Analysis

  max time kernel:   148s
  max time network:  119s
  platform:          windows7_x64
  resource:          win7-20240705-en
  resource tags:     arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
  submitted:         26-07-2024 10:41

  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
  Resource:          win7-20240705-en

General

  Target:   SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
  Size:     561KB
  MD5:      01fbcc6559c010e59be1dc7b66c12e4f
  SHA1:     657f058d4032447658f71265803f7a6d52a64532
  SHA256:   ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26
  SHA512:   8d83eea254360b6fcbb2a83ef6a6d26898a2370c151cdd36fc964509b27b4e5241ebff1d520d6bfb194ce14589c51d2387023ece6858c6a8e6a7634f7418fdcc
  SSDEEP:   12288:0MHalYsHfne1TDq/MrmqiqaXpSxDHjFB0LobIgySCq:Jaltve1TmUvir4zZuLobSSF
Malware Config

Extracted
  Family:        formbook
  Version:       4.1
  Campaign ID:   gy15
  Domains (65 entries; Formbook configs carry a list of decoy domains alongside the live C2, so treat each entry as a hunting indicator rather than as confirmed beaconing):
yb40w.top
286live.com
poozonlife.com
availableweedsonline.com
22926839.com
petlovepet.fun
halbaexpress.com
newswingbd.com
discountdesh.com
jwoalhbn.xyz
dandevonald.com
incrediblyxb.christmas
ailia.pro
ga3ki3.com
99812.photos
richiecom.net
ummahskills.online
peakleyva.store
a1cbloodtest.com
insurancebygarry.com
onz-cg3.xyz
erektiepil.com
hs-steuerberater.info
20allhen.online
mariaslakedistrict.com
losterrrcossmpm.com
tmb6x.rest
bagelsliders.com
njoku.net
tatoways.com
jmwmanglobalsolutionscom.com
midnightemporium.shop
gunaihotels.com
midsouthhealthcare.com
rtptt80.site
carmen-asa.com
gypsyjudyscott.com
djkleel.com
sophhia.site
tqqft8l5.xyz
00050385.xyz
oiupa.xyz
purenutrixion.com
worldinfopedia.com
8886493.com
1e0bfijiz43k6c8.skin
bunkerlabsgolf.com
twinportslocal.com
ttyijlaw.com
poiulkj.top
yuejiazy888.com
betbox2347.com
gettingcraftywitro.com
mantap303game.icu
skillspartner.net
cbla.info
rs-alohafactorysaleuua.shop
bt365434.com
redrivercompany.store
abc8win5.com
46431.club
vivehogar.net
menloparkshop.com
1776biz.live
dunia188j.store
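Because the extracted list mixes decoys with the live server, the useful check is not "did any host resolve one of these" but "which of these got repeated traffic and in what shape". The block below is an added example, not part of the sandbox report: it matches proxy log lines against a subset of the domains above on label boundaries (so `286live.com.evil.example` does not match), counts hits per config domain, and flags requests whose first URI path segment is the campaign ID. The log lines are constructed, and the beacon shape (campaign ID as first path segment, e.g. `/gy15/?...`) is an assumption of this example, not something the report states.

```python
"""Hunt proxy logs for the Formbook decoy/C2 list extracted above.

Added example; not part of the sandbox report. SAMPLE_LOG is constructed,
and the beacon shape (campaign ID as the first URI path segment) is an
assumption of this example, not a fact taken from the report.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

CAMPAIGN_ID = "gy15"

# Subset of the 65 domains in the extracted config above.
CONFIG_DOMAINS = {
    "yb40w.top", "286live.com", "poozonlife.com", "availableweedsonline.com",
    "22926839.com", "petlovepet.fun", "halbaexpress.com", "newswingbd.com",
}

# Constructed proxy log: "<timestamp> <src_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-07-26T10:42:01Z 10.0.0.7 GET http://www.yb40w.top/gy15/?Ab=X1Y2&hM=lm 404
2024-07-26T10:42:09Z 10.0.0.7 GET http://www.286live.com/gy15/?Ab=X1Y2&hM=lm 200
2024-07-26T10:42:15Z 10.0.0.7 POST http://www.286live.com/gy15/ 200
2024-07-26T10:42:20Z 10.0.0.9 GET http://cdn.example.com/lib.js 200
2024-07-26T10:42:31Z 10.0.0.7 GET http://www.poozonlife.com/gy15/?Ab=X1Y2&hM=lm 404
2024-07-26T10:43:02Z 10.0.0.9 GET http://286live.com.evil.example/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def registrable_match(host: str) -> Optional[str]:
    """Return the config domain that `host` equals or is a subdomain of.

    Suffix match on label boundaries, not substring search: 'www.286live.com'
    matches '286live.com', '286live.com.evil.example' does not.
    """
    host = host.lower().rstrip(".")
    for dom in CONFIG_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def hunt(log_text: str) -> Dict[str, object]:
    """Per-domain hit counts plus the domains whose requests look like beacons."""
    hits: Counter = Counter()
    beacon_like = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        dom = registrable_match(parts.hostname or "")
        if dom is None:
            continue
        hits[dom] += 1
        # Assumed Formbook beacon shape: campaign ID is the first path segment.
        if parts.path.strip("/").split("/")[0] == CAMPAIGN_ID:
            beacon_like.add(dom)
    return {"hits": dict(hits), "beacon_like": sorted(beacon_like)}


def ranked_for_triage(result: Dict[str, object]) -> List[str]:
    """Busiest config domain first. Decoys and the live C2 all appear in the
    config, so this only orders the analyst's work; it proves nothing."""
    hits = result["hits"]  # type: ignore[index]
    return sorted(hits, key=lambda d: -hits[d])
```

Feed `hunt()` the output of your proxy or DNS pipeline one line per request; the same suffix-matching helper works for DNS query logs if you pass the queried name as the URL host.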
Signatures

Formbook payload (2 IoCs)
  YARA rule "formbook" matched two memory dumps. Both regions are 0x2F000 bytes, consistent with one payload image mapped at different bases in two processes:
    behavioral1/memory/2788-18-0x0000000000400000-0x000000000042F000-memory.dmp   (PID 2788, RegSvcs.exe)
    behavioral1/memory/2800-23-0x0000000000080000-0x00000000000AF000-memory.dmp   (PID 2800, wininit.exe)

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Here PID 2720 runs:
    powershell.exe Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KfYvtUBOq.exe"
  The excluded path shares its name with the scheduled task below (KfYvtUBOq), so the Defender exclusion list and the task registration are the persistence artifacts to hunt for.

Suspicious use of SetThreadContext (3 IoCs)
  source PID / image                                         target PID / image
  1368  SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe  -> 2788  RegSvcs.exe
  2788  RegSvcs.exe                                       -> 1144  Explorer.EXE
  2800  wininit.exe                                       -> 1144  Explorer.EXE
  This is the usual Formbook staging as recorded in this run: the dropper hollows a signed .NET framework utility (RegSvcs.exe), the hollowed process injects into Explorer.EXE, Explorer launches C:\Windows\SysWOW64\wininit.exe as the final payload host, and that host spawns cmd.exe to delete the RegSvcs.exe path used in the first stage.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather the system language of the victim in order to infer the host's geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by cmd.exe, SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, powershell.exe, schtasks.exe, wininit.exe
  Caveat: this key is read by ordinary process start-up code as well (cmd.exe and schtasks.exe trigger it here while doing nothing unusual), so on its own it is a weak signal.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here PID 2968 runs:
    schtasks.exe /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA37.tmp"
  The task definition is supplied as an XML file from %TEMP%, so the trigger and action are not visible on the command line; recover them from the XML file or from the registered task itself.

Suspicious behavior: EnumeratesProcesses (32 IoCs)
  PID 1368  SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe   x2
  PID 2788  RegSvcs.exe                                        x2
  PID 2720  powershell.exe                                     x1
  PID 2800  wininit.exe                                        x27

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 2788  RegSvcs.exe    x3
  PID 2800  wininit.exe    x2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token SeDebugPrivilege requested by PID 1368 (SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe), 2788 (RegSvcs.exe), 2720 (powershell.exe) and 2800 (wininit.exe)

Suspicious use of WriteProcessMemory (26 IoCs)
  source PID / image                                         target PID / image     count
  1368  SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe  -> 2720  powershell.exe     4
  1368  SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe  -> 2968  schtasks.exe       4
  1368  SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe  -> 2788  RegSvcs.exe       10
  1144  Explorer.EXE                                      -> 2800  wininit.exe        4
  2800  wininit.exe                                       -> 2664  cmd.exe            4
  Every ordinary child launch in this run shows four writes; the ten writes into RegSvcs.exe, together with the SetThreadContext call on it, mark it as the hollowed host.
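The SetThreadContext and WriteProcessMemory records above only become an injection map once they are joined with the parent/child relations from the process tree: a write plus a context reset into a process the writer itself spawned is hollowing, the same pair into a process it did not spawn is remote injection, and writes alone into an own child are ordinary process creation. The block below does that join, and also parses the memory-dump file names the Formbook YARA rule fired on so the payload hosts can be tied to the chain. It is an added example, not part of the report; the tuples are the report's IoC lines retyped (one tuple per line, duplicates kept), and the edge labels are this example's own heuristics.

```python
"""Join the SetThreadContext / WriteProcessMemory records above with the
process tree to label each edge, and parse the YARA memory-dump names.

Added example, not part of the sandbox report. The data below is the
report's own IoC lines retyped; the classification rules are heuristics
of this example.
"""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# pid -> (image, parent pid), from the Processes section of the report.
PROCESSES: Dict[int, Tuple[str, Optional[int]]] = {
    1144: ("Explorer.EXE", None),
    1368: ("SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe", 1144),
    2720: ("powershell.exe", 1368),
    2968: ("schtasks.exe", 1368),
    2788: ("RegSvcs.exe", 1368),
    2800: ("wininit.exe", 1144),
    2664: ("cmd.exe", 2800),
}

# One (source pid, target pid) tuple per "wrote to memory of" line.
WRITE_PROCESS_MEMORY = (
    [(1368, 2720)] * 4 + [(1368, 2968)] * 4 + [(1368, 2788)] * 10
    + [(1144, 2800)] * 4 + [(2800, 2664)] * 4
)
# One tuple per "set thread context of" line.
SET_THREAD_CONTEXT = [(1368, 2788), (2788, 1144), (2800, 1144)]

# Dumps the "formbook" YARA rule matched.
YARA_DUMPS = [
    "behavioral1/memory/2788-18-0x0000000000400000-0x000000000042F000-memory.dmp",
    "behavioral1/memory/2800-23-0x0000000000080000-0x00000000000AF000-memory.dmp",
]

DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split '<pid>-<idx>-0x<start>-0x<end>-memory.dmp' into pid, base and size."""
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "base": start, "size": end - start}


def classify_edges() -> Dict[Tuple[int, int], dict]:
    """Label every (source, target) pair seen in the write/context records."""
    writes = Counter(WRITE_PROCESS_MEMORY)
    ctx = set(SET_THREAD_CONTEXT)
    edges: Dict[Tuple[int, int], dict] = {}
    for src, dst in sorted(set(WRITE_PROCESS_MEMORY) | ctx):
        spawned_by_src = PROCESSES[dst][1] == src
        if (src, dst) in ctx and spawned_by_src:
            kind = "hollowing"         # wrote into a child it created, then reset its thread context
        elif (src, dst) in ctx:
            kind = "remote-injection"  # thread context reset in a process it did not create
        elif spawned_by_src:
            kind = "child-launch"      # writes into its own child only: ordinary process creation
        else:
            kind = "remote-write"
        edges[(src, dst)] = {
            "kind": kind,
            "writes": writes[(src, dst)],
            "src": PROCESSES[src][0],
            "dst": PROCESSES[dst][0],
        }
    return edges


def payload_hosts() -> Dict[int, dict]:
    """pid -> mapped region for every process the Formbook rule matched in."""
    return {d["pid"]: d for d in map(parse_dump_name, YARA_DUMPS)}


if __name__ == "__main__":
    for (s, d), e in classify_edges().items():
        print(f"{s:>5} {e['src']:<48} -> {d:>5} {e['dst']:<14} {e['kind']:<17} writes={e['writes']}")
    for pid, info in payload_hosts().items():
        print(f"formbook image in pid {pid} ({PROCESSES[pid][0]}) at 0x{info['base']:X}, {info['size']:#x} bytes")
```

The "child-launch" label for Explorer.EXE -> wininit.exe is by construction: the report records no SetThreadContext from 1144 into 2800, yet the payload is present in 2800, so the write count alone does not tell you how the image got there; the YARA hit does.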
Processes

[1] C:\Windows\Explorer.EXE  (PID 1144)
    cmdline: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe  (PID 1368)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2720)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KfYvtUBOq.exe"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\schtasks.exe  (PID 2968)
        cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA37.tmp"
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 2788)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\wininit.exe  (PID 2800)
      cmdline: "C:\Windows\SysWOW64\wininit.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2664)
        cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - System Location Discovery: System Language Discovery

Notes on the tree:
  - The command lines for powershell.exe and schtasks.exe name System32, but the images that actually ran are under SysWOW64: the dropper is a 32-bit executable, so WoW64 file-system redirection mapped System32 to SysWOW64 for its children. Detection rules should key on the image path, not on the command-line string.
  - RegSvcs.exe is started with no arguments. The utility needs an assembly path to do anything useful, so an empty command line has no legitimate purpose and is the shape of a hollowing host, which the SetThreadContext record confirms.
  - The final cmd.exe deletes the .NET framework binary the payload was hollowed into, not the original dropper in %TEMP%.
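The four behaviours in this tree that are cheap to alert on from process-creation telemetry are the Defender exclusion, the task created from an XML file in %TEMP%, a signed .NET utility started with no arguments by a parent in a user-writable directory, and cmd.exe deleting a file under Windows\Microsoft.NET. The block below is an added example, not part of the sandbox report: it encodes those four checks as rules over events constructed from the command lines above plus one benign control (a vendor installer invoking RegSvcs.exe with an argument). Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the rule logic is this example's own, not a published signature.

```python
"""Process-creation rules for the behaviour in the tree above.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's command lines plus one benign control; the rules are this
example's own heuristics, written against Sysmon Event ID 1 field names.
"""
import re
from typing import Callable, Dict, List, Tuple

EVENTS: List[dict] = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KfYvtUBOq.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA37.tmp"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "ParentImage": r"C:\Windows\SysWOW64\wininit.exe"},
    # Benign control (constructed): RegSvcs.exe doing its real job for an installer.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /fc "C:\Program Files\Vendor\Svc.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

# Parents living in a user-writable profile directory are suspect.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Signed .NET framework utilities commonly used as hollowing hosts.
DOTNET_LOLBINS = ("regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Drop the (possibly quoted) image token; return the remaining arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    return s.split(None, 1)[1].strip() if " " in s else ""


def rule_defender_exclusion(ev: dict) -> bool:
    cl = ev["CommandLine"].lower()
    return "add-mppreference" in cl and "-exclusion" in cl


def rule_schtasks_xml_from_temp(ev: dict) -> bool:
    cl = ev["CommandLine"]
    return (basename(ev["Image"]) == "schtasks.exe" and "/create" in cl.lower()
            and re.search(r'/xml\s+"?[^"\s]*\\appdata\\local\\temp\\', cl, re.I) is not None)


def rule_dotnet_lolbin_no_args(ev: dict) -> bool:
    """Trusted .NET utility with an empty argument list, launched from a
    user-writable directory: RegSvcs.exe needs an assembly path to do
    anything, so this is the shape of a hollowing host, not of real use."""
    return (basename(ev["Image"]) in DOTNET_LOLBINS
            and args_after_image(ev["CommandLine"]) == ""
            and USER_WRITABLE.match(ev["ParentImage"]) is not None)


def rule_cmd_del_dotnet_binary(ev: dict) -> bool:
    return (basename(ev["Image"]) == "cmd.exe"
            and re.search(r"\bdel\b.*\\windows\\microsoft\.net\\", ev["CommandLine"], re.I) is not None)


RULES: Dict[str, Callable[[dict], bool]] = {
    "defender_exclusion": rule_defender_exclusion,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "dotnet_lolbin_no_args": rule_dotnet_lolbin_no_args,
    "cmd_del_dotnet_binary": rule_cmd_del_dotnet_binary,
}


def evaluate(events: List[dict]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule that fires. Rules key on Image,
    not on the System32 path inside CommandLine, because WoW64 redirection
    makes the two disagree for 32-bit parents."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for i, name in evaluate(EVENTS):
        print(f"event {i}: {name}  <- {EVENTS[i]['CommandLine']}")
```

Each rule fires on exactly one of the four report events and none on the benign control; the RegSvcs rule in particular depends on the empty argument list and the parent's location, not on the binary name alone, which keeps installers that really use RegSvcs.exe out of the alert queue.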
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize:  1KB
  MD5:       df47c193a342e61e931053bb25e1d062
  SHA1:      2849780d7f36d29c35a1ddae1a9c4732f78bd4ba
  SHA256:    8192dfa4f5a0e27115085742d06208e1e48e642216d31a9809d9a4a087792dbd
  SHA512:    58741723739e660eb1819266193725f2e409c8c524c1c80e5bdc9a648663b7af69f2f34e5429b165e511ae49e8e55b825aa7bd1459acf89341225ca1df295764