Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
13-07-2020 19:14
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Atros7.OHE.31928.12310.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Atros7.OHE.31928.12310.exe
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
SecuriteInfo.com.Atros7.OHE.31928.12310.exe
-
Size
35KB
-
MD5
d9099b15a586053c53069c8a636a3ad6
-
SHA1
965aed8ed2f5345c89f79f54fcb2e9d82ff929ee
-
SHA256
e7ab97cc5f69b125dabf881992f61e38a0d27585067d95c25d9a6a52f5c84539
-
SHA512
c7e47d860a859097f6d762caecbfed75f49ecbef18f93abdbdab7a1c513c64481bd0a935352536d969fa9cc064bcc43502facdf367d282fd01e75049494ee072
Score
10/10
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Adds Run entry to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\e60f726edb174535a38d9d3e327c358c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sa.exe\" .." sa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e60f726edb174535a38d9d3e327c358c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sa.exe\" .." sa.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e60f726edb174535a38d9d3e327c358c.exe sa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e60f726edb174535a38d9d3e327c358c.exe sa.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2536 wrote to memory of 2220 2536 SecuriteInfo.com.Atros7.OHE.31928.12310.exe 73 PID 2536 wrote to memory of 2220 2536 SecuriteInfo.com.Atros7.OHE.31928.12310.exe 73 PID 2536 wrote to memory of 2220 2536 SecuriteInfo.com.Atros7.OHE.31928.12310.exe 73 PID 2220 wrote to memory of 2900 2220 sa.exe 75 PID 2220 wrote to memory of 2900 2220 sa.exe 75 PID 2220 wrote to memory of 2900 2220 sa.exe 75 -
Executes dropped EXE 1 IoCs
pid Process 2220 sa.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description pid Process Token: SeDebugPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe Token: 33 2220 sa.exe Token: SeIncBasePriorityPrivilege 2220 sa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Atros7.OHE.31928.12310.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Atros7.OHE.31928.12310.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\sa.exe"C:\Users\Admin\AppData\Local\Temp\sa.exe"2⤵
- Adds Run entry to start application
- Drops startup file
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\sa.exe" "sa.exe" ENABLE3⤵PID:2900
-
-