Analysis

max time kernel: 133s
max time network: 137s
platform: windows7_x64
resource: win7
submitted: 16/07/2020, 22:47

Static task: static1

Behavioral task: behavioral1
Sample: SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe
Resource: win7
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe
Resource: win10v200430
0 signatures, 0 seconds
General

Target: SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe
Size: 288KB
MD5: 4373f1b989912d0121641f23a05b2f62
SHA1: a11deb05354e51c737b263435dcab3fd2e26e90b
SHA256: 4601b57fb9acf7117686773d8616efcac498591a6b650acc9a4f96871e9694b5
SHA512: f82d8645c622c8e9c903b757c31d15de92362625113ea78f4c46f1857df166ef6e28bddece4fc157ace8306466c5906b128e215b527a2f49d92daefcf5fe4de4
Score: 5/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (39 IoCs)

Identical rows collapsed; the last column is how many times each entry appears in the report (4 + 7 + 7 + 15 + 6 = 39).

description                       pid   Process                                               procid_target  entries
PID 1032 wrote to memory of 1432  1032  SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe  24             4
PID 1032 wrote to memory of 1616  1032  SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe  26             7
PID 1032 wrote to memory of 108   1032  SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe  27             7
PID 1032 wrote to memory of 1632  1032  SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe  28             15
PID 1632 wrote to memory of 764   1632  RegSvcs.exe                                           29             6
Suspicious use of AdjustPrivilegeToken (1 IoC)

description              pid   Process
Token: SeDebugPrivilege  1032  SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid   Process
1032  SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe
1032  SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe
Suspicious use of SetThreadContext (1 IoC)

description                          pid   Process                                               procid_target
PID 1032 set thread context of 1632  1032  SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe  28

Read together with the WriteProcessMemory entries above, this is the sequence of process hollowing: the sample starts a signed .NET host (RegSvcs.exe), writes into it, then redirects its thread. Of the three RegSvcs.exe instances the sample writes into (1616, 108, 1632), only 1632 has its thread context changed, and only 1632 does anything afterwards: it writes into, and spawns, cmd.exe (PID 764).
Creates scheduled task(s) (1 TTP, 1 IoC)

Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task, named Updates\DWUNWlQtxJa, is imported from an XML definition dropped in the user's Temp directory (tmpC8AB.tmp); with /XML the command line shows neither the trigger nor the action, so the XML file is the artefact to recover.

pid   Process
1432  schtasks.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe"
    PID: 1032
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext

    [2] C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWUNWlQtxJa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC8AB.tmp"
        PID: 1432
        - Creates scheduled task(s)

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "{path}"
        PID: 1616

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "{path}"
        PID: 108

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "{path}"
        PID: 1632
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe"
            PID: 764
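The behaviours that carry this report (WriteProcessMemory paired with SetThreadContext on a freshly started RegSvcs.exe, schtasks /Create importing an XML task from Temp, and the shell spawned by the redirected host) can be checked mechanically in process telemetry. The following is an added example written for this page, not code from the sandbox, the vendor or the sample. The event records are constructed to mirror the PIDs, images, command lines and call counts shown above; their layout (dicts with type/pid/ppid/image/cmdline, and api/target for API calls) is an assumption of this example, not any sensor's real schema, and the sample's own parent PID, which the report does not give, is left as None.

```python
import re
from collections import defaultdict

# Signed .NET framework utilities that are popular hollowing hosts: trusted,
# at a fixed path, and harmless when started with nothing but their own path.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
ARG = r'(?:"([^"]+)"|(\S+))'          # one quoted or bare command-line argument
XML_FLAG = re.compile(r"/xml\s+" + ARG, re.I)
TN_FLAG = re.compile(r"/tn\s+" + ARG, re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"


def proc(pid, ppid, image, cmdline):
    return {"type": "process_create", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


def api(pid, name, target, n=1):
    return [{"type": "api", "pid": pid, "api": name, "target": target}] * n


# Constructed telemetry (assumed record layout): PIDs, images, command lines
# and call counts are taken from the report; the sample's parent PID is unknown.
EVENTS = [
    proc(1032, None, SAMPLE, f'"{SAMPLE}"'),
    proc(1432, 1032, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWUNWlQtxJa" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpC8AB.tmp"'),
    proc(1616, 1032, REGSVCS, '"{path}"'),
    proc(108, 1032, REGSVCS, '"{path}"'),
    proc(1632, 1032, REGSVCS, '"{path}"'),
    proc(764, 1632, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    *api(1032, "WriteProcessMemory", 1432, 4),   # writes into schtasks: no hollowing
    *api(1032, "WriteProcessMemory", 1616, 7),
    *api(1032, "WriteProcessMemory", 108, 7),
    *api(1032, "WriteProcessMemory", 1632, 15),
    *api(1032, "SetThreadContext", 1632),        # only 1632 gets its thread redirected
    *api(1632, "WriteProcessMemory", 764, 6),
]


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _arg(match):
    return (match.group(1) or match.group(2)) if match else None


def children_of(events, pid):
    return [e["pid"] for e in events
            if e["type"] == "process_create" and e["ppid"] == pid]


def find_hollowing(events):
    """Pair WriteProcessMemory with SetThreadContext on the same (source, target).

    Writes alone are noisy: the sample also writes into schtasks.exe and into
    two RegSvcs.exe instances it never redirects. Changing the child's thread
    context after writing is what separates hollowing from process start-up.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = defaultdict(int)
    redirected = set()
    for e in events:
        if e["type"] != "api":
            continue
        key = (e["pid"], e["target"])
        if e["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif e["api"] == "SetThreadContext":
            redirected.add(key)
    hits = []
    for src, dst in sorted(redirected & set(writes)):
        child = procs.get(dst, {"image": "", "cmdline": ""})
        cmd = child["cmdline"].strip('" ')
        hits.append({
            "parent": src, "child": dst, "writes": writes[(src, dst)],
            "image": child["image"],
            "dotnet_host": _name(child["image"]) in DOTNET_HOSTS,
            # no real arguments: its own path, or the literal "{path}" the report shows
            "bare_cmdline": cmd in ("{path}", child["image"]),
            "children": children_of(events, dst),   # what the redirected host ran next
        })
    return hits


def find_temp_scheduled_tasks(events):
    """schtasks /Create that imports its task definition from a temp directory.

    With /XML the command line reveals neither trigger nor action, so the
    dropped XML file is the artefact to collect.
    """
    hits = []
    for e in events:
        if e["type"] != "process_create" or _name(e["image"]) != "schtasks.exe":
            continue
        cmd = e["cmdline"]
        if not re.search(r"/create\b", cmd, re.I):
            continue
        xml = _arg(XML_FLAG.search(cmd))
        if xml and TEMP_DIR.search(xml):
            hits.append({
                "pid": e["pid"], "parent": e["ppid"],
                "task_name": _arg(TN_FLAG.search(cmd)), "xml": xml,
                # image under SysWOW64 while the command line says System32:
                # file-system redirection, i.e. a 32-bit caller on 64-bit Windows
                "wow64": "\\syswow64\\" in e["image"].lower()
                         and "\\system32\\" in cmd.lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(EVENTS):
        print("process hollowing:", hit)
    for hit in find_temp_scheduled_tasks(EVENTS):
        print("scheduled task from temp:", hit)
```

Run as-is it reports one hollowing hit (1032 into 1632, 15 writes, a .NET host with a bare command line, which then spawned PID 764) and one scheduled task imported from Temp (Updates\DWUNWlQtxJa from tmpC8AB.tmp, launched through WOW64). The four writes into schtasks.exe and the writes into RegSvcs.exe 1616 and 108 are deliberately not flagged, because no thread redirection follows them.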