Analysis
-
max time kernel
137s -
max time network
129s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
08-07-2020 16:57
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.A.16433.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
SecuriteInfo.com.A.16433.exe
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
SecuriteInfo.com.A.16433.exe
-
Size
253KB
-
MD5
f58843af873716aeee6e9e74ff8918ca
-
SHA1
8fb3aba6f5610c465e6fa4f87638fc706b2bcf63
-
SHA256
54c3e01a3dee75c7137c63a25915b7bec1876a8fc65047eff99b97d9ca6cd5c6
-
SHA512
3dc3413064112266ac303a2691c024c40fb914593e0622cb970ea367b5f03d60a7355f0a37064e5da4369dc4c7e545c7df7272943ffc6007f0cbede2cfafbd19
Score
10/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
cmd.exedescription pid process target process PID 3932 wrote to memory of 3428 3932 cmd.exe pfehamig.exe PID 3932 wrote to memory of 3428 3932 cmd.exe pfehamig.exe -
Executes dropped EXE 1 IoCs
Processes:
pfehamig.exepid process 3428 pfehamig.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
SecuriteInfo.com.A.16433.exepid process 992 SecuriteInfo.com.A.16433.exe -
BazarBackdoor
Stealthy backdoor targetting corporate networks, believed to be developed by Trickbot's authors.
-
Drops startup file 1 IoCs
Processes:
SecuriteInfo.com.A.16433.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk SecuriteInfo.com.A.16433.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.A.16433.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.A.16433.exe"1⤵
- Suspicious behavior: RenamesItself
- Drops startup file
PID:992
-
C:\Windows\system32\cmd.execmd.exe / c "start "" /b "cmd.exe" /c "copy /y "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.A.16433.exe" "C:\Users\Admin\AppData\Local\Temp\pfehamig.exe"&&start "" /b "C:\Users\Admin\AppData\Local\Temp\pfehamig.exe" -z {66A8ED9E-41EF-4620-9B69-81FFB215B4D7}&&exit 0""1⤵
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\pfehamig.exe"C:\Users\Admin\AppData\Local\Temp\pfehamig.exe" -z {66A8ED9E-41EF-4620-9B69-81FFB215B4D7}2⤵
- Executes dropped EXE
PID:3428