55b8c931d255cef1b2541db94a1eea700b9849c253ca5b24f31aeaf272a276c9

General

Target

SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
Size

523KB
MD5

d335904e0fc1209cced63553bebb5203
SHA1

118580c111cd1d5da92c281647cb773d060dfb4b
SHA256

55b8c931d255cef1b2541db94a1eea700b9849c253ca5b24f31aeaf272a276c9
SHA512

59b89a9148f16fc9e0e9098dcb2f3fc12e146377fc097fc2012ee45800c1c7b7d4c1ef1125b387ffd1be47e46d2eac6f5504b91d2dbd13d28eecc372539a3506

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

1336 tmp.exe

pid	process
1336	tmp.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tmp.exe	upx
\Users\Admin\AppData\Local\Temp\tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\tmp.exe	upx

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart_office.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart_office.exe	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe

pid process

1668 SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
1668 SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe

pid	process
1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.MSIL11.BQEP.16523.30026.exetmp.exe

description	pid	process
Token: SeDebugPrivilege	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
Token: 33	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
Token: SeIncBasePriorityPrivilege	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
Token: SeDebugPrivilege	1336	tmp.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

tmp.exe

pid process

1336 tmp.exe
1336 tmp.exe
1336 tmp.exe
1336 tmp.exe

pid	process
1336	tmp.exe
1336	tmp.exe
1336	tmp.exe
1336	tmp.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

SecuriteInfo.com.MSIL11.BQEP.16523.30026.execmd.exewscript.exe

description	pid	process	target process
PID 1668 wrote to memory of 1028	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe	cmd.exe
PID 1668 wrote to memory of 1028	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe	cmd.exe
PID 1668 wrote to memory of 1028	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe	cmd.exe
PID 1668 wrote to memory of 1028	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe	cmd.exe
PID 1028 wrote to memory of 1284	1028	cmd.exe	wscript.exe
PID 1028 wrote to memory of 1284	1028	cmd.exe	wscript.exe
PID 1028 wrote to memory of 1284	1028	cmd.exe	wscript.exe
PID 1028 wrote to memory of 1284	1028	cmd.exe	wscript.exe
PID 1668 wrote to memory of 1336	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe	tmp.exe
PID 1668 wrote to memory of 1336	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe	tmp.exe
PID 1668 wrote to memory of 1336	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe	tmp.exe
PID 1668 wrote to memory of 1336	1668	SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe	tmp.exe
PID 1284 wrote to memory of 1448	1284	wscript.exe	cmd.exe
PID 1284 wrote to memory of 1448	1284	wscript.exe	cmd.exe
PID 1284 wrote to memory of 1448	1284	wscript.exe	cmd.exe
PID 1284 wrote to memory of 1448	1284	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ru3211.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\thenewinvs.vbs" "C:\Users\Admin\AppData\Local\Temp\anothenwtshit.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\anothenwtshit.bat" "
4⤵
- Drops startup file
PID:1448

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\anothenwtshit.bat
MD5
e9535cf2201a2839c23f486175d14710

SHA1
fd5001ac8695c525976c1182d31730576c8a0347

SHA256
e77650dfae30770e336cb673f103781e51313bcca0e4ca741f325062a02e0071

SHA512
a2ab37ae49f78eba44c34d4e84bc7cdeb44a82efa2b10d1d920251f23ad3957f202284da6cb445118c31444118c2cd0e3435cc33f9243393fe0d3cd1da64de94

Download Submit
C:\Users\Admin\AppData\Local\Temp\newrunn-.txt
MD5
d335904e0fc1209cced63553bebb5203

SHA1
118580c111cd1d5da92c281647cb773d060dfb4b

SHA256
55b8c931d255cef1b2541db94a1eea700b9849c253ca5b24f31aeaf272a276c9

SHA512
59b89a9148f16fc9e0e9098dcb2f3fc12e146377fc097fc2012ee45800c1c7b7d4c1ef1125b387ffd1be47e46d2eac6f5504b91d2dbd13d28eecc372539a3506

Download Submit
C:\Users\Admin\AppData\Local\Temp\ru3211.bat
MD5
d9f0a295ebedd93767d8153367753b57

SHA1
ee1bdf6de779d156dd5f9fc2b1d85ec33bf6ea9d

SHA256
8ce14cc19b08efd2964935c93a949aaf34cb94fc6d770686eb64d2e705c786ba

SHA512
064666269f7fa201046314c85bcbab1d66009d29387f93e033274c6aeb2d198bca2f3470e06e443a9fbd5f1e1f29dc759bdcb90316f368f77dd6381a4ac24962

Download Submit
C:\Users\Admin\AppData\Local\Temp\thenewinvs.vbs
MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
MD5
6e6a4cee2c9bf752d86844c3c09f2f3d

SHA1
4dbc076a5c80b8f2c65e26fd52d3faad18cc8ec9

SHA256
ada4a712712fd1831628d042f2f5fa0fc20f9faa0491c470e2e1da288b658a49

SHA512
1bc14f44c18a44916032bc59fff9529448ad14a7c939dc162edf2359f73274a63e5acc5379e557f82ab58d506ca6a6de23144ed0f25e8948782445e8a89d7fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
MD5
6e6a4cee2c9bf752d86844c3c09f2f3d

SHA1
4dbc076a5c80b8f2c65e26fd52d3faad18cc8ec9

SHA256
ada4a712712fd1831628d042f2f5fa0fc20f9faa0491c470e2e1da288b658a49

SHA512
1bc14f44c18a44916032bc59fff9529448ad14a7c939dc162edf2359f73274a63e5acc5379e557f82ab58d506ca6a6de23144ed0f25e8948782445e8a89d7fc8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
MD5
6e6a4cee2c9bf752d86844c3c09f2f3d

SHA1
4dbc076a5c80b8f2c65e26fd52d3faad18cc8ec9

SHA256
ada4a712712fd1831628d042f2f5fa0fc20f9faa0491c470e2e1da288b658a49

SHA512
1bc14f44c18a44916032bc59fff9529448ad14a7c939dc162edf2359f73274a63e5acc5379e557f82ab58d506ca6a6de23144ed0f25e8948782445e8a89d7fc8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
MD5
6e6a4cee2c9bf752d86844c3c09f2f3d

SHA1
4dbc076a5c80b8f2c65e26fd52d3faad18cc8ec9

SHA256
ada4a712712fd1831628d042f2f5fa0fc20f9faa0491c470e2e1da288b658a49

SHA512
1bc14f44c18a44916032bc59fff9529448ad14a7c939dc162edf2359f73274a63e5acc5379e557f82ab58d506ca6a6de23144ed0f25e8948782445e8a89d7fc8

Download Submit
memory/1028-0-0x0000000000000000-mapping.dmp

Download
memory/1284-13-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/1284-2-0x0000000000000000-mapping.dmp

Download
memory/1336-5-0x0000000000000000-mapping.dmp

Download
memory/1448-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads