Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 21:00

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
- Size: 523KB
- MD5: d335904e0fc1209cced63553bebb5203
- SHA1: 118580c111cd1d5da92c281647cb773d060dfb4b
- SHA256: 55b8c931d255cef1b2541db94a1eea700b9849c253ca5b24f31aeaf272a276c9
- SHA512: 59b89a9148f16fc9e0e9098dcb2f3fc12e146377fc097fc2012ee45800c1c7b7d4c1ef1125b387ffd1be47e46d2eac6f5504b91d2dbd13d28eecc372539a3506
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4040 | tmp.exe

- Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\tmp.exe | upx
  C:\Users\Admin\AppData\Local\Temp\tmp.exe | upx

- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart_office.exe | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart_office.exe | cmd.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3980 | SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
  Token: 33 | 3980 | SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
  Token: SeIncBasePriorityPrivilege | 3980 | SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
  Token: SeDebugPrivilege | 4040 | tmp.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  pid | process
  4040 | tmp.exe
  4040 | tmp.exe
  4040 | tmp.exe
  4040 | tmp.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 3980 wrote to memory of 756 | 3980 | SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe | cmd.exe
  PID 3980 wrote to memory of 756 | 3980 | SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe | cmd.exe
  PID 3980 wrote to memory of 756 | 3980 | SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe | cmd.exe
  PID 756 wrote to memory of 1176 | 756 | cmd.exe | wscript.exe
  PID 756 wrote to memory of 1176 | 756 | cmd.exe | wscript.exe
  PID 756 wrote to memory of 1176 | 756 | cmd.exe | wscript.exe
  PID 3980 wrote to memory of 4040 | 3980 | SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe | tmp.exe
  PID 3980 wrote to memory of 4040 | 3980 | SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe | tmp.exe
  PID 3980 wrote to memory of 4040 | 3980 | SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe | tmp.exe
  PID 1176 wrote to memory of 1520 | 1176 | wscript.exe | cmd.exe
  PID 1176 wrote to memory of 1520 | 1176 | wscript.exe | cmd.exe
  PID 1176 wrote to memory of 1520 | 1176 | wscript.exe | cmd.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL11.BQEP.16523.30026.exe"
  PID: 3980
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ru3211.bat" "
    PID: 756
    Signatures: Suspicious use of WriteProcessMemory

    - [depth 3] C:\Windows\SysWOW64\wscript.exe
      Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\thenewinvs.vbs" "C:\Users\Admin\AppData\Local\Temp\anothenwtshit.bat
      PID: 1176
      Signatures: Suspicious use of WriteProcessMemory

      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anothenwtshit.bat" "
        PID: 1520
        Signatures: Drops startup file

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    PID: 4040
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads