Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 19:14
Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Atros7.OHE.31928.12310.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Atros7.OHE.31928.12310.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: SecuriteInfo.com.Atros7.OHE.31928.12310.exe
- Size: 35KB
- MD5: d9099b15a586053c53069c8a636a3ad6
- SHA1: 965aed8ed2f5345c89f79f54fcb2e9d82ff929ee
- SHA256: e7ab97cc5f69b125dabf881992f61e38a0d27585067d95c25d9a6a52f5c84539
- SHA512: c7e47d860a859097f6d762caecbfed75f49ecbef18f93abdbdab7a1c513c64481bd0a935352536d969fa9cc064bcc43502facdf367d282fd01e75049494ee072
- Score: 10/10
Malware Config
Signatures

Loads dropped DLL (1 IoC)
Processes:
  pid   Process
  1124  SecuriteInfo.com.Atros7.OHE.31928.12310.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   Process                                       procid_target
  PID 1124 wrote to memory of 1308   1124  SecuriteInfo.com.Atros7.OHE.31928.12310.exe   25
  PID 1124 wrote to memory of 1308   1124  SecuriteInfo.com.Atros7.OHE.31928.12310.exe   25
  PID 1124 wrote to memory of 1308   1124  SecuriteInfo.com.Atros7.OHE.31928.12310.exe   25
  PID 1124 wrote to memory of 1308   1124  SecuriteInfo.com.Atros7.OHE.31928.12310.exe   25
  PID 1308 wrote to memory of 1616   1308  sa.exe                                        27
  PID 1308 wrote to memory of 1616   1308  sa.exe                                        27
  PID 1308 wrote to memory of 1616   1308  sa.exe                                        27
  PID 1308 wrote to memory of 1616   1308  sa.exe                                        27

Modifies Windows Firewall (1 TTP)

Drops startup file (2 IoCs)
Processes:
  description                   ioc                                                                                                   Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e60f726edb174535a38d9d3e327c358c.exe   sa.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e60f726edb174535a38d9d3e327c358c.exe   sa.exe

Executes dropped EXE (1 IoC)
Processes:
  pid   Process
  1308  sa.exe

Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes:
  description                        pid   Process
  Token: SeDebugPrivilege            1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe
  Token: 33                          1308  sa.exe
  Token: SeIncBasePriorityPrivilege  1308  sa.exe

Modifies service (2 TTPs, 5 IoCs)
Processes:
  description   ioc                                                                              Process
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig              netsh.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups   netsh.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas                     netsh.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs                     netsh.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI           netsh.exe

Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                                                Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\e60f726edb174535a38d9d3e327c358c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sa.exe\" .."   sa.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e60f726edb174535a38d9d3e327c358c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sa.exe\" .."   sa.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Atros7.OHE.31928.12310.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Atros7.OHE.31928.12310.exe"
   PID: 1124
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\sa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\sa.exe"
      PID: 1308
      - Suspicious use of WriteProcessMemory
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Adds Run entry to start application

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\sa.exe" "sa.exe" ENABLE
         PID: 1616
         - Modifies service