Analysis

max time kernel: 139s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 15:28

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.PWSX-gen.21070.exe
Resource: win7-20230831-en
General

Target: SecuriteInfo.com.Win32.PWSX-gen.21070.exe
Size: 852KB
MD5: 9db2aef89a0872e99d266cfb6ed00999
SHA1: 4ff386a6dc8f254c76215243d28ca3efbd934c1b
SHA256: ce345574366b94994a2aade4a96ade0eee23ad088211416b5695166cd251ec61
SHA512: 07b568f24429c68ec06b87457ff969f7b70e12720d656d91e0680f3251ec6600f7ac559b8e858ebd71c09e067dd09c009bb791e7a3333ed9e95babf70f970c48
SSDEEP: 12288:vP27U0WWObWpf57f6ESknqQrQJfI2CiPQfP12Xk/Nl1dSQ1Ulx3/z6OAq7hxfZuk:veD4+f5eEn1mxCiPQfP28NX0Qulxw
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: v93r
C2 domains:
labourcommunitymarket.com
nba82.com
datahabitsales.site
rosstony.link
baliorganic.farm
qefhyjngrxcbjfvgft.autos
bippttcg.click
tldrschool.com
vcdaawug.click
garage2mats.com
soulrin.store
themezodermacream.com
522fairwaylookout.com
jmhoa.cyou
sygcb.link
thanhpresident.com
biy-home.com
imtmlife.online
dijitalpasaj.app
105261.com
wyldnwestern.com
risefootwear.com
bbmusic906.com
unsold-laptops-seek.today
oixkphfm9oap.xyz
steelyholdings.com
ticket2future.site
vndlsvllns.com
rupashtgai.com
lexpy.xyz
drillingkingtool.com
lkpmekarjaya.com
luoyutao.love
notfrank.tech
calawadvice.com
wpc-rotterdam.com
pttroblox.com
coffeeforsoldiers.com
csshhinm.click
bmsexpert.com
coperworks.com
fengwowuye.com
dariobisogno.com
naturalresourcetrail.com
allupinyourbizness.com
cheapjerseysfreeshipping.store
upgoavvi.click
mynintdndonews.com
zorailabs.com
akonghoki.click
lgoicube.com
rapportus.com
lxdutzuc.click
kradbfkweqd888.com
fbjbk.com
lojaravystore.online
truthistanbul.xyz
ilda.vip
holytoastknox.com
owsspa.com
oyyltyzn.click
pesawat-tempur-3.site
wyxhoo.com
jiahao668.com
myacc.info
Signatures

Formbook payload (1 IoC)
resource: behavioral2/memory/2108-12-0x0000000000400000-0x000000000042F000-memory.dmp
yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
description                            pid   Process                                    procid_target
PID 4328 set thread context of 2108    4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  98

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process
4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe
4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe
4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe
4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe
4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe
4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe
2108  SecuriteInfo.com.Win32.PWSX-gen.21070.exe
2108  SecuriteInfo.com.Win32.PWSX-gen.21070.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description                pid   Process
Token: SeDebugPrivilege    4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description                          pid   Process                                    procid_target
PID 4328 wrote to memory of 2820     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  97
PID 4328 wrote to memory of 2820     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  97
PID 4328 wrote to memory of 2820     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  97
PID 4328 wrote to memory of 3312     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  100
PID 4328 wrote to memory of 3312     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  100
PID 4328 wrote to memory of 3312     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  100
PID 4328 wrote to memory of 3328     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  99
PID 4328 wrote to memory of 3328     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  99
PID 4328 wrote to memory of 3328     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  99
PID 4328 wrote to memory of 2108     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  98
PID 4328 wrote to memory of 2108     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  98
PID 4328 wrote to memory of 2108     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  98
PID 4328 wrote to memory of 2108     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  98
PID 4328 wrote to memory of 2108     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  98
PID 4328 wrote to memory of 2108     4328  SecuriteInfo.com.Win32.PWSX-gen.21070.exe  98
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.exe"
  PID: 4328
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child processes:

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.exe"
    PID: 2820

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.exe"
    PID: 2108
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.exe"
    PID: 3328

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21070.exe"
    PID: 3312