Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2024 04:22
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.PWSX-gen.21551.exe
Resource: win7-20240221-en
General
Target: SecuriteInfo.com.Win32.PWSX-gen.21551.exe
Size: 629KB
MD5: eebb33a5375ffd40682c86deea752033
SHA1: 8ed7b849ba2829a164ee569995f2d4d8a8d90924
SHA256: 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e
SHA512: 77b5fb3046040512a93e4e7069a5e4ded1362c2913b928232d00be416f93619c21e5a3aef20516336eb81e7c4067f88ae67caeada31ddda7480b0a5e3fcf5fe5
SSDEEP: 12288:DK0YOwqVT+BnEymdHekIrOuPhKPrbgAoOxCzSb0c6gb/wM4IKkR:DqO7VDVdDIrOusrbZoGWy0c9wM4IJ
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign ID: dz25
Domains (Formbook embeds one live C2 inside a list of decoy domains, so treat these as hunting pivots rather than a verified block list):
sdw123.com
theflower-jeju.com
bigbargins.shop
xn--grsdetetizao-dcb9c.site
visionprobiz.com
ebruunalsigorta.xyz
51tree.net
tommeynadier.com
spx21.com
researchupdatehub.com
rserveohio.com
schemaconsultant.com
ec-peleti.com
songkokgelhq.shop
sixfigureswithkarah.net
quickfinancebrokerage.com
alliance-couverture.com
heartlandinnovates.com
art-friday.online
curi-o-rama.com
tlfpros.xyz
pusatjudionline1a.com
exitmusic.xyz
jegrapo.com
paintk.com
hyperbaricredlight.net
residencialvilaflora.com
learnorama.in
xpjs194.cc
szjfly.com
ucelmobilya.net
idealsconsulting.com
baku.technology
wijaya88e.xyz
marketpaysolutions.com
kuristusjuntta.com
marchlightfilms.com
memento5.com
tigus.us
escarlatalabs.com
emsonsupport.com
t3ht6g3.pw
goldprocleaning.com
verifycerts.net
nltwfkdt.info
ohmioz.com
qticompanny.com
thirteencat.com
eliteedgeresources.com
alsalmisteel.com
dfxzwd.xyz
daigaku-debut.info
aquamunitions.com
68296dd.com
asas886.com
boutiquecelestiala.com
tsg-egypt.com
cgdm.shop
bizzyprofitness.com
sayhellotonails.com
umeboshisan.tech
elnuevonuevoleon.com
glenpa.net
tbj.one
venusbackend.live
Signatures
-
Formbook payload 2 IoCs
resource: behavioral1/memory/2532-12-0x0000000000400000-0x000000000042F000-memory.dmp  yara_rule: formbook
resource: behavioral1/memory/2532-13-0x0000000000401000-0x000000000042F000-memory.dmp  yara_rule: formbook
Both hits are in PID 2532, the second copy of the sample that the parent (PID 2920) wrote into and then re-pointed a thread at (see the SetThreadContext and WriteProcessMemory entries below). The unpacked Formbook payload therefore runs in the hollowed child, not in the dropper's own image; that is the process to dump for further analysis.
Suspicious use of SetThreadContext 1 IoCs
PID 2920 (SecuriteInfo.com.Win32.PWSX-gen.21551.exe) set thread context of PID 2532 (SecuriteInfo.com.Win32.PWSX-gen.21551.exe)
The target is a fresh instance of the same executable, which is the classic self-hollowing sequence: start a copy of yourself (typically suspended), overwrite its memory with the payload, then set its main thread's context so execution resumes inside the injected code.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid   process                                     events
2920  SecuriteInfo.com.Win32.PWSX-gen.21551.exe  7
2532  SecuriteInfo.com.Win32.PWSX-gen.21551.exe  1
2040  powershell.exe                             1
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege  pid 2920  SecuriteInfo.com.Win32.PWSX-gen.21551.exe
Token: SeDebugPrivilege  pid 2040  powershell.exe
Suspicious use of WriteProcessMemory 11 IoCs
pid   process                                     target pid  target process                             writes
2920  SecuriteInfo.com.Win32.PWSX-gen.21551.exe  2040        powershell.exe                             4
2920  SecuriteInfo.com.Win32.PWSX-gen.21551.exe  2532        SecuriteInfo.com.Win32.PWSX-gen.21551.exe  7
The four writes into powershell.exe are consistent with the writes CreateProcess itself performs when a parent starts a child and are not on their own evidence of injection. The seven writes into the second copy of the sample, paired with SetThreadContext on the same PID, are the hollowing.
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe (PID 2920)
   command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2040)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      The command line names System32 but the image that actually ran is under SysWOW64: the 32-bit parent is subject to file-system redirection, so it gets 32-bit PowerShell. Add-MpPreference needs an elevated session, and the report does not record whether the exclusion took effect; on a real host check Get-MpPreference (ExclusionPath) rather than assuming it did.
   2. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe (PID 2532)
      command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe"
      - Suspicious behavior: EnumeratesProcesses
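The hollowing chain and the Defender exclusion in the sections above are exactly what a responder wants pulled out of a report like this automatically. The following is an added Python example, not part of the sandbox report or its tooling: it parses constructed copies of the report's own signature lines and command line, confirms that the process that received the WriteProcessMemory calls is the same one whose thread context was set and that it runs the same image as its parent, decodes the dumped regions that matched the formbook YARA rule into bounds and sizes, and extracts the Add-MpPreference exclusion. The sample lines, regexes and function names are assumptions of this example; -ExclusionPath, -ExclusionProcess, -ExclusionExtension and -ExclusionIpAddress are real Add-MpPreference parameters, and matching all four goes beyond the single -ExclusionPath case seen on this page.

```python
"""Added example: triage helpers over this report's own notation.

Not part of the sandbox report or its tooling. Parses constructed copies of
the Signatures / Processes lines and answers three questions:
  1. Did a process write into AND re-point a thread of another process, and
     is that target a second copy of the same image (self-hollowing)?
  2. Which dumped memory regions in that target matched a YARA rule?
  3. Did any child add a Windows Defender exclusion via Add-MpPreference?
"""
import json
import re
from collections import defaultdict

IMG = "SecuriteInfo.com.Win32.PWSX-gen.21551.exe"

# Constructed input, copied from the report's Signatures and Processes sections.
WRITE_EVENTS = (
    [f"PID 2920 wrote to memory of 2040 2920 {IMG} powershell.exe"] * 4
    + [f"PID 2920 wrote to memory of 2532 2920 {IMG} {IMG}"] * 7
)
CTX_EVENTS = [f"PID 2920 set thread context of 2532 2920 {IMG} {IMG}"]
YARA_HITS = {
    "behavioral1/memory/2532-12-0x0000000000400000-0x000000000042F000-memory.dmp": "formbook",
    "behavioral1/memory/2532-13-0x0000000000401000-0x000000000042F000-memory.dmp": "formbook",
}
CMDLINES = {  # pid -> command line
    2040: '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
          'Add-MpPreference -ExclusionPath '
          f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{IMG}"',
}

# Report notation: "PID <src> <verb> <dst> <src> <src image> <dst image>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) (\d+) (\S+) (\S+)$")
# Dump naming: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
# Real Add-MpPreference exclusion parameters; only -ExclusionPath appears on this page.
EXCL_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+(\"[^\"]*\"|\S+)",
    re.IGNORECASE,
)


def parse_pairs(lines, pattern):
    """Map (src_pid, dst_pid) -> (src_image, dst_image, event_count)."""
    pairs = defaultdict(lambda: [None, None, 0])
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue
        src, dst, _, src_img, dst_img = m.groups()
        rec = pairs[(int(src), int(dst))]
        rec[0], rec[1], rec[2] = src_img, dst_img, rec[2] + 1
    return {k: tuple(v) for k, v in pairs.items()}


def detect_hollowing(write_lines, ctx_lines):
    """Flag targets that were both written into and had a thread context set by
    the same source. Same image on both sides is the self-hollowing pattern."""
    writes = parse_pairs(write_lines, WRITE_RE)
    ctx = parse_pairs(ctx_lines, CTX_RE)
    findings = []
    for src, dst in sorted(writes.keys() & ctx.keys()):
        src_img, dst_img, n = writes[(src, dst)]
        same = src_img.lower() == dst_img.lower()
        findings.append({"src_pid": src, "dst_pid": dst, "writes": n,
                         "same_image": same,
                         "verdict": "self-hollowing" if same else "remote-injection"})
    return findings


def payload_regions(yara_hits, pid):
    """Decode the dump names for `pid` that matched a rule into bounds and size."""
    regions = []
    for path, rule in yara_hits.items():
        m = DUMP_RE.search(path)
        if m and int(m.group(1)) == pid:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions.append({"rule": rule, "start": start, "end": end,
                            "size_kb": (end - start) // 1024})
    return sorted(regions, key=lambda r: r["start"])


def detect_defender_exclusion(cmdline):
    """Return {'kind', 'value'} for an Add-MpPreference exclusion, else None."""
    m = EXCL_RE.search(cmdline)
    if not m:
        return None
    return {"kind": m.group(1).lower(), "value": m.group(2).strip('"')}


def triage(write_lines, ctx_lines, yara_hits, cmdlines):
    """Tie the three checks together into one findings dict."""
    hollow = detect_hollowing(write_lines, ctx_lines)
    exclusions = {}
    for pid, cl in cmdlines.items():
        hit = detect_defender_exclusion(cl)
        if hit:
            exclusions[pid] = hit
    return {
        "hollowing": hollow,
        "payload": {f["dst_pid"]: payload_regions(yara_hits, f["dst_pid"]) for f in hollow},
        "exclusions": exclusions,
    }


if __name__ == "__main__":
    print(json.dumps(triage(WRITE_EVENTS, CTX_EVENTS, YARA_HITS, CMDLINES), indent=2))
```

On this report the output names PID 2532 as a self-hollowed copy of the sample with seven writes, lists its two matched regions at 0x400000 (188KB) and 0x401000 (184KB), and records the path excluded from Defender by PID 2040. The same-image test is what separates this pattern from ordinary remote injection into an unrelated process, so keep it as a separate field rather than folding it into the verdict.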
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Dump naming: memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
dump                                                             filesize
memory/2040-19-0x0000000074560000-0x0000000074B0B000-memory.dmp  5.7MB
memory/2040-24-0x0000000074560000-0x0000000074B0B000-memory.dmp  5.7MB
memory/2040-23-0x0000000002D90000-0x0000000002DD0000-memory.dmp  256KB
memory/2040-22-0x0000000002D90000-0x0000000002DD0000-memory.dmp  256KB
memory/2040-21-0x0000000002D90000-0x0000000002DD0000-memory.dmp  256KB
memory/2040-20-0x0000000074560000-0x0000000074B0B000-memory.dmp  5.7MB
memory/2532-13-0x0000000000401000-0x000000000042F000-memory.dmp  184KB
memory/2532-8-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
memory/2532-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
memory/2532-12-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/2532-6-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
memory/2532-14-0x0000000000910000-0x0000000000C13000-memory.dmp  3.0MB
memory/2920-16-0x0000000074470000-0x0000000074B5E000-memory.dmp  6.9MB
memory/2920-15-0x0000000074470000-0x0000000074B5E000-memory.dmp  6.9MB
memory/2920-1-0x0000000074470000-0x0000000074B5E000-memory.dmp   6.9MB
memory/2920-5-0x00000000049C0000-0x0000000004A36000-memory.dmp   472KB
memory/2920-4-0x00000000003F0000-0x00000000003FC000-memory.dmp   48KB
memory/2920-3-0x00000000004C0000-0x00000000004DA000-memory.dmp   104KB
memory/2920-2-0x0000000004F00000-0x0000000004F40000-memory.dmp   256KB
memory/2920-0-0x0000000000870000-0x000000000090A000-memory.dmp   616KB
The 0x400000-0x42F000 region of PID 2532 was dumped four times (sequence 6, 8, 12, 13); the formbook YARA rule matched the two later dumps (12 and 13), i.e. after the parent had finished writing the payload in.