Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows10_x64
- resource: win10
- submitted: 01-08-2020 19:33
Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe
- Size: 115KB
- MD5: 2d96d4b232edab88dd7bf3ab0e87f5f0
- SHA1: 7979259ca944d83302caa738fc01f460b31e8d85
- SHA256: d85623e40ad2ce2710913d1033fc78e3c0c7151837f4af41bf592ceb5bf68cdf
- SHA512: 5caf735b63dba73089268a9887148cee5cd1584128298e049425ffbdf52138d75b93298ae388dbd935d3d7f39a1e9238757d9cab7ab150a72000e9a2a56009ac
- Score: 8/10
Malware Config
Signatures

- Drops startup file (2 IoCs)
  Processes: System.exe
  description / ioc / process:
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe (System.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe (System.exe)

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe, System.exe
  description / pid / process / target process:
  - PID 3856 wrote to memory of 2892: 3856 SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe -> System.exe
  - PID 3856 wrote to memory of 2892: 3856 SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe -> System.exe
  - PID 3856 wrote to memory of 2892: 3856 SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe -> System.exe
  - PID 2892 wrote to memory of 3616: 2892 System.exe -> netsh.exe
  - PID 2892 wrote to memory of 3616: 2892 System.exe -> netsh.exe
  - PID 2892 wrote to memory of 3616: 2892 System.exe -> netsh.exe

- Executes dropped EXE (1 IoCs)
  Processes: System.exe
  pid / process:
  - 2892 System.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: System.exe
  description / pid / process:
  - Token: SeDebugPrivilege, 2892 System.exe

- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes: System.exe
  pid / process:
  - 2892 System.exe (13 identical entries)

- Modifies Windows Firewall (1 TTPs)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: System.exe
  description / ioc / process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\301b5fcf8ce2fab8868e80b6c1f912fe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .." (System.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\301b5fcf8ce2fab8868e80b6c1f912fe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .." (System.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader33.36721.26238.29912.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\System.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\System.exe"
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run key to start application

      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE