Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows10_x64
- resource: win10
- submitted: 01-08-2020 19:30
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe
Resource: win7v200722 (windows7_x64)
0 signatures, 0 seconds
General
- Target: SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe
- Size: 52KB
- MD5: 69ad69047088324a6a754b904abb0c55
- SHA1: e91627fd943b1de0c7cd92a9e3b9217765f20baf
- SHA256: 69cef8fa1209f02ef528ee93959c7c5e20a10e603b8a4251ba673d4cfd9e4b5e
- SHA512: c6b81bd1645976744e7251c673bafce4f0154bca915334c3e2c62673194505e55ffc3477f32926c60251e49f04a2b569c078d5111a445db289de4a73585236ef
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 2008 wrote to memory of 3916 | 2008 | SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe | server.exe
  PID 2008 wrote to memory of 3916 | 2008 | SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe | server.exe
  PID 2008 wrote to memory of 3916 | 2008 | SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe | server.exe
  PID 3916 wrote to memory of 2568 | 3916 | server.exe | netsh.exe
  PID 3916 wrote to memory of 2568 | 3916 | server.exe | netsh.exe
  PID 3916 wrote to memory of 2568 | 3916 | server.exe | netsh.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  3916 | server.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
  Token: 33 | 3916 | server.exe
  Token: SeIncBasePriorityPrivilege | 3916 | server.exe
- Modifies Windows Firewall (1 TTP)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    Child process:
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE