Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10_x64
- resource: win10v200430
- submitted: 13-07-2020 06:11
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.LuheFihaA.17467.13354.exe
- Resource: win7
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.LuheFihaA.17467.13354.exe
- Resource: win10v200430
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.LuheFihaA.17467.13354.exe
- Size: 695KB
- MD5: a022225186d5cb11c605e84fa778f489
- SHA1: 24e30c90a585fa409136539a13ee8334920904fa
- SHA256: 922be6acb1365bac828b5493a4ba1a5fd0d214a5273f39bfbaf932d80c9b5a75
- SHA512: 7b4b65b03dcf7ac8005d7319490c7b3ab88cd13e04755229844ebecfc6586a474f91add258ca09a66f4dbc134d1de633d7ce04555de02efc0745497a3cf546d2
Score: 8/10
Malware Config
Signatures
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes: SecuriteInfo.com.LuheFihaA.17467.13354.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | SecuriteInfo.com.LuheFihaA.17467.13354.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: SecuriteInfo.com.LuheFihaA.17467.13354.exe, images.exe
  description | pid | process | target process
  PID 1508 wrote to memory of 2580 | 1508 | SecuriteInfo.com.LuheFihaA.17467.13354.exe | powershell.exe (3 entries)
  PID 1508 wrote to memory of 2868 | 1508 | SecuriteInfo.com.LuheFihaA.17467.13354.exe | images.exe (3 entries)
  PID 2868 wrote to memory of 1452 | 2868 | images.exe | powershell.exe (3 entries)
  PID 2868 wrote to memory of 1232 | 2868 | images.exe | cmd.exe (5 entries)
- Executes dropped EXE (1 IoC)
  Processes: images.exe
  pid | process
  2868 | images.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  3852 | 2580 | WerFault.exe | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: WerFault.exe, powershell.exe
  description | pid | process
  Token: SeRestorePrivilege | 3852 | WerFault.exe
  Token: SeBackupPrivilege | 3852 | WerFault.exe
  Token: SeDebugPrivilege | 3852 | WerFault.exe
  Token: SeDebugPrivilege | 1452 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: WerFault.exe, powershell.exe
  pid | process
  3852 | WerFault.exe (13 entries)
  1452 | powershell.exe (3 entries)
- Drops startup file (2 IoCs)
  Processes: SecuriteInfo.com.LuheFihaA.17467.13354.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | SecuriteInfo.com.LuheFihaA.17467.13354.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | SecuriteInfo.com.LuheFihaA.17467.13354.exe
- NTFS ADS (1 IoC)
  Processes: SecuriteInfo.com.LuheFihaA.17467.13354.exe
  description | ioc | process
  File created | C:\ProgramData:ApplicationData | SecuriteInfo.com.LuheFihaA.17467.13354.exe
Processes (tree; the bracketed number is the process depth)
- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.LuheFihaA.17467.13354.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.LuheFihaA.17467.13354.exe"
  - Adds Run entry to start application
  - Suspicious use of WriteProcessMemory
  - Drops startup file
  - NTFS ADS
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell Add-MpPreference -ExclusionPath C:\
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 708
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
  - [2] C:\ProgramData\images.exe
    Command line: "C:\ProgramData\images.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Add-MpPreference -ExclusionPath C:\
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\images.exe
- C:\ProgramData\images.exe
- memory/1232-54-0x0000000000000000-mapping.dmp
- memory/1232-53-0x0000000000000000-mapping.dmp
- memory/1452-52-0x0000000000000000-mapping.dmp
- memory/1508-0-0x0000000002FF0000-0x0000000003143000-memory.dmp (Filesize: 1.3MB)
- memory/2580-8-0x0000000000000000-mapping.dmp
- memory/2580-7-0x0000000000000000-mapping.dmp
- memory/2580-6-0x0000000000000000-mapping.dmp
- memory/2580-9-0x0000000000000000-mapping.dmp
- memory/2580-10-0x0000000000000000-mapping.dmp
- memory/2580-11-0x0000000000000000-mapping.dmp
- memory/2580-1-0x0000000000000000-mapping.dmp
- memory/2868-51-0x0000000000C80000-0x0000000000DD3000-memory.dmp (Filesize: 1.3MB)
- memory/2868-2-0x0000000000000000-mapping.dmp
- memory/3852-13-0x0000000005110000-0x0000000005111000-memory.dmp (Filesize: 4KB)
- memory/3852-50-0x0000000005510000-0x0000000005511000-memory.dmp (Filesize: 4KB)
- memory/3852-5-0x0000000004960000-0x0000000004961000-memory.dmp (Filesize: 4KB)