Analysis

Max time kernel: 148s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 15-07-2024 06:24

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe
  Resource: win7-20240704-en
General

Target: SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe
Size: 691KB
MD5: c2ae4fdb661a151be4876289ed7f8261
SHA1: f8fbb8b8ddb55aacc20449ff2bd5d671e4cbb9fa
SHA256: d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0
SHA512: 2642eac12e6a42fbd503621871802da278e0c68a4678675ddbe71f66d7a2b7d0ed8a22640c13d153ea63bcb33f7f13ae32eaa3e444fc451c64a1839d8cc91c89
SSDEEP: 12288:luCDWx2PQfnESfZ0nl+xD4u1JW31MlxwXY5oMY3tQMmVHMe3+L4Ull0l8fkR:/awMnESR0nl+Z9OSXwXuoaVse3+sCie6
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: 45er
C2 domains (Formbook configs embed decoy domains alongside the live C2, so treat this list as hunting indicators rather than confirmed infrastructure):
depotpulsa.com
k2bilbao.online
bb4uoficial.com
rwc666.club
us-pservice.cyou
tricegottreats.com
zsystems.pro
qudouyin6.com
sfumaturedamore.net
pcetyy.icu
notbokin.online
beqprod.tech
flipbuilding.com
errormitigationzoo.com
zj5u603.xyz
jezzatravel.com
zmdniavysyi.shop
quinnsteele.com
522334.com
outdoorshopping.net
7140k.vip
appmonster.live
rvrentalsusane.com
berry-hut.com
h-m-32.com
aklnk.xyz
project.fail
thelbacollection.com
ternkm.com
331022.xyz
qhr86.com
casvivip.com
f661dsa-dsf564a.biz
holisticfox.com
taobaoo03.com
kursy-parikmaher.store
reignscents.com
wot4x4.com
axoloterosa.com
instzn.site
nn477.xyz
jwsalestx.com
cualuoinuhoang.com
sagehrsuiteindercloud.solutions
2ecxab.vip
lottery99nft.xyz
budakbetingbet43.click
plaay.live
drmediapulsehub.com
bahismax.com
clareleeuwinclark.com
clarimix.com
ssongg11913.cfd
shapoorji-kingstown.com
detoxifysupplements.info
easy100ksidegig.com
abramovatata.online
barillonfo.net
keendeed.com
yunosave.online
pptv05.xyz
malianbeini.net
polariscicuit.com
sahibindencomparamguvend.link
used-cars-99583.bond
Signatures

Formbook payload (2 IoCs)
  Resource                                                                      YARA rule
  behavioral1/memory/2848-18-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2648-23-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

Suspicious use of SetThreadContext (3 IoCs)
  PID   Process                                            Target PID  Target process
  2900  SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe    2848        RegSvcs.exe
  2848  RegSvcs.exe                                        1208        Explorer.EXE
  2648  cmd.exe                                            1208        Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (33 IoCs)
  PID   Process                                            Count
  2900  SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe    4
  2848  RegSvcs.exe                                        2
  2288  powershell.exe                                     1
  2648  cmd.exe                                            26

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID   Process       Count
  2848  RegSvcs.exe   3
  2648  cmd.exe       2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token             PID   Process
  SeDebugPrivilege  2900  SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe
  SeDebugPrivilege  2848  RegSvcs.exe
  SeDebugPrivilege  2288  powershell.exe
  SeDebugPrivilege  2648  cmd.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  PID   Process                                            Target PID  Target process   Count
  2900  SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe    2288        powershell.exe   4
  2900  SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe    2720        schtasks.exe     4
  2900  SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe    2848        RegSvcs.exe      10
  1208  Explorer.EXE                                       2648        cmd.exe          4
  2648  cmd.exe                                            2632        cmd.exe          4
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory
    PID: 1208

  [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2900

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXqUfHySpG.exe"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2288

    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXqUfHySpG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A9.tmp"
        - Scheduled Task/Job: Scheduled Task
        PID: 2720

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        PID: 2848

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\SysWOW64\cmd.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2648

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        PID: 2632

Reading the tree: the sample (PID 2900) starts PowerShell to add a Defender exclusion for a path under AppData\Roaming whose file name matches the scheduled task it then registers (Updates\sXqUfHySpG, defined by an XML file dropped in Temp), and starts RegSvcs.exe with no arguments and uses SetThreadContext against it (PID 2848), which is where the first Formbook YARA hit lands. RegSvcs.exe in turn sets the thread context of Explorer.EXE (PID 1208); Explorer then spawns cmd.exe (PID 2648, the second Formbook memory hit), whose child deletes the RegSvcs.exe binary that served as the injection host. Note that the images resolve under C:\Windows\SysWOW64 while the command lines name System32: the sample runs as a 32-bit process on the x64 guest, and WOW64 file-system redirection maps the paths.
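Detection logic for the chain in the tree above, written here as an added example; it is not part of the sandbox report or its tooling. It runs four rules over Sysmon-style process-creation records (fields pid, ppid, image, cmdline) that are constructed below to mirror the report's process tree, plus one benign RegSvcs.exe launch as a control: a PowerShell Add-MpPreference exclusion, a schtasks /Create whose /XML file lives under a user's AppData, a known .NET utility (the DOTNET_HOSTS set is an assumption of this example) started with no arguments by a parent running from AppData, and a cmd.exe /c del aimed at a Microsoft.NET Framework binary. Hits are grouped under the nearest ancestor that has no record of its own, which for the sample is Explorer.EXE, and a tree with three or more distinct stages is flagged.

```python
"""Rule-based detection of the Formbook dropper chain over constructed
Sysmon-style process-creation records (example code, not sandbox output)."""
import ntpath
import re
from collections import defaultdict

# Constructed to mirror the report's process tree; the last record is a
# benign control (RegSvcs.exe given an assembly to register).
EVENTS = [
    {"pid": 2900, "ppid": 1208,
     "image": r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe"'},
    {"pid": 2288, "ppid": 2900,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXqUfHySpG.exe"'},
    {"pid": 2720, "ppid": 2900,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXqUfHySpG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A9.tmp"'},
    {"pid": 2848, "ppid": 2900,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 2648, "ppid": 1208,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\SysWOW64\cmd.exe"'},
    {"pid": 2632, "ppid": 2648,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 4100, "ppid": 4000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\Program Files\Vendor\svc.dll'},
]

# Tunables (assumptions for this example): .NET utilities commonly used as
# hollowing hosts, and the user-writable tree droppers usually run from.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
USER_APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def _name(path):
    return ntpath.basename(path).lower()


def _xml_arg(cmdline):
    """Return the path passed to schtasks /XML (quoted or bare), or None."""
    m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def defender_exclusion(ev, by_pid):
    cl = ev["cmdline"]
    if re.search(r"\bAdd-MpPreference\b", cl, re.I) and \
       re.search(r"-Exclusion(Path|Extension|Process)\b", cl, re.I):
        return "defender_exclusion"


def schtasks_xml_in_temp(ev, by_pid):
    if _name(ev["image"]) != "schtasks.exe" or not re.search(r"/create\b", ev["cmdline"], re.I):
        return None
    xml = _xml_arg(ev["cmdline"])
    if xml and USER_APPDATA.search(xml):
        return "schtasks_xml_in_temp"


def hollowed_dotnet_host(ev, by_pid):
    """A .NET host binary launched with an empty argument list by a parent in AppData."""
    name = _name(ev["image"])
    if name not in DOTNET_HOSTS:
        return None
    # Strip the (possibly quoted) image path; whatever remains is an argument.
    rest = re.sub(r'^\s*"?[^"]*?' + re.escape(name) + r'"?', "", ev["cmdline"],
                  count=1, flags=re.I).strip()
    parent = by_pid.get(ev["ppid"])
    if rest == "" and parent and USER_APPDATA.search(parent["image"]):
        return "hollowed_dotnet_host"


def deletes_dotnet_host(ev, by_pid):
    cl = ev["cmdline"]
    if _name(ev["image"]) == "cmd.exe" and re.search(r"/c\s+del\b", cl, re.I) \
       and re.search(r"\\Microsoft\.NET\\Framework(64)?\\", cl, re.I):
        return "deletes_dotnet_host"


RULES = [defender_exclusion, schtasks_xml_in_temp, hollowed_dotnet_host, deletes_dotnet_host]


def _root(pid, by_pid):
    """Walk ppid links up to the first ancestor we hold no record for."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def analyze(events):
    """Map root pid -> sorted list of (rule, pid) hits beneath it."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = defaultdict(list)
    for ev in events:
        for rule in RULES:
            hit = rule(ev, by_pid)
            if hit:
                findings[_root(ev["pid"], by_pid)].append((hit, ev["pid"]))
    return {root: sorted(hits) for root, hits in findings.items()}


def verdict(findings, threshold=3):
    """Flag a tree when several distinct stages fire under one root."""
    return {root: len({r for r, _ in hits}) >= threshold for root, hits in findings.items()}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for root, hits in result.items():
        print(f"root {root}: {hits} -> suspicious={verdict(result)[root]}")
```

The no-argument check in hollowed_dotnet_host is what separates hollowing from legitimate use, since RegSvcs.exe is normally handed an assembly to register (the benign control produces no hit). Grouping under Explorer is coarse on a real workstation, where everything launched from the shell shares that ancestor; in production, scope the grouping by time window or stop at the first non-system ancestor instead.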
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 96ab4f101670aa7e5f9c124fd28d44fa
SHA1: 378dd6ac61033da7ef7ae287fddabcf642252a9d
SHA256: 029a1c2122dccaf9b92f6568457a075e6b1f58cac5dbff699e1a85b12509e0ea
SHA512: b61b8149a7dabd4c99632ea2b590adb3a15bff6fd74d3bb47057e88ea7e761a23a6da1b1d0d4aa62f5becfa8c3f68ea3948a5d7337ce368e60ae2c42bcc481b5