Analysis
-
max time kernel
145s -
max time network
109s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
01-08-2020 19:34
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
Resource
win7v200722
windows7_x64
0 signatures
0 seconds
General
-
Target
SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
-
Size
455KB
-
MD5
8c5fad5ff5c2c0af9ce18b5130f3d43c
-
SHA1
0e2cb2a9fd256afdb2a877fa0b8fbe6c7d30c6b4
-
SHA256
f11bf0f5b97161b5d27b4cbbc02fae52957df15646513874df10bc06d1d4e5df
-
SHA512
c3ecee109de715fb49ca3e8fd35b598c01ff59ccaf377bfb3b2f5d8463bad6e469a89f8dd56cdae3781335a72e3eb695c7dd4f675f9f64712e97f9fea5fafed2
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exedescription pid process target process PID 3956 wrote to memory of 2432 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe PID 3956 wrote to memory of 2432 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe PID 3956 wrote to memory of 2432 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe PID 3956 wrote to memory of 2440 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe PID 3956 wrote to memory of 2440 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe PID 3956 wrote to memory of 2440 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe PID 3956 wrote to memory of 2440 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe PID 3956 wrote to memory of 2440 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe PID 3956 wrote to memory of 2440 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exedescription pid process Token: SeDebugPrivilege 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exeSecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exepid process 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe 2440 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe 2440 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exedescription pid process target process PID 3956 set thread context of 2440 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe -
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2440-0-0x0000000000400000-0x000000000042D000-memory.dmp formbook behavioral2/memory/2440-0-0x0000000000400000-0x000000000042D000-memory.dmp formbook behavioral2/memory/2440-1-0x000000000041E200-mapping.dmp formbook
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses