Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15-07-2024 06:24
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe
Resource
win7-20240704-en
General
-
Target
SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe
-
Size
691KB
-
MD5
c2ae4fdb661a151be4876289ed7f8261
-
SHA1
f8fbb8b8ddb55aacc20449ff2bd5d671e4cbb9fa
-
SHA256
d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0
-
SHA512
2642eac12e6a42fbd503621871802da278e0c68a4678675ddbe71f66d7a2b7d0ed8a22640c13d153ea63bcb33f7f13ae32eaa3e444fc451c64a1839d8cc91c89
-
SSDEEP
12288:luCDWx2PQfnESfZ0nl+xD4u1JW31MlxwXY5oMY3tQMmVHMe3+L4Ull0l8fkR:/awMnESR0nl+Z9OSXwXuoaVse3+sCie6
Malware Config
Extracted
formbook
4.1
45er
depotpulsa.com
k2bilbao.online
bb4uoficial.com
rwc666.club
us-pservice.cyou
tricegottreats.com
zsystems.pro
qudouyin6.com
sfumaturedamore.net
pcetyy.icu
notbokin.online
beqprod.tech
flipbuilding.com
errormitigationzoo.com
zj5u603.xyz
jezzatravel.com
zmdniavysyi.shop
quinnsteele.com
522334.com
outdoorshopping.net
7140k.vip
appmonster.live
rvrentalsusane.com
berry-hut.com
h-m-32.com
aklnk.xyz
project.fail
thelbacollection.com
ternkm.com
331022.xyz
qhr86.com
casvivip.com
f661dsa-dsf564a.biz
holisticfox.com
taobaoo03.com
kursy-parikmaher.store
reignscents.com
wot4x4.com
axoloterosa.com
instzn.site
nn477.xyz
jwsalestx.com
cualuoinuhoang.com
sagehrsuiteindercloud.solutions
2ecxab.vip
lottery99nft.xyz
budakbetingbet43.click
plaay.live
drmediapulsehub.com
bahismax.com
clareleeuwinclark.com
clarimix.com
ssongg11913.cfd
shapoorji-kingstown.com
detoxifysupplements.info
easy100ksidegig.com
abramovatata.online
barillonfo.net
keendeed.com
yunosave.online
pptv05.xyz
malianbeini.net
polariscicuit.com
sahibindencomparamguvend.link
used-cars-99583.bond
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/2928-24-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/2928-41-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/2928-75-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/1444-76-0x0000000000F40000-0x0000000000F6F000-memory.dmp formbook -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exeRegSvcs.exewscript.exedescription pid process target process PID 2324 set thread context of 2928 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe RegSvcs.exe PID 2928 set thread context of 3580 2928 RegSvcs.exe Explorer.EXE PID 2928 set thread context of 3580 2928 RegSvcs.exe Explorer.EXE PID 1444 set thread context of 3580 1444 wscript.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exepowershell.exeRegSvcs.exewscript.exepid process 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe 3736 powershell.exe 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe 2928 RegSvcs.exe 2928 RegSvcs.exe 2928 RegSvcs.exe 2928 RegSvcs.exe 3736 powershell.exe 2928 RegSvcs.exe 2928 RegSvcs.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe 1444 wscript.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
RegSvcs.exewscript.exepid process 2928 RegSvcs.exe 2928 RegSvcs.exe 2928 RegSvcs.exe 2928 RegSvcs.exe 1444 wscript.exe 1444 wscript.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exepowershell.exeRegSvcs.exeExplorer.EXEwscript.exedescription pid process Token: SeDebugPrivilege 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe Token: SeDebugPrivilege 3736 powershell.exe Token: SeDebugPrivilege 2928 RegSvcs.exe Token: SeShutdownPrivilege 3580 Explorer.EXE Token: SeCreatePagefilePrivilege 3580 Explorer.EXE Token: SeDebugPrivilege 1444 wscript.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3580 Explorer.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exeExplorer.EXEwscript.exedescription pid process target process PID 2324 wrote to memory of 3736 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe powershell.exe PID 2324 wrote to memory of 3736 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe powershell.exe PID 2324 wrote to memory of 3736 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe powershell.exe PID 2324 wrote to memory of 4928 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe schtasks.exe PID 2324 wrote to memory of 4928 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe schtasks.exe PID 2324 wrote to memory of 4928 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe schtasks.exe PID 2324 wrote to memory of 2928 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe RegSvcs.exe PID 2324 wrote to memory of 2928 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe RegSvcs.exe PID 2324 wrote to memory of 2928 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe RegSvcs.exe PID 2324 wrote to memory of 2928 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe RegSvcs.exe PID 2324 wrote to memory of 2928 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe RegSvcs.exe PID 2324 wrote to memory of 2928 2324 SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe RegSvcs.exe PID 3580 wrote to memory of 1444 3580 Explorer.EXE wscript.exe PID 3580 wrote to memory of 1444 3580 Explorer.EXE wscript.exe PID 3580 wrote to memory of 1444 3580 Explorer.EXE wscript.exe PID 1444 wrote to memory of 2736 1444 wscript.exe cmd.exe PID 1444 wrote to memory of 2736 1444 wscript.exe cmd.exe PID 1444 wrote to memory of 2736 1444 wscript.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXqUfHySpG.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXqUfHySpG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEFCE.tmp"3⤵
- Scheduled Task/Job: Scheduled Task
PID:4928 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2928 -
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:2736
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5eefd745ec5c7e436a1ff72bb47f57c2e
SHA17d55b1eb3e7d71739a42f32918caab02a03ba5f3
SHA25693fa759dbab96935d333be853627e71d3535d90b6ceca21527b6af4e55d50bbd
SHA5124948c6b1347e9b918043eb7c0e7e58685515ab93b58d20f3caaa0c59e2312ef8172147837992b4fed7ed164b5f0dd1d83538d5332f45c26000ffa824337ed5ae