4af607b8f0a25a2125d39656c45466ce256e10d053c7e4b1b230ea839648b076

General

Target

SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
Size

322KB
MD5

75363c46c34315176a3037ae4cf38269
SHA1

7887760491424f8ca1bdb120877424e694b49c8a
SHA256

4af607b8f0a25a2125d39656c45466ce256e10d053c7e4b1b230ea839648b076
SHA512

f7fca634abe83973b4e66a20c4e753cd8f69cd287dab84accf06519f3d145b23da421015e7ae70bb37603c9399dcebfaacff2b61154190d39fbb9b3d8ae47eec

Score

8^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe

description pid process

Token: SeDebugPrivilege 3952 SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe

description	pid	process
Token: SeDebugPrivilege	3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe

pid	process
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.execmd.exe

description	pid	process	target process
PID 3952 wrote to memory of 1000	3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe	securiteinfo.com.trojan.downloader19.14585.15763.1162.exe
PID 3952 wrote to memory of 1000	3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe	securiteinfo.com.trojan.downloader19.14585.15763.1162.exe
PID 3952 wrote to memory of 1000	3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe	securiteinfo.com.trojan.downloader19.14585.15763.1162.exe
PID 3952 wrote to memory of 1012	3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe	cmd.exe
PID 3952 wrote to memory of 1012	3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe	cmd.exe
PID 3952 wrote to memory of 1012	3952	SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe	cmd.exe
PID 1012 wrote to memory of 1412	1012	cmd.exe	PING.EXE
PID 1012 wrote to memory of 1412	1012	cmd.exe	PING.EXE
PID 1012 wrote to memory of 1412	1012	cmd.exe	PING.EXE

Executes dropped EXE 1 IoCs

Processes:

securiteinfo.com.trojan.downloader19.14585.15763.1162.exe

pid process

1000 securiteinfo.com.trojan.downloader19.14585.15763.1162.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1412 PING.EXE

pid	process
1000	securiteinfo.com.trojan.downloader19.14585.15763.1162.exe

pid	process
1412	PING.EXE

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\Temp\securiteinfo.com.trojan.downloader19.14585.15763.1162\securiteinfo.com.trojan.downloader19.14585.15763.1162.exe
"C:\Users\Admin\AppData\Local\Temp\securiteinfo.com.trojan.downloader19.14585.15763.1162\securiteinfo.com.trojan.downloader19.14585.15763.1162.exe"
2⤵
- Executes dropped EXE
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader19.14585.15763.1162.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
3⤵
- Runs ping.exe
PID:1412

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\securiteinfo.com.trojan.downloader19.14585.15763.1162.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Temp\securiteinfo.com.trojan.downloader19.14585.15763.1162\securiteinfo.com.trojan.downloader19.14585.15763.1162.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\securiteinfo.com.trojan.downloader19.14585.15763.1162\securiteinfo.com.trojan.downloader19.14585.15763.1162.exe

Download Submit
memory/1000-0-0x0000000000000000-mapping.dmp

Download
memory/1012-3-0x0000000000000000-mapping.dmp

Download
memory/1412-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing