Analysis

max time kernel: 152s
max time network: 40s
platform: windows7_x64
resource: win7v200722
submitted: 01-08-2020 19:30

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe
Resource: win7v200722 (windows7_x64)
0 signatures, 0 seconds
General

Target: SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe
Size: 52KB
MD5: 69ad69047088324a6a754b904abb0c55
SHA1: e91627fd943b1de0c7cd92a9e3b9217765f20baf
SHA256: 69cef8fa1209f02ef528ee93959c7c5e20a10e603b8a4251ba673d4cfd9e4b5e
SHA512: c6b81bd1645976744e7251c673bafce4f0154bca915334c3e2c62673194505e55ffc3477f32926c60251e49f04a2b569c078d5111a445db289de4a73585236ef
Score: 10/10
Malware Config

(none shown in this report)

Signatures

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Process: server.exe (PID 1048)
  Token: SeDebugPrivilege (once), followed by 15 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege.
  Note: "33" is a privilege the sandbox reported by LUID instead of name (33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h). The entry that matters is SeDebugPrivilege: it is what a process enables before opening and writing processes it does not own.

Modifies Windows Firewall (1 TTP)
  See the netsh.exe command line under Processes.

Modifies service (2 TTPs, 5 IoCs)
  Process: netsh.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI
  Note: all five keys sit under the NapAgent (Network Access Protection) service and are written by netsh.exe itself, most likely a side effect of netsh initialising its NAP helper on Windows 7 rather than the sample deliberately tampering with a service. The firewall change on the netsh command line is the behaviour worth acting on.

Loads dropped DLL (1 IoC)
  Process: SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe (PID 336)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 336 (SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe) wrote to memory of PID 1048 (server.exe), 4 times
  PID 1048 (server.exe) wrote to memory of PID 1684 (netsh.exe), 4 times
  Note: each group of four writes targets a child the writer has just created (see the Processes tree), which is consistent with normal process start-up; the report shows no writes into an unrelated process.

Executes dropped EXE (1 IoC)
  Process: server.exe (PID 1048)
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe (PID 336)
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\server.exe (PID 1048)
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE

      3. C:\Windows\SysWOW64\netsh.exe (PID 1684)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
         - Modifies service

Chain in one line: the sample drops server.exe into the user's AppData\Roaming, runs it, and server.exe uses the legacy netsh firewall syntax to add itself as an allowed program in the Windows Firewall. netsh is launched from SysWOW64, so server.exe is a 32-bit process on this x64 guest.
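The chain above (a binary dropped under AppData\Roaming launching netsh to whitelist itself in the firewall) is a clean detection target. The Python below is an added example, not part of the sandbox report or the sample: it parses constructed process-creation events modelled on the tree above (the pipe-separated layout, the placeholder parent PIDs 1020 and 900, and the three extra netsh lines are assumptions), extracts the program path from both the legacy `netsh firewall add allowedprogram` form used here and the newer `netsh advfirewall firewall add rule` form (the latter goes beyond what the report shows), flags exceptions for binaries in user-writable locations, and raises the severity when the whitelisted binary is itself an ancestor of the netsh process.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events modelled on the report's tree
# (PIDs 336 -> 1048 -> 1684) plus three contrasting netsh launches.
# Layout "pid|ppid|image|command line" is an assumed, simplified log format,
# not real telemetry; parent PIDs 1020 and 900 are placeholders.
SAMPLE_EVENTS = r"""
336|1020|C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe|"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe"
1048|336|C:\Users\Admin\AppData\Roaming\server.exe|"C:\Users\Admin\AppData\Roaming\server.exe"
1684|1048|C:\Windows\SysWOW64\netsh.exe|netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
2100|900|C:\Windows\System32\netsh.exe|netsh interface show interface
2200|900|C:\Windows\System32\netsh.exe|netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Program Files\Vendor\updater.exe"
2300|900|C:\Windows\System32\netsh.exe|netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\ProgramData\x\svc.exe"
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_events(text):
    """Parse the pipe-separated events into {pid: Proc}, preserving log order."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


# Windows-style argument splitting: a token is a run of non-space characters in
# which double-quoted spans stay whole, including when glued to key= (program="C:\a b.exe").
_ARG_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def split_args(cmdline):
    return [m.group(0).replace('"', "") for m in _ARG_RE.finditer(cmdline)]


# Locations an unprivileged user can write to; a firewall exception for a
# binary here is far more suspicious than one under Program Files or System32.
_USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.I
)


def in_user_writable_dir(path):
    return bool(_USER_WRITABLE.match(path))


def firewall_allowed_program(args):
    """Return the program path a netsh command adds as a firewall exception, else None.

    Legacy form (what the sample ran):
      netsh firewall add allowedprogram <path> <name> [ENABLE|DISABLE]   (or program=<path>)
    Modern form:
      netsh advfirewall firewall add rule ... action=allow program=<path>
    """
    if not args or args[0].lower().rsplit("\\", 1)[-1] not in ("netsh", "netsh.exe"):
        return None
    low = [a.lower() for a in args]
    if "allowedprogram" in low and "add" in low:
        rest = args[low.index("allowedprogram") + 1:]
        for a in rest:
            if a.lower().startswith("program="):
                return a[len("program="):]
        return rest[0] if rest else None
    if "advfirewall" in low and "rule" in low and "add" in low and "action=allow" in low:
        for a in args:
            if a.lower().startswith("program="):
                return a[len("program="):]
    return None


def ancestry(procs, pid, limit=8):
    """Walk parents upward from pid (bounded, cycle-safe); stops at an unknown parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def detect(procs):
    """Flag netsh firewall exceptions for binaries in user-writable paths.

    Severity becomes 'high' when the whitelisted binary is an ancestor of the
    netsh process (self-whitelisting, as in this report) or when any ancestor
    runs from a user-writable path (drop-and-execute chain).
    """
    findings = []
    for p in procs.values():
        program = firewall_allowed_program(split_args(p.cmdline))
        if program is None or not in_user_writable_dir(program):
            continue
        chain = ancestry(procs, p.ppid)
        self_whitelist = any(a.image.lower() == program.lower() for a in chain)
        dropped_ancestor = any(in_user_writable_dir(a.image) for a in chain)
        findings.append({
            "pid": p.pid,
            "program": program,
            "self_whitelist": self_whitelist,
            "severity": "high" if (self_whitelist or dropped_ancestor) else "medium",
            "chain": [a.pid for a in chain],
        })
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] netsh pid {f['pid']} whitelisted {f['program']} "
              f"(self={f['self_whitelist']}, ancestors={f['chain']})")
```

Run against the constructed events, the netsh launch at PID 1684 comes out as high (its whitelisted path is the image of its own parent, PID 1048, which in turn was spawned from Temp), the ProgramData rule as medium, and the Program Files rule and the `netsh interface` call produce nothing. To use it on real data, replace the sample text with process-creation events from Sysmon Event ID 1 or Security 4688 mapped into the same four fields.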