Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 13:45
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe
- Size: 387KB
- MD5: 1d6edfa073e4a8f072df28cfd5321bba
- SHA1: a62fc3e619711102d3e8a62e9e2456db1e194997
- SHA256: e2e17c7a66b0571f7d35ecd4f5522eb697a234d2b3d803d609d3f804a63de168
- SHA512: c1426d54140a6cac1dabeb41fa6d21c0894b9d70afd677254ff0ed3afcb8bde3ba34b61b8fb7633ba4c85ebaf81620b79b53f626b3076c3aad8ff77bdad378cd
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes (pid, process): 608 cmd.exe
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes (pid, process): 1552 ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (147 IoCs)
  Processes (pid, process; the report repeats a row per event and shows only part of the 147 rows, so each distinct pid/process pair is listed once here, in order of first appearance):
    1252 ndadmin.exe
    800 svchost.exe
    1604 SearchProtocolHost.exe
    1260 Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (117 IoCs)
  Processes (description, pid, process; the report shows 64 of the 117 rows, grouped here by process in the order listed):
    532 SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe, Token: SeDebugPrivilege, SeTcbPrivilege, SeDebugPrivilege
    1252 ndadmin.exe, Token: SeDebugPrivilege, SeTcbPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
    800 svchost.exe, Token: SeDebugPrivilege, SeTcbPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid, process): 1260 Explorer.EXE (4 rows)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid, process): 1260 Explorer.EXE (4 rows)
- Suspicious use of SetWindowsHookEx (28 IoCs)
  Processes (pid, process): 1604 SearchProtocolHost.exe (all 28 rows)
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes (description, pid, process, target process; identical rows collapsed with their counts):
    PID 532 wrote to memory of 1252: 532 SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe -> ndadmin.exe (9 rows)
    PID 1252 wrote to memory of 800: 1252 ndadmin.exe -> svchost.exe (5 rows)
    PID 800 wrote to memory of 1604: 800 svchost.exe -> SearchProtocolHost.exe (8 rows)
    PID 1604 wrote to memory of 1552: 1604 SearchProtocolHost.exe -> ipconfig.exe (3 rows)
    PID 1604 wrote to memory of 1260: 1604 SearchProtocolHost.exe -> Explorer.EXE (5 rows)
    PID 532 wrote to memory of 608: 532 SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe -> cmd.exe (4 rows)
Processes (tree depth in brackets, as marked in the report)
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\ndadmin.exe
        cmdline: "C:\Windows\system32\ndadmin.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe"
        - Deletes itself
[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\SearchProtocolHost.exe
      cmdline: "C:\Windows\system32\SearchProtocolHost.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\windows\system32\ipconfig.exe
        cmdline: /flushdns
        - Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_8561586058D2ED9ACF276BAB29F2865E
  MD5: 72dc05094094de2759bc76b158fbe405
  SHA1: 6763e718e1689ab0de8a1ffc9aadb262e910e3c3
  SHA256: 5ed4145c1a2a33e4c40fae6799287cf4811e6263f24da2b976117fc33b444907
