Analysis
-
max time kernel
75s -
max time network
113s -
platform
windows10_x64 -
resource
win10 -
submitted
27-08-2020 20:33
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Generic.mg.22c1b894002c6ffd.12583.dll
Resource
win7v200722
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Generic.mg.22c1b894002c6ffd.12583.dll
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
SecuriteInfo.com.Generic.mg.22c1b894002c6ffd.12583.dll
-
Size
723KB
-
MD5
22c1b894002c6ffd1fdc2a75b48ddcda
-
SHA1
5037543f108882d6a0d5b1907d125d40e4126e32
-
SHA256
c91229d90c423cd5b5bf870cec714e5c956058c62f4b2036607d44f1767c50d2
-
SHA512
67fe107a5bf13fa041eed46c4477ced5fd1af826cd6fc7e5b0661f3690d1a1eeeb69973ef9ccb50c13bc38740711ad0070daaa4b23ef49c9f28c164a881c4a67
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3860 3840 WerFault.exe rundll32.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 8f0027c5b17cd601 svchost.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe 3860 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
svchost.exeWerFault.exedescription pid process Token: SeShutdownPrivilege 3584 svchost.exe Token: SeCreatePagefilePrivilege 3584 svchost.exe Token: SeRestorePrivilege 3860 WerFault.exe Token: SeBackupPrivilege 3860 WerFault.exe Token: SeDebugPrivilege 3860 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 720 wrote to memory of 3840 720 rundll32.exe rundll32.exe PID 720 wrote to memory of 3840 720 rundll32.exe rundll32.exe PID 720 wrote to memory of 3840 720 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.22c1b894002c6ffd.12583.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.22c1b894002c6ffd.12583.dll,#12⤵PID:3840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 6043⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3584