Overview

overview

10

Static

static

SecuriteIn...44.exe

windows7_x64

10

SecuriteIn...44.exe

windows10_x64

3

Analysis

  • max time kernel
    150s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    10/07/2020, 12:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.PackedNET.380.14044.9944.exe

  • Size

    158KB

  • MD5

    b11e1b59c55fe58bee59b66a38bc962c

  • SHA1

    44c5a2a6f456849f9280294300f5892a8cb53087

  • SHA256

    dd788c4aec3c45dd1a524971169ac0cccd3271b1a02544398494385a430edfe9

  • SHA512

    a55ed0bfbfb5777c0a379268fd0da95dfc56559887e3b67e516a6cd164f72b52037e880e6e82190946fdc6367c5ac33c11d4bdc56a97c102be3b9a6bfddeff14

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.380.14044.9944.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.380.14044.9944.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:1356
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.380.14044.9944.exe
      "{path}"
      2⤵
      • Windows security modification
      • Modifies Windows Defender Real-time Protection settings
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1740

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1796-2-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1796-4-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1796-5-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download