Analysis
- max time kernel: 117s
- max time network: 124s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 20:33
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Generic.mg.c273e75105e752ed.512.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Generic.mg.c273e75105e752ed.512.exe
  Resource: win10v200722
General
- Target: SecuriteInfo.com.Generic.mg.c273e75105e752ed.512.exe
- Size: 140KB
- MD5: c273e75105e752ed59f14f4d97683001
- SHA1: 5f1e89ae2529fd52bcad9d79a9cd933d27f3d274
- SHA256: 22d381feb748820ad07b312c2d6c9d82330b380fbf1676c82146f228d493d944
- SHA512: 0f4d178ecde5d937163c0dfd7f100098baecc3c5cef5b19293d61a8e3ede12f149788e0b04ec503756bcb73c42c027711ea75ec20385923c8e348dfa26e7ada7
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 1464 | process SecuriteInfo.com.Generic.mg.c273e75105e752ed.512.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
    PID 1016 wrote to memory of 336 | 1016 | taskeng.exe | mghcwau.exe
    PID 1016 wrote to memory of 336 | 1016 | taskeng.exe | mghcwau.exe
    PID 1016 wrote to memory of 336 | 1016 | taskeng.exe | mghcwau.exe
    PID 1016 wrote to memory of 336 | 1016 | taskeng.exe | mghcwau.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid 336 | process mghcwau.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\Tasks\mghcwau.job | SecuriteInfo.com.Generic.mg.c273e75105e752ed.512.exe
    File opened for modification | C:\Windows\Tasks\mghcwau.job | SecuriteInfo.com.Generic.mg.c273e75105e752ed.512.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    6 | api.ipify.org
    7 | api.ipify.org
    20 | api.ipify.org
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.c273e75105e752ed.512.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.c273e75105e752ed.512.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in Windows directory
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {E5C05134-87C1-441D-8CF3-B4645B789D1B} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\avxbp\mghcwau.exe (depth 2)
    Command line: C:\ProgramData\avxbp\mghcwau.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\avxbp\mghcwau.exe
- C:\ProgramData\avxbp\mghcwau.exe
- memory/336-3-0x0000000000000000-mapping.dmp
- memory/336-5-0x00000000033A6000-0x00000000033A7000-memory.dmp (Filesize: 4KB)
- memory/336-6-0x0000000003910000-0x0000000003921000-memory.dmp (Filesize: 68KB)
- memory/1464-0-0x0000000003426000-0x0000000003427000-memory.dmp (Filesize: 4KB)
- memory/1464-1-0x0000000004C20000-0x0000000004C31000-memory.dmp (Filesize: 68KB)