Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7
- submitted: 01-08-2020 19:33
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe
- Size: 115KB
- MD5: 2d96d4b232edab88dd7bf3ab0e87f5f0
- SHA1: 7979259ca944d83302caa738fc01f460b31e8d85
- SHA256: d85623e40ad2ce2710913d1033fc78e3c0c7151837f4af41bf592ceb5bf68cdf
- SHA512: 5caf735b63dba73089268a9887148cee5cd1584128298e049425ffbdf52138d75b93298ae388dbd935d3d7f39a1e9238757d9cab7ab150a72000e9a2a56009ac
- Score: 8/10
Malware Config
Signatures
- Modifies service (2 TTPs, 5 IoCs)
  Processes: netsh.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI | netsh.exe
- Modifies Windows Firewall (1 TTPs)
- Loads dropped DLL (1 IoCs)
  Processes: SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe
  pid | process
  1080 | SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: System.exe
  pid | process
  1076 | System.exe
  1076 | System.exe
  1076 | System.exe
- Drops startup file (2 IoCs)
  Processes: System.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe | System.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe | System.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: System.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\301b5fcf8ce2fab8868e80b6c1f912fe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .." | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\301b5fcf8ce2fab8868e80b6c1f912fe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .." | System.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe, System.exe
  description | pid | process | target process
  PID 1080 wrote to memory of 1076 | 1080 | SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe | System.exe
  PID 1080 wrote to memory of 1076 | 1080 | SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe | System.exe
  PID 1080 wrote to memory of 1076 | 1080 | SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe | System.exe
  PID 1080 wrote to memory of 1076 | 1080 | SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe | System.exe
  PID 1076 wrote to memory of 1452 | 1076 | System.exe | netsh.exe
  PID 1076 wrote to memory of 1452 | 1076 | System.exe | netsh.exe
  PID 1076 wrote to memory of 1452 | 1076 | System.exe | netsh.exe
  PID 1076 wrote to memory of 1452 | 1076 | System.exe | netsh.exe
- Executes dropped EXE (1 IoCs)
  Processes: System.exe
  pid | process
  1076 | System.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: System.exe
  description | pid | process
  Token: SeDebugPrivilege | 1076 | System.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\System.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\System.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
         - Modifies service