Analysis
- Max time kernel: 129s
- Max time network: 93s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 20-11-2020 02:17

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe
- Resource: win7v20201028

General
- Target: SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe
- Size: 4.6MB
- MD5: 2b850328e045c89a396af20bb10efe99
- SHA1: 277ac714f14b916fc1c6e8f45b9e8201cbb6c3e5
- SHA256: 20d4f5c1aeb9db0c7be6a5c2c88216412225e8419d4374a0e50c92d81c5e67fc
- SHA512: 0820697c24d729d6bdc227a6fa2fd6993265fc736daba86427eb9acb635cc8aba6b3a517384fe42ede40da2b1a1474c1273da3306309bbd724b9f38683b01450
Malware Config
Signatures
- Blacklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
  - flow 8, PID 2904, RUNDLL32.EXE
- Deletes itself (1 IoC)
  Processes (pid, process):
  - PID 836, rundll32.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
  - PID 836, rundll32.exe
  - PID 836, rundll32.exe
  - PID 2904, RUNDLL32.EXE
  - PID 2904, RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RUNDLL32.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (RUNDLL32.EXE)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
  - PID 4068, powershell.exe
  - PID 4068, powershell.exe
  - PID 4068, powershell.exe
  - PID 2904, RUNDLL32.EXE
  - PID 2904, RUNDLL32.EXE
  - PID 1800, powershell.exe
  - PID 1800, powershell.exe
  - PID 1800, powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, PID 836, rundll32.exe
  - Token: SeDebugPrivilege, PID 2904, RUNDLL32.EXE
  - Token: SeDebugPrivilege, PID 4068, powershell.exe
  - Token: SeDebugPrivilege, PID 1800, powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
  - PID 2904, RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 884 wrote to memory of 836: SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe -> rundll32.exe
  - PID 884 wrote to memory of 836: SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe -> rundll32.exe
  - PID 884 wrote to memory of 836: SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe -> rundll32.exe
  - PID 836 wrote to memory of 2904: rundll32.exe -> RUNDLL32.EXE
  - PID 836 wrote to memory of 2904: rundll32.exe -> RUNDLL32.EXE
  - PID 836 wrote to memory of 2904: rundll32.exe -> RUNDLL32.EXE
  - PID 2904 wrote to memory of 4068: RUNDLL32.EXE -> powershell.exe
  - PID 2904 wrote to memory of 4068: RUNDLL32.EXE -> powershell.exe
  - PID 2904 wrote to memory of 4068: RUNDLL32.EXE -> powershell.exe
  - PID 2904 wrote to memory of 1800: RUNDLL32.EXE -> powershell.exe
  - PID 2904 wrote to memory of 1800: RUNDLL32.EXE -> powershell.exe
  - PID 2904 wrote to memory of 1800: RUNDLL32.EXE -> powershell.exe
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\076B28~1.DLL,A C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE (depth 3)
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\076B28~1.DLL,Y14FfI0=
      - Blacklisted process makes network request
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp8524.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp9CA5.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped or written files)
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: 0f5cbdca905beb13bebdcf43fb0716bd
  SHA1: 9e136131389fde83297267faf6c651d420671b3f
  SHA256: a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060
  SHA512: a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 148306963e5f31698c5b1fca414c4bb6
  SHA1: 680fece2edb6a160bbf238b9c79c1048fff19452
  SHA256: a33a709be227822aebbd0d38c4ff923c2cd260407d4a205ce13a3eecebc1512d
  SHA512: 47b9e6050a92f9ed9f3e83e02686d75eb07a1c814443ec80011db3ceacda31ddc894e67edcc2912f71c77dda3404eee004145a2b3d855e8abb4ec813db352a15
- C:\Users\Admin\AppData\Local\Temp\076B28~1.DLL
  MD5: e808d8d7c58ba9976bef24c39d46d937
  SHA1: a9a0124804e066e5deac7eb01ad2766ab9421ff3
  SHA256: 7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820
  SHA512: a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63
- C:\Users\Admin\AppData\Local\Temp\tmp8524.tmp.ps1
  MD5: e826f6ac34d130553d849af9eba639eb
  SHA1: c796f092c3e9af5b85b32ad9a5c2fb1753b03afe
  SHA256: 1e72f1d6046641259790f1ecda63a19791cd8559e2b8153fec1df2adac24495d
  SHA512: 1a198360587a55ae14fd960639c7f7acd2fcbbe60cba3c558c7cd032db48f737b5b45f6531d646682dba3a020226f620fe824f557b57ca50bb07fc6065f8b80b
- C:\Users\Admin\AppData\Local\Temp\tmp9CA5.tmp.ps1
  MD5: 6b913a0189de147762d9dfda14b7d66b
  SHA1: 54c314e41b7d9b25e9b2ee14f2dc4a4c96a82c9e
  SHA256: 5b5adbe0070ce51b120ea6b445be84fe2636ec05269f5da079510fe5acb931bc
  SHA512: 1ffc11ce0928a1b561aedb8b0fcf9f34daacafe34e70214a078f7a22ac5f5f6645e6b7e658086650f4c32bdf14a803110cddc4f38c98cf022926abf44df6e597
Memory dumps (PID-index: address range, size)
- memory/836-2: mapping.dmp
- memory/836-6: 0x0000000004B60000-0x00000000051B8000 (6.3MB)
- memory/884-1: 0x0000000005640000-0x0000000005641000 (4KB)
- memory/1800-34: mapping.dmp
- memory/1800-36: 0x0000000070EC0000-0x00000000715AE000 (6.9MB)
- memory/1800-42: 0x0000000008020000-0x0000000008021000 (4KB)
- memory/1800-45: 0x0000000008470000-0x0000000008471000 (4KB)
- memory/2904-7: mapping.dmp
- memory/2904-10: 0x0000000004A60000-0x00000000050B8000 (6.3MB)
- memory/2904-15: 0x0000000005310000-0x0000000005311000 (4KB)
- memory/2904-21: 0x0000000005310000-0x0000000005411000 (1.0MB)
- memory/4068-22: mapping.dmp
- memory/4068-23: 0x0000000071520000-0x0000000071C0E000 (6.9MB)
- memory/4068-24: 0x0000000004D00000-0x0000000004D01000 (4KB)
- memory/4068-25: 0x0000000007840000-0x0000000007841000 (4KB)
- memory/4068-26: 0x0000000007740000-0x0000000007741000 (4KB)
- memory/4068-27: 0x0000000007E70000-0x0000000007E71000 (4KB)
- memory/4068-28: 0x0000000007EE0000-0x0000000007EE1000 (4KB)
- memory/4068-29: 0x0000000008100000-0x0000000008101000 (4KB)
- memory/4068-30: 0x00000000084F0000-0x00000000084F1000 (4KB)
- memory/4068-31: 0x0000000008820000-0x0000000008821000 (4KB)
- memory/4068-32: 0x0000000008870000-0x0000000008871000 (4KB)