Analysis
- max time kernel: 144s
- max time network: 152s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 06:11

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.LuheFihaA.17467.13354.exe
- Resource: win7
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.LuheFihaA.17467.13354.exe
- Resource: win10v200430
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.LuheFihaA.17467.13354.exe
- Size: 695KB
- MD5: a022225186d5cb11c605e84fa778f489
- SHA1: 24e30c90a585fa409136539a13ee8334920904fa
- SHA256: 922be6acb1365bac828b5493a4ba1a5fd0d214a5273f39bfbaf932d80c9b5a75
- SHA512: 7b4b65b03dcf7ac8005d7319490c7b3ab88cd13e04755229844ebecfc6586a474f91add258ca09a66f4dbc134d1de633d7ce04555de02efc0745497a3cf546d2
- Score: 8/10
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 784 | powershell.exe
- Token: SeDebugPrivilege | 1776 | powershell.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid | process):
- 784 | powershell.exe
- 784 | powershell.exe
- 1776 | powershell.exe
- 1776 | powershell.exe

Drops startup file (2 IoCs)
Processes (description | ioc | process):
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | SecuriteInfo.com.LuheFihaA.17467.13354.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | SecuriteInfo.com.LuheFihaA.17467.13354.exe

NTFS ADS (1 IoCs)
Processes (description | ioc | process):
- File created | C:\ProgramData:ApplicationData | SecuriteInfo.com.LuheFihaA.17467.13354.exe

Adds Run entry to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | SecuriteInfo.com.LuheFihaA.17467.13354.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description | pid | process | target process):
- PID 1496 wrote to memory of 784 | 1496 | SecuriteInfo.com.LuheFihaA.17467.13354.exe | powershell.exe
- PID 1496 wrote to memory of 784 | 1496 | SecuriteInfo.com.LuheFihaA.17467.13354.exe | powershell.exe
- PID 1496 wrote to memory of 784 | 1496 | SecuriteInfo.com.LuheFihaA.17467.13354.exe | powershell.exe
- PID 1496 wrote to memory of 784 | 1496 | SecuriteInfo.com.LuheFihaA.17467.13354.exe | powershell.exe
- PID 1496 wrote to memory of 532 | 1496 | SecuriteInfo.com.LuheFihaA.17467.13354.exe | images.exe
- PID 1496 wrote to memory of 532 | 1496 | SecuriteInfo.com.LuheFihaA.17467.13354.exe | images.exe
- PID 1496 wrote to memory of 532 | 1496 | SecuriteInfo.com.LuheFihaA.17467.13354.exe | images.exe
- PID 1496 wrote to memory of 532 | 1496 | SecuriteInfo.com.LuheFihaA.17467.13354.exe | images.exe
- PID 532 wrote to memory of 1776 | 532 | images.exe | powershell.exe
- PID 532 wrote to memory of 1776 | 532 | images.exe | powershell.exe
- PID 532 wrote to memory of 1776 | 532 | images.exe | powershell.exe
- PID 532 wrote to memory of 1776 | 532 | images.exe | powershell.exe
- PID 532 wrote to memory of 1384 | 532 | images.exe | cmd.exe
- PID 532 wrote to memory of 1384 | 532 | images.exe | cmd.exe
- PID 532 wrote to memory of 1384 | 532 | images.exe | cmd.exe
- PID 532 wrote to memory of 1384 | 532 | images.exe | cmd.exe
- PID 532 wrote to memory of 1384 | 532 | images.exe | cmd.exe
- PID 532 wrote to memory of 1384 | 532 | images.exe | cmd.exe

Loads dropped DLL (1 IoCs)
Processes (pid | process):
- 1496 | SecuriteInfo.com.LuheFihaA.17467.13354.exe

Executes dropped EXE (1 IoCs)
Processes (pid | process):
- 532 | images.exe
Processes (process tree; the number is the nesting level)
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.LuheFihaA.17467.13354.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.LuheFihaA.17467.13354.exe"
  - Drops startup file
  - NTFS ADS
  - Adds Run entry to start application
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2)
    Command line: powershell Add-MpPreference -ExclusionPath C:\
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
  - C:\ProgramData\images.exe (2)
    Command line: "C:\ProgramData\images.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3)
      Command line: powershell Add-MpPreference -ExclusionPath C:\
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe (3)
      Command line: "C:\Windows\System32\cmd.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData
- C:\ProgramData\images.exe
- C:\ProgramData\images.exe
- \ProgramData\images.exe
- memory/532-8-0x0000000000960000-0x0000000000AB3000-memory.dmp (Filesize 1.3MB)
- memory/532-3-0x0000000000000000-mapping.dmp
- memory/784-1-0x0000000000000000-mapping.dmp
- memory/1384-16-0x0000000000000000-mapping.dmp
- memory/1384-15-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize 4KB)
- memory/1384-11-0x0000000000000000-mapping.dmp
- memory/1496-0-0x0000000002000000-0x0000000002153000-memory.dmp (Filesize 1.3MB)
- memory/1776-10-0x0000000000000000-mapping.dmp