\Local\Temp\nse2DB7.tmp\bvxzu.dll
  Filesize: 47KB
  MD5: ea41f063d08a24c992a9db51ebd1fd7f
  SHA1: f28dda174cb32acfdc47cae0a101de53ab78d3a4
  SHA256: 9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee
  SHA512: ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58
- \Users\Admin\AppData\Local\Temp\nse2DB7.tmp\bvxzu.dll
  Filesize: 47KB
  MD5: ea41f063d08a24c992a9db51ebd1fd7f
  SHA1: f28dda174cb32acfdc47cae0a101de53ab78d3a4
  SHA256: 9b51a7156f242aaafb43c7ca8b5ff9547643a747e4a672d06669aec9a29b28ee
  SHA512: ca7875967878aae950a48b1e149154d6181813717317cb3cb2ab95bff729e115d88b838912021c73f67cdf09fa30aa6a469b153a43e63f348613eb341d8bab58
- memory/1232-77-0x0000000000440000-0x0000000000540000-memory.dmp
  Filesize: 1024KB
- memory/1232-82-0x0000000006AC0000-0x0000000006C2C000-memory.dmp
  Filesize: 1.4MB
- memory/1232-68-0x0000000003F20000-0x0000000003FE1000-memory.dmp
  Filesize: 772KB
- memory/1232-80-0x0000000006AC0000-0x0000000006C2C000-memory.dmp
  Filesize: 1.4MB
- memory/1232-79-0x0000000006AC0000-0x0000000006C2C000-memory.dmp
  Filesize: 1.4MB
- memory/2308-63-0x0000000074A00000-0x0000000074A10000-memory.dmp
  Filesize: 64KB
- memory/2972-73-0x0000000000080000-0x00000000000AF000-memory.dmp
  Filesize: 188KB
- memory/2972-75-0x0000000000080000-0x00000000000AF000-memory.dmp
  Filesize: 188KB
- memory/2972-74-0x0000000001FC0000-0x00000000022C3000-memory.dmp
  Filesize: 3.0MB
- memory/2972-78-0x0000000001E30000-0x0000000001EC4000-memory.dmp
  Filesize: 592KB
- memory/2972-72-0x0000000000A20000-0x0000000000A2D000-memory.dmp
  Filesize: 52KB
- memory/2972-70-0x0000000000A20000-0x0000000000A2D000-memory.dmp
  Filesize: 52KB
- memory/3032-66-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/3032-67-0x0000000000350000-0x0000000000365000-memory.dmp
  Filesize: 84KB
- memory/3032-65-0x0000000000740000-0x0000000000A43000-memory.dmp
  Filesize: 3.0MB
- memory/3032-62-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB