Analysis

  • max time kernel
    61s
  • max time network
    77s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    01-08-2020 19:35

General

  • Target

    SecuriteInfo.com.Trojan.GenericKD.43569931.17547.14217.exe

  • Size

    531KB

  • MD5

    17e2541126192fb39fcfd63c4ea3308a

  • SHA1

    468cc15e755e368bc56c779ac801a95dffd6c4a9

  • SHA256

    a1bf9a7b8d6dd555ea81443658567d3d5cd91cdf57ccdbaf9557db1531349f64

  • SHA512

    8b9ad5da4ff25611e5d3cc1d7645a7ac9ea6b6c1e1f1dfb1953cd3c4fbd5cf3f5e86e1cf38a01aad787848eaa421ef7f1d242bc40a0567071143e53cb25df84c

Score
10/10

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Contains code to disable Windows Defender 7 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.43569931.17547.14217.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.43569931.17547.14217.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.43569931.17547.14217.exe
      "{path}"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Windows security modification
      PID:240
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1044

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Modify Existing Service (T1031), 1 match
  • Defense Evasion: Disabling Security Tools (T1089), 2 matches
  • Defense Evasion: Modify Registry (T1112), 2 matches

Downloads

  • memory/240-3-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize: 32KB
  • memory/240-4-0x0000000000403BEE-mapping.dmp
  • memory/240-5-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize: 32KB
  • memory/240-6-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize: 32KB
  • memory/1044-7-0x0000000000000000-mapping.dmp
  • memory/1320-1-0x0000000000000000-0x0000000000000000-disk.dmp