Analysis
Max time kernel: 135s
Max time network: 143s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 25-11-2020 15:57
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe
  Resource: win7v20201028
General
Target: SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe
Size: 376KB
MD5: 3eafc3e74deeffaccc2a203154265a30
SHA1: 0de031ececa86e4e318f266f291474fc73d491ac
SHA256: 100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea
SHA512: 2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f
Malware Config
Signatures
ServiceHost packer (22 IoCs)
Detects the ServiceHost packer used for .NET malware.
YARA rule servicehost matched 22 memory dumps of PID 1124 (Taurus22.exe):
  behavioral2/memory/1124-{16,17,18,19,20,21,22,23,24,25,26}-0x0000000000000000-mapping.dmp
  behavioral2/memory/1124-{54,55,56,57,58,59,60,61,62,63,64}-0x0000000000000000-mapping.dmp

Blacklisted process makes network request (2 IoCs)
  flow 19  PID 4072  rundll32.exe
  flow 23  PID 2216  rundll32.exe

Executes dropped EXE (2 IoCs)
  PID 2912  tdun.exe
  PID 1124  Taurus22.exe

Loads dropped DLL (4 IoCs)
  PID 4072  rundll32.exe  (2 loads)
  PID 2216  rundll32.exe  (2 loads)

Reads user/profile data of web browsers (2 TTPs)
Infostealers target data stored by web browsers, such as saved credentials.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Program crash (1 IoC)
  PID 2820  WerFault.exe  handled the crash of PID 1124 (Taurus22.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID 4072  rundll32.exe  (4 events)
  PID 2820  WerFault.exe  (16 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 2820  WerFault.exe  Token: SeRestorePrivilege
  PID 2820  WerFault.exe  Token: SeBackupPrivilege
  PID 2820  WerFault.exe  Token: SeDebugPrivilege
All three are held by WerFault.exe, the crash handler, which enables them to dump the crashing process; they are not evidence of privilege abuse by the sample itself.

Suspicious use of WriteProcessMemory (24 IoCs)
Every write goes from a parent to a child it has just spawned, three writes per pair; no write targets a pre-existing process. The 8 pairs:
  PID 744   SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe  ->  PID 2912  tdun.exe
  PID 2912  tdun.exe      ->  PID 4032  cmd.exe
  PID 4032  cmd.exe       ->  PID 776   reg.exe
  PID 2912  tdun.exe      ->  PID 4072  rundll32.exe
  PID 2912  tdun.exe      ->  PID 1124  Taurus22.exe
  PID 1124  Taurus22.exe  ->  PID 1456  cmd.exe
  PID 1456  cmd.exe       ->  PID 648   schtasks.exe
  PID 2912  tdun.exe      ->  PID 2216  rundll32.exe
Processes

PIDs below are taken from the signature tables above. Each child's image lives under C:\Windows\SysWOW64 although its command line names System32: the sample is a 32-bit process, so WOW64 file-system redirection rewrites the System32 paths it passes to CreateProcess. Two persistence mechanisms are visible: the REG ADD changes the per-user Startup folder location (User Shell Folders\Startup) to C:\ProgramData\df06955a2a\, the directory tdun.exe was copied to, so Explorer launches its contents at every logon; the scheduled task reruns a dropped executable in the user's Temp directory once a minute.

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe (PID 744)
   "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\df06955a2a\tdun.exe (PID 2912)
      "C:\ProgramData\df06955a2a\tdun.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 4032)
         "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\df06955a2a\
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe (PID 776)
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\df06955a2a\

      3. C:\Windows\SysWOW64\rundll32.exe (PID 4072)
         "C:\Windows\System32\rundll32.exe" C:\ProgramData\36877702447006\cred.dll, Main
         - Blacklisted process makes network request
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses

      3. C:\Users\Admin\AppData\Local\Temp\Taurus22.exe (PID 1124)
         "C:\Users\Admin\AppData\Local\Temp\Taurus22.exe"
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe (PID 1456)
            "C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\aBCgjGFk.exe"
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\schtasks.exe (PID 648)
               schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\aBCgjGFk.exe"
               - Creates scheduled task(s)

         4. C:\Windows\SysWOW64\WerFault.exe (PID 2820)
            C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1172
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\rundll32.exe (PID 2216)
         "C:\Windows\System32\rundll32.exe" C:\ProgramData\36877702447006\scr.dll, Main
         - Blacklisted process makes network request
         - Loads dropped DLL
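The three behaviours in this tree that are worth turning into detections are the Startup-folder redirect through User Shell Folders, the scheduled task firing every minute against a Temp executable, and rundll32 calling an export of a DLL dropped under C:\ProgramData. The Python below is an added example, not part of the sandbox report and not code from the sample, that runs those three rules over process-creation records. The record shape (pid, image, command line), the USER_WRITABLE_DIRS list, the DEFAULT_STARTUP_PREFIXES and the MAX_MINUTE_INTERVAL threshold are assumptions made for the example; the five malicious command lines are copied from the process tree above and the two benign control records are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records as (pid, image, command_line). The first five
# command lines are the ones in the process tree of this report; PIDs 9001/9002 are
# invented benign controls to show that the rules stay quiet on ordinary activity.
_T = "\\"  # trailing backslash: a raw string literal cannot end in one
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (4032, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\df06955a2a' + _T),
    (776, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\df06955a2a' + _T),
    (4072, r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\36877702447006\cred.dll, Main'),
    (648, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\aBCgjGFk.exe"'),
    (2216, r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\36877702447006\scr.dll, Main'),
    (9001, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'),
    (9002, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# Assumed tuning knobs for this example.
USER_WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
DEFAULT_STARTUP_PREFIXES = ("%appdata%", "%userprofile%")  # where a legitimate Startup value points
MAX_MINUTE_INTERVAL = 5  # a /sc minute task firing this often or more is beacon-like
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def opt(tokens: List[str], name: str) -> Optional[str]:
    """Return the argument following a /name switch (case-insensitive), if any."""
    want = "/" + name.lower()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == want:
            return tokens[i + 1]
    return None


def in_user_writable_dir(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE_DIRS)


def check_startup_redirect(pid: int, tokens: List[str]) -> Optional[Dict]:
    """REG ADD on User Shell Folders\\Startup pointing outside the user profile."""
    low = [t.lower() for t in tokens]
    for i in range(len(low) - 2):
        is_reg = low[i] in ("reg", "reg.exe") or low[i].endswith("\\reg.exe")
        if is_reg and low[i + 1] == "add" and low[i + 2].endswith("user shell folders"):
            if (opt(tokens, "v") or "").lower() != "startup":
                return None
            data = opt(tokens, "d") or ""
            if not data.lower().startswith(DEFAULT_STARTUP_PREFIXES):
                return {"rule": "startup_folder_redirect", "pid": pid, "new_startup": data}
    return None


def check_fast_task(pid: int, tokens: List[str]) -> Optional[Dict]:
    """schtasks /create with a minute-level trigger firing every few minutes."""
    low = [t.lower() for t in tokens]
    if "/create" not in low or (opt(tokens, "sc") or "").lower() != "minute":
        return None
    try:
        every = int(opt(tokens, "mo") or "1")  # schtasks treats a missing /mo as 1
    except ValueError:
        return None
    if every > MAX_MINUTE_INTERVAL:
        return None
    target = opt(tokens, "tr") or ""
    return {"rule": "minute_scheduled_task", "pid": pid, "every_min": every,
            "task": opt(tokens, "tn"), "target": target,
            "target_user_writable": in_user_writable_dir(target)}


def check_rundll32_drop(pid: int, image: str, tokens: List[str]) -> Optional[Dict]:
    """rundll32 invoking an export of a DLL that lives in a user-writable directory."""
    if not image.lower().endswith("\\rundll32.exe") or len(tokens) < 2:
        return None
    dll, _, export = " ".join(tokens[1:]).partition(",")  # "path.dll, Export" or "path.dll,Export"
    if in_user_writable_dir(dll):
        return {"rule": "rundll32_user_writable_dll", "pid": pid,
                "dll": dll.strip(), "export": export.strip()}
    return None


def scan(events: List[Tuple[int, str, str]]) -> List[Dict]:
    """Run every rule over every event and collect the findings."""
    findings: List[Dict] = []
    for pid, image, cmdline in events:
        tokens = tokenize(cmdline)
        for f in (check_startup_redirect(pid, tokens),
                  check_fast_task(pid, tokens),
                  check_rundll32_drop(pid, image, tokens)):
            if f:
                findings.append(f)
    return findings
```

Running scan(SAMPLE_EVENTS) yields five findings: both the cmd.exe wrapper (PID 4032) and reg.exe (PID 776) trip the Startup redirect rule because the rule looks for the REG ADD tokens anywhere in the command line rather than only at the image name; the two rundll32 instances are flagged for loading cred.dll and scr.dll out of ProgramData; and the schtasks call is flagged as a one-minute task whose target sits in the user's Temp directory. The daily backup task and the shell32.dll rundll32 call produce nothing. On a real host the same rules would be fed from Sysmon Event ID 1 or an EDR's process-creation stream, and the Startup rule could additionally be paired with a live check of the User Shell Folders value.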
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Each dropped file is listed once below. The report recorded tdun.exe and Taurus22.exe twice and the two DLLs twice more under the drive-less path \ProgramData\36877702447006\; the hashes were identical in every repeat.

C:\ProgramData\152133414903337197415362
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of empty input: the file was zero bytes when captured, so its hashes are useless as indicators; only the path is worth keeping.

C:\ProgramData\36877702447006\cred.dll (also listed as \ProgramData\36877702447006\cred.dll)
  MD5     7da17ba4b45756b3a4030fadf2b10581
  SHA1    695ad3805d4f947d241c05831aa22b915dcecd08
  SHA256  ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9
  SHA512  c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0
  Loaded by rundll32.exe (PID 4072) through its Main export.

C:\ProgramData\36877702447006\scr.dll (also listed as \ProgramData\36877702447006\scr.dll)
  MD5     640ab71aef505d0fa1872c085d34bd67
  SHA1    9dcaf377132f39f5c98f3883adcdc552347226ad
  SHA256  846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070
  SHA512  9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7
  Loaded by rundll32.exe (PID 2216) through its Main export.

C:\ProgramData\df06955a2a\tdun.exe
  MD5     3eafc3e74deeffaccc2a203154265a30
  SHA1    0de031ececa86e4e318f266f291474fc73d491ac
  SHA256  100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea
  SHA512  2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f
  Hashes are identical to those of the submitted sample: the first stage copies itself to C:\ProgramData\df06955a2a\ and relaunches from there, which is also the directory the Startup folder is redirected to.

C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
  MD5     a4371e9bd79194ecb4cbeea6db5c84fc
  SHA1    8d52f150505ccecc1660ca4de6f0b5d73e58a1f0
  SHA256  412a216b1c3d5b49588f3afa1a29af5242a1b865eac7aa98565b4e7c5d4ca7e8
  SHA512  c814c8de4ee96ba82571a245d7fc53f1537a45051cad35e8e86d2e17158e77b33d0817a2d84352d5aae2209047b5e846d38d58bae894278686d3ced62a38415a
  Second-stage executable (PID 1124); it created the scheduled task, crashed under WerFault.exe (PID 2820), and is the process whose memory dumps matched the ServiceHost packer rule.
Memory dumps

mapping.dmp entries (memory/<pid>-<index>-0x0000000000000000-mapping.dmp), one per spawned process plus the repeated captures of PID 1124:
  648-14, 776-5, 1456-13, 2216-30, 2912-0, 4032-4, 4072-6
  1124-10, 1124-16 through 1124-26, 1124-54 through 1124-64

memory.dmp entries for PID 2820 (WerFault.exe), 4KB each:
  0x0000000004A20000-0x0000000004A21000  index 15
  0x0000000005570000-0x0000000005571000  indices 27, 28, 32, 35, 36, 38, 39, 40, 41, 43, 44, 45, 47, 48, 49, 51, 52
  0x0000000005710000-0x0000000005711000  index 65