Analysis
- max time kernel: 130s
- max time network: 124s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 03:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.Kryptik.HENB.18157.dll
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: SecuriteInfo.com.Win32.Kryptik.HENB.18157.dll
- Size: 579KB
- MD5: a37a8840e9e8d07c73861a1353013ba2
- SHA1: 403c6a9e7159480ba75f4250f2d946226de92d4b
- SHA256: e7f1b2d2601e9a6427a155a3599614c09c9edaae7eb8f10b81e1f3e117717157
- SHA512: 88e7eb3f6648c7baab747bae3afae839a9b13e12ff8ec861e4df262dbd2ab469de7274c02a716ba0e7fe6ecde4b9fe365f53cd4e9433a389080be92840e0c15c
Malware Config
Signatures
Blacklisted process makes network request (18 IoCs)
Process: msiexec.exe (PID 1904)
- Network flows 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 21, 23, 24, 25, 26, 27, 28 and 30, all from PID 1904 msiexec.exe
Modifies system certificate store
Process: msiexec.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (msiexec.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob not preserved in this page] (msiexec.exe)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: rundll32.exe, rundll32.exe
- PID 240 (rundll32.exe) wrote to memory of PID 112 (rundll32.exe): 7 occurrences
- PID 112 (rundll32.exe) wrote to memory of PID 1904 (msiexec.exe): 9 occurrences
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: rundll32.exe, msiexec.exe
- Token: SeDebugPrivilege, PID 112 (rundll32.exe)
- Token: SeSecurityPrivilege, PID 1904 (msiexec.exe)
- Token: SeSecurityPrivilege, PID 1904 (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: rundll32.exe
- PID 112 (rundll32.exe)
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes: rundll32.exe
- PID 112 created 1208; process: rundll32.exe (PID 112); target process: Explorer.EXE
Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
- PID 112 set thread context of 1904; process: rundll32.exe (PID 112); target process: msiexec.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HENB.18157.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HENB.18157.dll,#1
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: msiexec.exe
    - Blacklisted process makes network request
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/112-0-0x0000000000000000-mapping.dmp
- memory/1904-1-0x00000000000D0000-0x00000000000FC000-memory.dmp (176KB)
- memory/1904-2-0x0000000000140000-0x0000000000141000-memory.dmp (4KB)
- memory/1904-3-0x00000000000D0000-0x00000000000FC000-memory.dmp (176KB)
- memory/1904-4-0x0000000000000000-mapping.dmp