  SHA512: 6d0a2ee96041c5b55287b9edf55e63cdc39b168cf2c08cab4fdc94bd0614fe7fedb1f1ca3fcded500a299dec14643d8b698c44d2be6657f6594d7331ef5e345f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
  MD5: 5cb54cb2c6df3a0e1788998bb0cf3b35
  SHA1: abec167ee3900564a6e25b67ffe539d086904a8e
  SHA256: 3939c212ae74b7a83dba6c8371b605fb77686c351e5cb8753359c2eceb72832d
  SHA512: 3d00ade67811f7aea1791196d1933538a7657ae393c863904898f060e43bf58796ba5eee24c9477cc31c22f9cbdcd34a6fd0c4a609a9570dcc62cf1d888a3c0c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 21922806495622b55f15de5d9a05b0c2
  SHA1: 63eac24ef56d4543a2518c8dd3d1373197ad8e4a
  SHA256: 78e329ef90db210c9ad2f8c86d49e45f3c53bf089ef66f9a22c7a7cc3cba7b9a
  SHA512: 97b5f9c5391c9a64b97629bec0c463129f8f2d0e49b23446299a1d2df4eabb9c3890507e3ece59be867e61a166c399a60abc2462294613de0295922c67dd6e80
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 85ff75cf4a2129620a29e89507062b42
  SHA1: 75c7bc31354d48e7a6ae7bbb0bfafd75e51ff909
  SHA256: f3860f94cf8374825472dcedda9f269c4e7648ebf49b25c2e8e5e5e10cc16801
  SHA512: 6ba3250379033aa6d7bc42934410875a5586805ecb7b818e2a371a7bb806d40f68d9d9471df14f2d6a6b3eb2b66a889a015e6cbf6215abb1c30d6556b09fbb80
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 7eb729161d081adc2c316df1e3ffbb7b
  SHA1: a379bbd647951ab2066d8fe09beffcb7ebe7d6be
  SHA256: 7e2ff5b505b76354c9ac34c5ca6502a5b7cfeca701431bdfeea58cc69c27143f
  SHA512: d9eeb2ba2d9beee188be4bf3b1b12e67969e111247a58e3e7c3557d39106e90540b23b6651c2057ce9cf7aeaba5e2835d288df9c294eca34005e6d28eb49a8a1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: bdbf0928d5ec813ff3116b7fe422673c
  SHA1: 9422d3bbcd208b012931040f0737a2debf7df6b2
  SHA256: fcd68b891a0e91be15258abc2271560cc0c0cc03b77039390c822edc1c195352
  SHA512: cca0ea98a89488f2c05fb07d1974e06f72fd2cd984d839413d00975c1216d79f275258bd8a12a4b4f8af0e7e6d8226e2e4f6fec92a64a4af6491c2159d8a01b9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 68268ca474bf3034c694588f9b7c9a70
  SHA1: 760967f75b1954dba8f63430fbecb14e67e6a391
  SHA256: 5266d827d6a5594038096cebe526b3ccef00c64a0d734e0ddb5a57fbedc5648a
  SHA512: 42edbb83872a0c11dbb6af4dd6f267b735cea18130e33bfafb704dedad49b91f53cf7f9070449e17774494fc9ec16ca8a7a1423200176a2798ec4ccd529da755
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_8561586058D2ED9ACF276BAB29F2865E
  MD5: f38db53758c14b4f6fc5180040523cce
  SHA1: 28637baf315ad0bcded94c3d69b4230c9a367c7a
  SHA256: f5fd7efd2b23749c7cca6084eb4e05da4e16759f7fb037a1e286bdd314dcbd9f
  SHA512: e70faf5be75aed99df443416cd815b5d591b2d13e188bdab74abd943068de372a81e0af7bec3f7868491e99d416383242bc86c9189fc2619982d5f1cacff9c47
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
  MD5: f992272c98a7c487143be439d4b7ab9c
  SHA1: 825333cf8350cb8cdf665f584344f74af471d061
  SHA256: 0fdee35a33fe0a714506e4e4a8ec1a5e87a7f5dc50cbf34bc8ca7c8fa596cf69
  SHA512: 7830a64c1758a70ddfdc0cb638ff6e5d88bf2c8acaf9de73576eee668ce412962fec05f9ea87714d08189cebbbba911a20de8d4205265dbde363f09f45014189
- memory/608-24-0x0000000000000000-mapping.dmp
- memory/1252-3-0x0000000000090000-0x0000000000093000-memory.dmp (Filesize: 12KB)
- memory/1552-11-0x0000000000000000-mapping.dmp
- memory/1604-8-0x0000000000000000-mapping.dmp
- memory/1828-14-0x000007FEF7590000-0x000007FEF780A000-memory.dmp (Filesize: 2.5MB)