Analysis

  • max time kernel
    151s
  • max time network
    8s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 21:00

General

  • Target

    SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe

  • Size

    523KB

  • MD5

    d335904e0fc1209cced63553bebb5203

  • SHA1

    118580c111cd1d5da92c281647cb773d060dfb4b

  • SHA256

    55b8c931d255cef1b2541db94a1eea700b9849c253ca5b24f31aeaf272a276c9

  • SHA512

    59b89a9148f16fc9e0e9098dcb2f3fc12e146377fc097fc2012ee45800c1c7b7d4c1ef1125b387ffd1be47e46d2eac6f5504b91d2dbd13d28eecc372539a3506

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ru3211.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\thenewinvs.vbs" "C:\Users\Admin\AppData\Local\Temp\anothenwtshit.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\anothenwtshit.bat" "
          4⤵
          • Drops startup file
          PID:1448
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\anothenwtshit.bat

    MD5

    e9535cf2201a2839c23f486175d14710

    SHA1

    fd5001ac8695c525976c1182d31730576c8a0347

    SHA256

    e77650dfae30770e336cb673f103781e51313bcca0e4ca741f325062a02e0071

    SHA512

    a2ab37ae49f78eba44c34d4e84bc7cdeb44a82efa2b10d1d920251f23ad3957f202284da6cb445118c31444118c2cd0e3435cc33f9243393fe0d3cd1da64de94

  • C:\Users\Admin\AppData\Local\Temp\newrunn-.txt

    MD5

    d335904e0fc1209cced63553bebb5203

    SHA1

    118580c111cd1d5da92c281647cb773d060dfb4b

    SHA256

    55b8c931d255cef1b2541db94a1eea700b9849c253ca5b24f31aeaf272a276c9

    SHA512

    59b89a9148f16fc9e0e9098dcb2f3fc12e146377fc097fc2012ee45800c1c7b7d4c1ef1125b387ffd1be47e46d2eac6f5504b91d2dbd13d28eecc372539a3506

  • C:\Users\Admin\AppData\Local\Temp\ru3211.bat

    MD5

    d9f0a295ebedd93767d8153367753b57

    SHA1

    ee1bdf6de779d156dd5f9fc2b1d85ec33bf6ea9d

    SHA256

    8ce14cc19b08efd2964935c93a949aaf34cb94fc6d770686eb64d2e705c786ba

    SHA512

    064666269f7fa201046314c85bcbab1d66009d29387f93e033274c6aeb2d198bca2f3470e06e443a9fbd5f1e1f29dc759bdcb90316f368f77dd6381a4ac24962

  • C:\Users\Admin\AppData\Local\Temp\thenewinvs.vbs

    MD5

    c578d9653b22800c3eb6b6a51219bbb8

    SHA1

    a97aa251901bbe179a48dbc7a0c1872e163b1f2d

    SHA256

    20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

    SHA512

    3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe

    MD5

    6e6a4cee2c9bf752d86844c3c09f2f3d

    SHA1

    4dbc076a5c80b8f2c65e26fd52d3faad18cc8ec9

    SHA256

    ada4a712712fd1831628d042f2f5fa0fc20f9faa0491c470e2e1da288b658a49

    SHA512

    1bc14f44c18a44916032bc59fff9529448ad14a7c939dc162edf2359f73274a63e5acc5379e557f82ab58d506ca6a6de23144ed0f25e8948782445e8a89d7fc8

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe

    MD5

    6e6a4cee2c9bf752d86844c3c09f2f3d

    SHA1

    4dbc076a5c80b8f2c65e26fd52d3faad18cc8ec9

    SHA256

    ada4a712712fd1831628d042f2f5fa0fc20f9faa0491c470e2e1da288b658a49

    SHA512

    1bc14f44c18a44916032bc59fff9529448ad14a7c939dc162edf2359f73274a63e5acc5379e557f82ab58d506ca6a6de23144ed0f25e8948782445e8a89d7fc8

  • \Users\Admin\AppData\Local\Temp\tmp.exe

    MD5

    6e6a4cee2c9bf752d86844c3c09f2f3d

    SHA1

    4dbc076a5c80b8f2c65e26fd52d3faad18cc8ec9

    SHA256

    ada4a712712fd1831628d042f2f5fa0fc20f9faa0491c470e2e1da288b658a49

    SHA512

    1bc14f44c18a44916032bc59fff9529448ad14a7c939dc162edf2359f73274a63e5acc5379e557f82ab58d506ca6a6de23144ed0f25e8948782445e8a89d7fc8

  • \Users\Admin\AppData\Local\Temp\tmp.exe

    MD5

    6e6a4cee2c9bf752d86844c3c09f2f3d

    SHA1

    4dbc076a5c80b8f2c65e26fd52d3faad18cc8ec9

    SHA256

    ada4a712712fd1831628d042f2f5fa0fc20f9faa0491c470e2e1da288b658a49

    SHA512

    1bc14f44c18a44916032bc59fff9529448ad14a7c939dc162edf2359f73274a63e5acc5379e557f82ab58d506ca6a6de23144ed0f25e8948782445e8a89d7fc8

  • memory/1028-0-0x0000000000000000-mapping.dmp

  • memory/1284-13-0x0000000002880000-0x0000000002884000-memory.dmp

    Filesize

    16KB

  • memory/1284-2-0x0000000000000000-mapping.dmp

  • memory/1336-5-0x0000000000000000-mapping.dmp

  • memory/1448-12-0x0000000000000000-mapping.dmp