Analysis
- max time kernel: 130s
- max time network: 18s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 20-11-2020 02:17

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe
Resource: win7v20201028
General
- Target: SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe
- Size: 4.6MB
- MD5: 2b850328e045c89a396af20bb10efe99
- SHA1: 277ac714f14b916fc1c6e8f45b9e8201cbb6c3e5
- SHA256: 20d4f5c1aeb9db0c7be6a5c2c88216412225e8419d4374a0e50c92d81c5e67fc
- SHA512: 0820697c24d729d6bdc227a6fa2fd6993265fc736daba86427eb9acb635cc8aba6b3a517384fe42ede40da2b1a1474c1273da3306309bbd724b9f38683b01450
Malware Config
Signatures
- Blacklisted process makes network request (1 IoC)
  Processes: flow 4, PID 1532 RUNDLL32.EXE
- Deletes itself (1 IoC)
  Processes: PID 1608 rundll32.exe
- Loads dropped DLL (8 IoCs)
  Processes: PID 1608 rundll32.exe (4 events); PID 1532 RUNDLL32.EXE (4 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (7 IoCs)
  Processes: RUNDLL32.EXE, file opened for modification:
    C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXBH52U7\desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: RUNDLL32.EXE
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: PID 1624 powershell.exe (2 events); PID 1532 RUNDLL32.EXE (2 events); PID 1480 powershell.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (Token: SeDebugPrivilege): PID 1608 rundll32.exe; PID 1532 RUNDLL32.EXE; PID 1624 powershell.exe; PID 1480 powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: PID 1532 RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (source PID wrote to memory of target PID):
    PID 1032 SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe -> PID 1608 rundll32.exe (7 events)
    PID 1608 rundll32.exe -> PID 1532 RUNDLL32.EXE (7 events)
    PID 1532 RUNDLL32.EXE -> PID 1624 powershell.exe (4 events)
    PID 1532 RUNDLL32.EXE -> PID 1480 powershell.exe (4 events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A3D902~1.DLL,A C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\A3D902~1.DLL,aQpfjBziAoD2
      - Blacklisted process makes network request
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4C1D.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp64DD.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\A3D902~1.DLL
  MD5: e808d8d7c58ba9976bef24c39d46d937
  SHA1: a9a0124804e066e5deac7eb01ad2766ab9421ff3
  SHA256: 7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820
  SHA512: a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63
- C:\Users\Admin\AppData\Local\Temp\tmp4C1D.tmp.ps1
  MD5: f2e5a6322d75cc8db20a13be20dddf7c
  SHA1: 80981da28483ef69a9517ace6ec1b4043add2b4b
  SHA256: 5eef7d65c380e98829f3eccaba719c7da472c17542967015b3301d2cd903d98a
  SHA512: f6da640c78c3adfbe4ab148e009cedc9229f6cb6d125986ff258edcea6a8bfab029a9108f32beee6d1a4451c73ef213c01063472c8ac1120720a2323dec6559a
- C:\Users\Admin\AppData\Local\Temp\tmp64DD.tmp.ps1
  MD5: b0586ac78b9619ed5069e2d97020d4ac
  SHA1: 8d2844a30154dd60d7f49594b82ffd139f1ce707
  SHA256: f4b6d2189fca169ca795559d45b1ce8bad210cd1436be5b2f4ba3f154efefb45
  SHA512: fada5bf7533ac2a7c4b2ab12ff87a47b0a6a3e311c34ace66b46e2ebc4e590376a9446aef6d44b94982bc4c5fb101e4ff33ed8fc90cc467e67f36102f2ab24a6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 24dcad5c541ab4e91ec479dde0800b18
  SHA1: 61db7bee8f6146ceba6f4a942632ab3dadc48372
  SHA256: e1604302a08394fedb0bd0c405b806ccfabd95c1f456126f134de1693ac6ae6a
  SHA512: 5ae3de3354b1b3636dcec17677ce5958756f1e2440fb46d01b27950e19781631aa4265c3e5a7cf66f5b642c1f2c47b6af0ced52dd4f0b6e80fa0048ed538eeff
- \??\PIPE\srvsvc (zero-length content; these are the digests of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Users\Admin\AppData\Local\Temp\A3D902~1.DLL (listed 8 times with identical hashes; same file as the C:\ entry above)
  MD5: e808d8d7c58ba9976bef24c39d46d937
  SHA1: a9a0124804e066e5deac7eb01ad2766ab9421ff3
  SHA256: 7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820
  SHA512: a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63
- memory/1012-25-0x000007FEF6380000-0x000007FEF65FA000-memory.dmp (2.5MB)
- memory/1032-0-0x0000000004E70000-0x00000000052F4000-memory.dmp (4.5MB)
- memory/1032-1-0x0000000005300000-0x0000000005311000-memory.dmp (68KB)
- memory/1480-39-0x00000000051B0000-0x00000000051B1000-memory.dmp (4KB)
- memory/1480-38-0x00000000047C0000-0x00000000047C1000-memory.dmp (4KB)
- memory/1480-37-0x0000000002470000-0x0000000002471000-memory.dmp (4KB)
- memory/1480-36-0x0000000072B50000-0x000000007323E000-memory.dmp (6.9MB)
- memory/1480-40-0x0000000005300000-0x0000000005301000-memory.dmp (4KB)
- memory/1480-33-0x0000000000000000-mapping.dmp
- memory/1532-24-0x00000000035E0000-0x00000000035E1000-memory.dmp (4KB)
- memory/1532-21-0x00000000035E0000-0x00000000035E1000-memory.dmp (4KB)
- memory/1532-9-0x0000000000000000-mapping.dmp
- memory/1532-14-0x0000000002A40000-0x0000000003098000-memory.dmp (6.3MB)
- memory/1532-22-0x00000000035E0000-0x00000000035E1000-memory.dmp (4KB)
- memory/1532-20-0x00000000035E0000-0x00000000035E1000-memory.dmp (4KB)
- memory/1532-23-0x00000000035E0000-0x00000000035E1000-memory.dmp (4KB)
- memory/1532-19-0x00000000035E0000-0x00000000035E1000-memory.dmp (4KB)
- memory/1608-8-0x00000000025E0000-0x0000000002C38000-memory.dmp (6.3MB)
- memory/1608-2-0x0000000000000000-mapping.dmp
- memory/1624-26-0x0000000000000000-mapping.dmp
- memory/1624-31-0x0000000005240000-0x0000000005241000-memory.dmp (4KB)
- memory/1624-27-0x0000000073030000-0x000000007371E000-memory.dmp (6.9MB)
- memory/1624-30-0x0000000005140000-0x0000000005141000-memory.dmp (4KB)
- memory/1624-29-0x0000000004870000-0x0000000004871000-memory.dmp (4KB)
- memory/1624-28-0x0000000001FD0000-0x0000000001FD1000-memory.dmp (4KB)