Overview

overview

8

Static

static

SecuriteIn...07.exe

windows7_x64

8

SecuriteIn...07.exe

windows10_x64

8

Analysis

  • max time kernel
    128s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    31-07-2020 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Generic.mg.df55c9b32a24d8d8.14207.exe

  • Size

    143KB

  • MD5

    df55c9b32a24d8d847ca3580488cab96

  • SHA1

    44962f29fcb30d3efbb3477f144f065ab60e9b08

  • SHA256

    2c266a9a9c74705680c09276003465f35878052e5d0f6d9c79383a31aed6822e

  • SHA512

    349895726d6757df2431d6224e154d3ec660711cb30a131717d24a192c797ce3041c46de8880ceeed1452e4e5e5e43a8127e9966810ff535f37e0d94dc632fab

Score
8/10

Malware Config

Signatures

  • Drops file in Windows directory 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 134 IoCs
  • Executes dropped EXE 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.df55c9b32a24d8d8.14207.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.df55c9b32a24d8d8.14207.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3888
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 548
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:508
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 864
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:388
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 876
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:3288
  • C:\ProgramData\otbbl\ovsk.exe
    C:\ProgramData\otbbl\ovsk.exe start
    1⤵
    • Drops file in Windows directory
    • Executes dropped EXE
    PID:812
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 540
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:3904
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 800
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:2536
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 880
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 900
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3800
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 548
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:576
  • C:\Windows\TEMP\msjgli.exe
    C:\Windows\TEMP\msjgli.exe
    1⤵
    • Drops file in Windows directory
    • Executes dropped EXE
    PID:3788
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 536
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:664
  • C:\ProgramData\gsiciw\tooft.exe
    C:\ProgramData\gsiciw\tooft.exe start
    1⤵
    • Executes dropped EXE
    PID:3896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 540
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:4004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\gsiciw\tooft.exe
    Download Submit
  • C:\ProgramData\gsiciw\tooft.exe
    Download Submit
  • C:\ProgramData\otbbl\ovsk.exe
    Download Submit
  • C:\ProgramData\otbbl\ovsk.exe
    Download Submit
  • C:\Windows\TEMP\msjgli.exe
    Download Submit
  • C:\Windows\Tasks\ovsk.job
    Download Submit
  • C:\Windows\Temp\msjgli.exe
    Download Submit
  • memory/388-18-0x0000000004E00000-0x0000000004E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/388-21-0x0000000005610000-0x0000000005611000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-2-0x0000000004520000-0x0000000004521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-3-0x0000000004520000-0x0000000004521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/576-61-0x0000000004270000-0x0000000004271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/576-60-0x0000000003C00000-0x0000000003C01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/576-55-0x0000000003800000-0x0000000003801000-memory.dmp
    Filesize

    4KB

    Download
  • memory/664-57-0x0000000003AC0000-0x0000000003AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/664-62-0x00000000042F0000-0x00000000042F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/664-54-0x0000000003AC0000-0x0000000003AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/812-8-0x000000000349C000-0x000000000349D000-memory.dmp
    Filesize

    4KB

    Download
  • memory/812-9-0x0000000003DD0000-0x0000000003DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2536-14-0x0000000002DB0000-0x0000000002DB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2536-17-0x0000000003460000-0x0000000003461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2988-29-0x00000000036F0000-0x00000000036F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2988-32-0x0000000003D20000-0x0000000003D21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3288-25-0x00000000055B0000-0x00000000055B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3288-22-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-52-0x0000000003E80000-0x0000000003E81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-51-0x000000000359C000-0x000000000359D000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3800-33-0x0000000003020000-0x0000000003021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3888-0-0x00000000033D2000-0x00000000033D3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3888-1-0x00000000051E0000-0x00000000051E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3896-65-0x000000000359C000-0x000000000359D000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3896-66-0x0000000003DA0000-0x0000000003DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-13-0x0000000003530000-0x0000000003531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-10-0x0000000002E80000-0x0000000002E81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4004-67-0x0000000002CD0000-0x0000000002CD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4004-70-0x0000000003500000-0x0000000003501000-memory.dmp
    Filesize

    4KB

    Download