Analysis
- max time kernel: 134s
- max time network: 34s
- platform: windows7_x64
- resource: win7
- submitted: 30-07-2020 05:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- Resource: win7
General
- Target: SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- Size: 1.1MB
- MD5: 9940b1d4284582df2342b9c394b34d20
- SHA1: ffe310f517cc7e6e7dc6ca10007338b2c1d09f66
- SHA256: 087df168d78dcfd730fb669aad4b848c054f08cbab3c722c87a0be0aa5c598a7
- SHA512: b578d6c3a27f56d85ddeadcc8f96a40c3aa4c64684d9d0451769233997c2d0c0521ec7497d63d2da2686b227a9e6714492f1f6dc5ea2b280d08bf27608f491dd
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
  - http://www.klkjwre9fqwieluoi.info/
  - http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
-
Executes dropped EXE 1 IoCs
pid | Process
- 1448 | SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp
-
resource | yara_rule
- behavioral1/memory/1204-0-0x0000000001EC0000-0x0000000002F4E000-memory.dmp | upx
-
Loads dropped DLL 1 IoCs
pid | Process
- 1204 | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
-
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
-
Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\Y: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\Z: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\K: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\M: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\N: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\P: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\S: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\T: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\F: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\L: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\O: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\I: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\Q: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\W: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\X: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\E: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\G: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\H: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\V: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\J: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\R: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened (read-only) | \??\U: | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 7 IoCs
description | ioc | Process
- File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\DW\DW20.EXE | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\DW\DWTRIG20.EXE | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
- File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\EQUATION\EQNEDT32.EXE | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SYSTEM.INI | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
- 1204 | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe (13 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
- 1448 | SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 1204 | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe (31 identical entries)
-
Suspicious use of WriteProcessMemory 48 IoCs
description | pid | Process | procid_target
The 48 entries are repeats of four distinct rows, grouped here with their counts:
- PID 1204 wrote to memory of 1112 | 1204 | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe | 18 (13 entries)
- PID 1204 wrote to memory of 1216 | 1204 | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe | 19 (13 entries)
- PID 1204 wrote to memory of 1276 | 1204 | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe | 20 (13 entries)
- PID 1204 wrote to memory of 1448 | 1204 | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe | 24 (9 entries)
-
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1112
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1216
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1276
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Sector.30.16924.15564.exe"
    PID: 1204
    Signatures:
    - Modifies firewall policy service
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\is-CROUK.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-CROUK.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp" /SL5="$50132,805193,53248,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Sector.30.16924.15564.exe"
      PID: 1448
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
- Filesize: 669KB
- MD5: 52950ac9e2b481453082f096120e355a
- SHA1: 159c09db1abcee9114b4f792ffba255c78a6e6c3
- SHA256: 25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd
- SHA512: 5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba